Trend Micro's Rik Ferguson sounds alarm bell on Google Chrome OS

Google has, he notes, made a number of 'media friendly' statements such as, 'users don't have to deal with viruses, malware and security updates.'

Each process within Chrome OS, he notes, runs in its own sandbox.

"Effectively this means that if an application is malicious or compromised, it is unable to interact with or otherwise affect other applications or processes on the system", he says in his latest Trend Micro security blog.

Chrome OS, he adds, is billed as being always up-to-date, with updates, whether patches or feature updates, downloaded and installed automatically by default. This is, he observes, a mandatory process designed to stop users from opting out of security.

Furthermore, each time Chrome OS is started up, it will, says Ferguson, check the integrity and validity of system files.

"If it detects any anomaly or unauthorised change, the system will revert to the known-good state, effectively neutralising any suspect activity at every reboot", he says, adding that the separation of user files and system files makes this a simple and effective process.

Ferguson goes on to say that the existence of a software development kit may not bode well for the long-term security of Chrome OS, meaning it may be about as secure as an untouched Android device.

"Of course the sandboxing technology is designed to ensure that even a bad native app can't misbehave. Well, exploits that break out of sandboxing have already been demonstrated for Internet Explorer, for Java, for Google Android and of course, for the Chrome browser - to name but a few", he says.

"While the Google sandbox is effective, it is not impenetrable, and to rely on it for 100% security would be short-sighted", he adds.

So what’s the bottom line from the Trend Micro security veteran?

"While I applaud the impressive advances in security that are apparent in Chrome OS, to a certain extent we are seeing marketing history repeat itself", he says.

"How often did the mantra that MacOS was immune to malware need to be repeated until the vast majority of users believed it and continue to do so, even after Apple went as far as incorporating rudimentary AV software into MacOS", he adds.

Criminal activity, says Ferguson, extends far beyond file-based threats, encompassing social engineering, phishing, social networks and email-borne threats.

"The palette is continually expanding and the techniques are continually evolving, to assure your customers that they will not have to deal with online cybercrime if they simply switch to a new OS is foolish, to say the least", he concludes.
