FUD over ChromeOS's security already?
It hasn't taken long for the security vendors to wake to the potential of Google's new ChromeOS. The potential that is, to create FUD – fear uncertainty and doubt.
In a release today, security company Websense quite rightly commends Google's plan to redesign the security architecture of the operating system but points out that "it’s likely that malware authors will be looking for flaws in the Chrome OS to take advantage of from day one", and asks: "It’s a great philosophy to design an OS for today’s environments, but will Google deliver? And when we will see the first attack against Chrome OS?"
Good questions. But as the same release points out (and in doing so rather undermines its argument), most security issues are application- rather than OS-based – Websense cites SQL injection, browser vulnerability and rogue AV. This implies that, while the OS retains some control over rogue code, it's up to developers to contain such issues as SQL injection and rogue anti-virus software.
Websense also reminds us that malware authors will be looking for flaws, and here's where I think the company may be overplaying its hand: the fact remains that ChromeOS is still vapourware. Even after its general release, it'll remain a minority OS for some considerable time: both Apple's OS X and Linux have yet to make serious incursions into the Microsoft mono-culture despite years of hacking away at Redmond's fortress.
Between them, OS X and Linux have around 11-12 percent market share, with Windows hoovering up the rest. And you still don't get many viruses or malware attacks on those OSes.
Why so? It seems obvious but here goes: malware authors are in it for the money and need a critical base of unprotected machines to make their botnets work.
So what's the best target for an attack from a return on investment point of view? You know the answer to this.
That's not to say that security isn't an issue for Google, nor that it shouldn't be taken account of both by users and the developer. Rather, let's keep things in perspective here. After all, it's the security vendors who have taught us about the balance required to be struck between risk and cost/convenience.
Running up the danger flag at this stage strikes me as being a bit of an over-reaction...