Chrome OS to be targeted by hackers, says McAfee

Chrome OS to be targeted by hackers, says McAfee

Summary: Based on a report by McAfee, Google Chrome OS will be targeted by hackers in 2010 -- mainly due to the rise in popularity of HTML 5.With the technological advances brought on by HTML 5, the web will undergo a dramatic upgrade that will change the way web application developers and hackers are able to interact with their “target market.

SHARE:
TOPICS: Browser, Google, Security
28

Based on a report by McAfee, Google Chrome OS will be targeted by hackers in 2010 -- mainly due to the rise in popularity of HTML 5.

With the technological advances brought on by HTML 5, the web will undergo a dramatic upgrade that will change the way web application developers and hackers are able to interact with their “target market.” HTML 5 holds all the promises that today’s web community seeks—primarily blurring and removing the lines between a web application and a desktop application. HTML 5–based attacks will become even more tempting once the Google Chrome Operating System is released. (It’s scheduled for second half of 2010.) Google Chrome OS is intended for use with netbooks, and HTML5 enables not only a rich Internet experience, but also offline applications. Another motivation for attackers is HTML 5’s anticipated cross-platform support, which will allow attackers to eventually reach users of many mainstream browsers.

If Google has it their way though -- security on Chrome OS should be almost bullet proof due to it's sandbox environment, and the fact that there is absolutely nothing stored on the local machine. Even if a hacker did manage to install something in the kernel, Google says it will automatically re-image the device if something seems amiss upon reboot.

It will be interesting to see what type of attacks are launched for Chrome OS -- any ideas?

Topics: Browser, Google, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

28 comments
Log in or register to join the discussion
  • Doubtful source

    McAfee is probably afraid of losing customers. It looks like FUD to me:
    http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt
    pjotr123
    • Agreed. But they may still have a point.

      The antivirus providers are well know for these
      tactics. We should all learn to view their
      statements in that light.

      But they may still have a point. Until now if
      exploiting a browser an attacker would like to
      also infect the system permanently. He would
      like to do so in order to have the system under
      control.

      Sandboxing the browser protects the system from
      a compromised browser. Most efficient is the
      Windows low integrity mode sandbox which will
      even protect the internet preferences
      (something a Linux sandbox will not do) least
      efficient is the virtually non-existing sandbox
      on OSX.

      But a sandbox only protects the <i>system</i>
      from the browser. When something like HTML5
      allows local storage it opens another possible
      attack vector where an attacker can hide
      malicious code and ensure re-infection on each
      start - like when an exploit infects internet
      preferences.

      It is all theory at this point, but it is
      undeniable that the fact that the browser
      starts to keep more complicated state will also
      complicate things.

      Right now, when you start a browser it starts
      from a "clean" state - with the exception of
      internet preferences, bookmarks and
      extensions/plugins.

      When more state is made persistent, it is more
      opportunities for permanent infections as well.

      And the crucial point of this is that <b>a
      sandbox will not protect against such
      infections</b>. Windows low integrity mode,
      Chrome sandbox or apparmor; all of them need to
      allow the browser to read/write this special
      browser state - without user confirmation as
      that would all but destroy the user experience.

      The sandboxes cannot judge from the outside
      whether the state is malicious or not. Thus,
      HTML5 may open up another class of infections:
      One where your <i>system</i> has not been
      compromised/root'ed, but the most important
      application has. If the browser is compromised
      this way it may not be able to send spam (right
      away) but it will be able to snoop on all of
      your traffic, both incoming and outgoing.

      However, a clever exploit can pack a secondary
      attack: At some point you will download an
      executable and execute it on your system. At
      that point it can attach malicious code to the
      downloaded file during the transfer.

      The end result is that sandboxing will <b>not
      be effective</b> against such infections.

      HTML5 is still just a working draft. It is
      nowhere near being a standard and it still
      experience breaking changes. I think that the
      designers should think long and hard how they
      can make this possible attack vector harder or
      even impossible to exploit.

      Unfortunately you see players like Google and
      Mozilla rush on this specification. Security
      could very well be the victim here.
      honeymonster
      • one point

        On ChromeOS, users cannot execute anything[1]. So there is no way to download an executable and run it. Whatever it is would have to be done in javascript or by some browser-based means.

        1. except NaCl code which runs in a sandbox in a browser tab inside an instruction set scrubber with absolutely zero access to the system or any user data whatsoever. For example, you can play Quake natively on CrOS inside of the browser using NaCl. (Most Linux software can be, and most libraries have been, compiled for NaCl according to Google's presentation.)
        cabdriverjim
      • haha... You're all too hilarious! :D

        First off you are obviously an M$ (they make an Antivirus software btw) Spy or Cell, planted to spread bogus trash talk about Linux and Google Chrome OS! :D

        Linux is the only OS that the NSA (National Security Administration) has wrote a secure kernel for. Secure Linux Kernel is now in every single system. Even Cell Phones!

        You see... Linux to this very day is the most Secure OS on the Planet. Partly because it's still a full Macro Kernel. Not a hybrid like your Quick and Dirty Windows or Mac OS-X. To this day, Linux has only been infected ONCE by a VIRUS.... and that was in a LAB!

        Afterwords, the Kernel was updated to protect against the flaw. There have been NO INFECTIONS of LINUX in the WILD to this day. While Windows Systems are infected by the minute or second every day!

        Then you're telling us, contrary to all the information received to date, that the Director of the FBI was wrong, when he said "Don't use Windows for Banking or online purchases. USE a LIVE LINUX DISC! Why? Because until M$ has fully instituted Secure Java Transactions with remote Server Authentication in .NET it's still using the most insecure Security system on the Planet. Called ActiveX! Their VBS is not far behind and maybe you aren't aware of Sun and M$'s arrangements. Maybe not aware of how Secure Transaction and the IBM Main Frames that handle them work. Or how most Banks, Stock Exchanges, and Credit Card Transactions are handled around the Globe!

        Maybe you aren't aware that Linux powers the vast majority of HPC Clusters to the tune of over 93% of Clouds (including Amazon's).

        That my friend is how Chrome OS will work. Your browser is just another application that runs on the CLOUD. Very much like a TV Set Top Box or the Sony PS3 right now. Have you heard of a PS3 ever being infected or hacked? NO! ...and it runs on embedded Linux! :D

        Chrome OS on Google's Netbooks will have a super fast booting hard coded embedded OS. A hypervisor if you like to call it that. That can be updated much like Sony's PS3 OS with firmware updates.

        For nearly 20yrs, I'm been using Cloud Email and I'm barely aware of it. I have the same account and have never lost data or had my settings compromised. But I have lost many computers, uncountable OS installs and yes.. lot's of data. Like some of you that use Hotmail, MSN or LIVE have! ;)

        On Chrome OS, literally all applications will run in a Dalvik (Java) Virtual Machine. Exactly like Java or .NET! ..... the Browser is an application (in case you didn't know)! ;)

        If you know of any infections on any Linux install, please let me know. So I can tell the NSA, DOD, DOE and numerous other Governments and Corporate entities that run Linux. That they're in EXTREME DANGER! lol

        Like DOE's Roadrunner Super Computer. Built by IBM as the most Powerful Super Computer (1.8 PETAFLOPS)in the World! ...and since it's handling such sensitive data as Nuclear Arms and Nuclear Waste Disposal, etc, at Los Alamos Laboratories, we don't want them to get infected. Right?

        Thank God none of the Top 100 Super Computers run on Windows either! :D
        i2fun
    • Maybe

      While I agree it could be partially FUD I do think that nothing is unhackable and if a hacker or malicious person wants to spend the time I am sure an exploit can be found. The more popular something gets in technology when it comes to software the more appealing it becomes to those who wish to exploit it.
      bobiroc
  • yes, doubtful. No more comments.

    pjotr123 said it!
    zdnetregistration
    • I wont say I told you say.

      Seriously though it is there buisness to scare people but lets wait till they actualy release a product before we call it fud.
      jdbukis
      • you don't get it jdbukis..

        they have already released products and i would never buy anything from them.

        They dont want to release apps for linux, they should be ashamed of themselves, what they are trying to tell us is... "don't stay away from microsoft windows(the virus appeal company) and buy our security package.
        With FREE comodo internet security.. i'm safe, no thank you McAfee, your products are so 90's and useless.
        zdnetregistration
        • I do get it

          They have not released products for THIS (chrome) platform.
          BTW according to the latest tests by AV-Comparatives there product is reasonably good.

          BTW putting stuff like (*childishflamebait*)in brackets makes it difficult to take you seriously.
          jdbukis
  • Absolutely nothing stored on the local machine?

    If that's the case, then why the need for a 64 GB SSD? OS and programs don't take that much space.
    Michael Kelly
    • probably...

      there will be local files (your documents, pics,
      etc) that will be synced with a server. otherwise
      you couldn't work offline, and i doubt google
      wants your system to be crippled when you're not
      in the range of a wifi hub.
      lostarchitect
    • local cache

      The user filesystem is encrypted and stores data much like Android does. Main difference in concept, I think, is that Android doesn't encrypt the data because its on removable media that some windows user will inevitably assume they can read outside of the device itself.
      cabdriverjim
  • Actually some test reveal problems

    Actually I have read some independent security tests that reveal Chrome and Safari to be rather poor at real time exploits. I was surprised too but we all know everything has its flaws.
    jscott418-22447200638980614791982928182376
    • which is why...

      They are using process isolation and taking advantage of Linux security mechanisms. Even if webkit is breached Linux can keep the system and your data perfectly safe if configured properly.

      Windows security is swiss cheese with duct tape covering the holes Linux security (can easily be) an armored tank maybe with a crack here or there. Using a good LSM Linux can be setup to allow nothing at all by default and grant applications, people, etc permission to access individual syscalls and resources.

      The difference is maybe subtle. But the upshot is that there is not much debate on how to fix such problems on Linux. Just eliminate the ability to do whatever malicious thing which was never intended to be allowed. Windows has a massive compatibility monkey on its back in comparison.

      Will there be embarrassing security failures? Probably. Will there be as many as Windows and as often? Very unlikely. I bet it will be a bit shaky for the first year or so but that's about all.
      cabdriverjim
      • re: which is why?

        Oh great - using Linux will be more secure than
        Windows. That is why Linux has hundreds more
        critical security vulnerabilities each year
        compared to Windows?

        Check your linux updates over the past year vs
        windows and you'll see it's pretty obvious.

        Also using a simple tool like metasploit it's
        pretty easy to expose vunerabilities in linux
        and get root access (if you don't have latest
        security updates)

        Windows by the way can also be set up to secure,
        and Windows Vista + Windows 7 are set up quite
        secure by default.
        eatredmeatfeelgood
        • try again

          I've been paying attention to my updates. Currently using ubuntu 9.10. This month, I've seen 5 total security updates.

          They were listed per specific location of the vulnerability, making it easy to Google exactly what it was that was getting an update.

          I also remember when I'd get updates while using Windows XP just 1 year ago. Those updates were never specific, never making it easy to Google what it was that was getting updated and why.

          Next, take a look at the difference between open source and closed source. Open Source means it's legal to look at the source, that means more people looking at the code to fix it.

          Closed Source means only the company which created the code can legally look at it to fix it. Makes it pretty easy on the bad guys when they're up against such a small group of individuals.
          tmsbrdrs
  • RE: Chrome OS to be targeted by hackers, says McAfee

    In other news, McAfee unveils "McAfee Security Suite for Chrome OS 2011"

    Available soon at finer software retailers.
    civikminded
  • RE: Chrome OS to be targeted by hackers, says McAfee

    Only Windows gets viruses. Chrome should be OK.
    tburzio
    • And your just having a laugh right??? [NT]

      NT
      mrjoctave
  • McAfee is a joke.

    Lousy scanner. It's nothing but a marketing company with some poor programmers behind the scenes.

    McAfee: Die.
    BigAxeToGrind