Chrome OS to be targeted by hackers, says McAfee
Summary: Based on a report by McAfee, Google Chrome OS will be targeted by hackers in 2010 -- mainly due to the rise in popularity of HTML 5.With the technological advances brought on by HTML 5, the web will undergo a dramatic upgrade that will change the way web application developers and hackers are able to interact with their “target market.
Based on a report by McAfee, Google Chrome OS will be targeted by hackers in 2010 -- mainly due to the rise in popularity of HTML 5.
With the technological advances brought on by HTML 5, the web will undergo a dramatic upgrade that will change the way web application developers and hackers are able to interact with their “target market.” HTML 5 holds all the promises that today’s web community seeks—primarily blurring and removing the lines between a web application and a desktop application. HTML 5–based attacks will become even more tempting once the Google Chrome Operating System is released. (It’s scheduled for second half of 2010.) Google Chrome OS is intended for use with netbooks, and HTML5 enables not only a rich Internet experience, but also offline applications. Another motivation for attackers is HTML 5’s anticipated cross-platform support, which will allow attackers to eventually reach users of many mainstream browsers.
If Google has it their way though -- security on Chrome OS should be almost bullet proof due to it's sandbox environment, and the fact that there is absolutely nothing stored on the local machine. Even if a hacker did manage to install something in the kernel, Google says it will automatically re-image the device if something seems amiss upon reboot.
It will be interesting to see what type of attacks are launched for Chrome OS -- any ideas?
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
Doubtful source
http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt
Agreed. But they may still have a point.
tactics. We should all learn to view their
statements in that light.
But they may still have a point. Until now if
exploiting a browser an attacker would like to
also infect the system permanently. He would
like to do so in order to have the system under
control.
Sandboxing the browser protects the system from
a compromised browser. Most efficient is the
Windows low integrity mode sandbox which will
even protect the internet preferences
(something a Linux sandbox will not do) least
efficient is the virtually non-existing sandbox
on OSX.
But a sandbox only protects the <i>system</i>
from the browser. When something like HTML5
allows local storage it opens another possible
attack vector where an attacker can hide
malicious code and ensure re-infection on each
start - like when an exploit infects internet
preferences.
It is all theory at this point, but it is
undeniable that the fact that the browser
starts to keep more complicated state will also
complicate things.
Right now, when you start a browser it starts
from a "clean" state - with the exception of
internet preferences, bookmarks and
extensions/plugins.
When more state is made persistent, it is more
opportunities for permanent infections as well.
And the crucial point of this is that <b>a
sandbox will not protect against such
infections</b>. Windows low integrity mode,
Chrome sandbox or apparmor; all of them need to
allow the browser to read/write this special
browser state - without user confirmation as
that would all but destroy the user experience.
The sandboxes cannot judge from the outside
whether the state is malicious or not. Thus,
HTML5 may open up another class of infections:
One where your <i>system</i> has not been
compromised/root'ed, but the most important
application has. If the browser is compromised
this way it may not be able to send spam (right
away) but it will be able to snoop on all of
your traffic, both incoming and outgoing.
However, a clever exploit can pack a secondary
attack: At some point you will download an
executable and execute it on your system. At
that point it can attach malicious code to the
downloaded file during the transfer.
The end result is that sandboxing will <b>not
be effective</b> against such infections.
HTML5 is still just a working draft. It is
nowhere near being a standard and it still
experience breaking changes. I think that the
designers should think long and hard how they
can make this possible attack vector harder or
even impossible to exploit.
Unfortunately you see players like Google and
Mozilla rush on this specification. Security
could very well be the victim here.
one point
1. except NaCl code which runs in a sandbox in a browser tab inside an instruction set scrubber with absolutely zero access to the system or any user data whatsoever. For example, you can play Quake natively on CrOS inside of the browser using NaCl. (Most Linux software can be, and most libraries have been, compiled for NaCl according to Google's presentation.)
haha... You're all too hilarious! :D
Linux is the only OS that the NSA (National Security Administration) has wrote a secure kernel for. Secure Linux Kernel is now in every single system. Even Cell Phones!
You see... Linux to this very day is the most Secure OS on the Planet. Partly because it's still a full Macro Kernel. Not a hybrid like your Quick and Dirty Windows or Mac OS-X. To this day, Linux has only been infected ONCE by a VIRUS.... and that was in a LAB!
Afterwords, the Kernel was updated to protect against the flaw. There have been NO INFECTIONS of LINUX in the WILD to this day. While Windows Systems are infected by the minute or second every day!
Then you're telling us, contrary to all the information received to date, that the Director of the FBI was wrong, when he said "Don't use Windows for Banking or online purchases. USE a LIVE LINUX DISC! Why? Because until M$ has fully instituted Secure Java Transactions with remote Server Authentication in .NET it's still using the most insecure Security system on the Planet. Called ActiveX! Their VBS is not far behind and maybe you aren't aware of Sun and M$'s arrangements. Maybe not aware of how Secure Transaction and the IBM Main Frames that handle them work. Or how most Banks, Stock Exchanges, and Credit Card Transactions are handled around the Globe!
Maybe you aren't aware that Linux powers the vast majority of HPC Clusters to the tune of over 93% of Clouds (including Amazon's).
That my friend is how Chrome OS will work. Your browser is just another application that runs on the CLOUD. Very much like a TV Set Top Box or the Sony PS3 right now. Have you heard of a PS3 ever being infected or hacked? NO! ...and it runs on embedded Linux! :D
Chrome OS on Google's Netbooks will have a super fast booting hard coded embedded OS. A hypervisor if you like to call it that. That can be updated much like Sony's PS3 OS with firmware updates.
For nearly 20yrs, I'm been using Cloud Email and I'm barely aware of it. I have the same account and have never lost data or had my settings compromised. But I have lost many computers, uncountable OS installs and yes.. lot's of data. Like some of you that use Hotmail, MSN or LIVE have! ;)
On Chrome OS, literally all applications will run in a Dalvik (Java) Virtual Machine. Exactly like Java or .NET! ..... the Browser is an application (in case you didn't know)! ;)
If you know of any infections on any Linux install, please let me know. So I can tell the NSA, DOD, DOE and numerous other Governments and Corporate entities that run Linux. That they're in EXTREME DANGER! lol
Like DOE's Roadrunner Super Computer. Built by IBM as the most Powerful Super Computer (1.8 PETAFLOPS)in the World! ...and since it's handling such sensitive data as Nuclear Arms and Nuclear Waste Disposal, etc, at Los Alamos Laboratories, we don't want them to get infected. Right?
Thank God none of the Top 100 Super Computers run on Windows either! :D
Maybe
yes, doubtful. No more comments.
I wont say I told you say.
you don't get it jdbukis..
They dont want to release apps for linux, they should be ashamed of themselves, what they are trying to tell us is... "don't stay away from microsoft windows(the virus appeal company) and buy our security package.
With FREE comodo internet security.. i'm safe, no thank you McAfee, your products are so 90's and useless.
I do get it
BTW according to the latest tests by AV-Comparatives there product is reasonably good.
BTW putting stuff like (*childishflamebait*)in brackets makes it difficult to take you seriously.
Absolutely nothing stored on the local machine?
probably...
etc) that will be synced with a server. otherwise
you couldn't work offline, and i doubt google
wants your system to be crippled when you're not
in the range of a wifi hub.
local cache
Actually some test reveal problems
which is why...
Windows security is swiss cheese with duct tape covering the holes Linux security (can easily be) an armored tank maybe with a crack here or there. Using a good LSM Linux can be setup to allow nothing at all by default and grant applications, people, etc permission to access individual syscalls and resources.
The difference is maybe subtle. But the upshot is that there is not much debate on how to fix such problems on Linux. Just eliminate the ability to do whatever malicious thing which was never intended to be allowed. Windows has a massive compatibility monkey on its back in comparison.
Will there be embarrassing security failures? Probably. Will there be as many as Windows and as often? Very unlikely. I bet it will be a bit shaky for the first year or so but that's about all.
re: which is why?
Windows. That is why Linux has hundreds more
critical security vulnerabilities each year
compared to Windows?
Check your linux updates over the past year vs
windows and you'll see it's pretty obvious.
Also using a simple tool like metasploit it's
pretty easy to expose vunerabilities in linux
and get root access (if you don't have latest
security updates)
Windows by the way can also be set up to secure,
and Windows Vista + Windows 7 are set up quite
secure by default.
try again
They were listed per specific location of the vulnerability, making it easy to Google exactly what it was that was getting an update.
I also remember when I'd get updates while using Windows XP just 1 year ago. Those updates were never specific, never making it easy to Google what it was that was getting updated and why.
Next, take a look at the difference between open source and closed source. Open Source means it's legal to look at the source, that means more people looking at the code to fix it.
Closed Source means only the company which created the code can legally look at it to fix it. Makes it pretty easy on the bad guys when they're up against such a small group of individuals.
RE: Chrome OS to be targeted by hackers, says McAfee
Available soon at finer software retailers.
RE: Chrome OS to be targeted by hackers, says McAfee
And your just having a laugh right??? [NT]
McAfee is a joke.
McAfee: Die.