Google Chrome OS: Too secure to need security?

Confident anti-virus-less chocolateers may be repeating Apple's mistakes


A leading security researcher has warned that Google risks repeating Apple's mistakes on security with its new Chrome OS.

Google Chrome OS is a Linux-based operating system designed to work exclusively with web applications. Chrome netbooks running the new OS will be available from Google's partners Samsung and Acer from June. In a launch announcement, Google boasted of an end to patching and anti-virus update woes.

Chromebooks have many layers of security built in so there is no anti-virus software to buy and maintain. Even more importantly, you won't spend hours fighting your computer to set it up and keep it up to date.

Rik Ferguson, a security consultant at Trend Micro, criticised this line as marketing rhetoric. Google risks repeating the security mistakes of Apple, he warns.

Security features of Chrome OS include process sandboxing (so any app is unable to interfere with other apps on a system), automatic updating and a reversion to the last known good state if any problems are detected. This latter feature is possible because user files are stored in the cloud (and encrypted), with only system files held locally.

In addition, every application in Chrome OS will run inside the browser, with only (sandboxed) browser plug-ins running locally.

However, this sterile environment is unlikely to last long, not least because Google has created a Software Development Kit that allows the creation of Chrome "native apps", according to Ferguson, who reckons this opens the door towards the creation of malware.

Sandboxing technology ought to prevent any bad apps that are created getting out of their play pen. But Ferguson warns that sandboxing technology is no panacea for security woes.

"Exploits that break out of sandboxing have already been demonstrated for Internet Explorer, for Java, for Google Android and of course for the Chrome browser (to name but a few), while the Google sandbox is effective, it is not impenetrable and to rely on it for 100 per cent security would be short-sighted," he said.

Rebooting laptops and storing data in the cloud is just "moving the goalposts" for scammers, Ferguson further argues. Instead of stealing data on a compromised device, the motivation will shift towards swiping authentication keys. "If I can infect you for one session and steal your keys, well then I'll get what I can while I'm in there and then continue accessing your stuff in the cloud; after all I've got your keys now, I don't need your PC anymore," Ferguson writes.

Ferguson praises Google for its engineering work but questions its apparent suggestion that switching OSes is a "silver bullet" capable of killing off the modern myriad of security woes. He draws a comparison between Google's claim that Chrome needs no anti-virus and similar claims in the past by Apple.
