6

Flash is a hotbed of vulnerabilities.

Chrome contains a built-in version of Flash, running in sandboxed mode. Obviously, this method is safer than running Flash as a plugin in either Firefox or IE.

But isn't it possible to find a zero-day vulnerability in Flash and a way to break out of the sandbox as well? Isn't disabling the Flash plugin altogether the best option?

WhiteWinterWolf
Mayank Singh

1 Answer

3

Obviously, this method is safer.

Surely. Running a program within the browser's sandbox is always safer because the browser creates a contained environment for the third-party program (Adobe Flash, in your case), such as scratch space, to prevent the eventual malicious code from leaving the browser and installing itself to your hard drive. You can think of running an untrusted third-party application within the browser's sandbox, to a certain degree, as running a program within a virtual machine instead of running it in your host machine's operating system.

Another advantage of Chrome sandboxing Adobe Flash programs is that:

However, Adobe recommends that non-developer Chrome users use Flash Player integrated with their browser. Using manually installed versions of Flash Player, by following the steps below, means that users no longer benefit from the automatic Flash Player updates that Chrome provides.

It means the recommended way of running Adobe Flash makes the user benefit automatically from security updates (as not all users are prone to do that manually, thus exposing them to threats).

than running Flash as a plugin in either Firefox or IE

Recently, Mozilla added a feature in Firefox that enables you to sandbox any program (including Adobe Flash) you want individually (this may be an advantage for Firefox, as it allows sandboxing Java applets, unlike Chrome).

As I am not using IE, which you mentioned, I am not sure whether it sandboxes Adobe Flash programs yet. But I think so, as I landed on this article (Adobe sets IE as next target in Flash security work) written three years ago.

But isn't it possible to find a zero day vulnerability in Flash and a way to break out of the sandbox as well?

You are right. Sandboxing mechanisms are not that perfect. Whether the sandbox is related to Flash or any other third-party program, it is common for attackers to break the security constraints of the sandbox.

Speaking about Flash and Chrome, just last month there was a real-world example where the Flash sandbox in Chrome was escaped (Hacking Team’s Flash 0-day: Potent enough to infect actual Chrome user). But as I said, not only Flash sandboxes can be escaped: I can mention one to you at random (CVE-2015-0016, escaping from the IE sandbox), and you can find many more at will there for different browsers.

Isn't disabling the Flash plugin altogether the best option?

If you are talking only about the Flash Player plugin, then you are right. It is no longer recommended (Facebook calls for end to Flash as Firefox blocks it over hacking holes). HTML5 is the recommended technology instead (Comparison of HTML5 and Flash).

  • Flash would have long gone from my life if it had not been for those numero music streaming services that stubbornly refuse to embrace modern web standards. – Mayank Singh Aug 30 '15 at 19:20