Could Google Repeat Apple’s Security Blunders?

Posted on 09. Jun, 2011 in Features

A lot of people like to say that history repeats itself. People will make the same mistakes, for the same reasons, over and over again. That’s pretty much one of the fundamental laws of the human race. That’s essentially one of the rules by which we’ve operated for... well, centuries. Now, a lot of you are probably wondering where I’m going with this – what the hell some pseudo-philosophical nonsense has to do with Chrome, or even technology.

I’m getting to that.

Security and the Mac

Back in 2000-2006, the Mac platform was picking up speed. The way Apple marketed the Mac, it seemed new. It was unique. It was a hot, hip alternative to Windows. They were pretty confident in their new operating system, and anyone who watched TV would be virtually inundated with ads lauding the superiority of Macs over PCs. One of the often touted reasons? The Mac was supposedly a virus-free platform (ironically enough, the very year that ad aired was when the first Mac OS X-specific Trojan was discovered). Now, for a time, Apple’s claims about the security of their system seemed legit. Instances of malicious software on the Mac were rare, if not completely unheard of.

That would soon change.

As a result of its supposed immunity (and to be fair, the Mac platform was immune to traditional Windows viruses), most Macs generally didn’t contain security software. The problem with that, of course, was that when a Mac was hit by a virus, it was hit hard. See, once the crusty little virus-forging trolls realized that more and more people were using Macs, they began designing viruses for Macs. And once they did that, well…the holes in Apple’s security became blindingly obvious, and the once ‘secure’ Mac OS was left at the mercy of malware. All it took was the right virus.

Enter Mac Defender. Last month this new piece of malware caught the Mac platform completely off guard.  It’s become a complete epidemic, apparently infecting somewhere between 60,000 and 120,000 systems. The worst part, though? It wasn’t the virus. It was Apple’s handling of the event.  Apple flatly denied there was a problem- even going so far as to order their representatives not to assist customers with malware removal. They’ve since released a security update to rectify the problem with Mac Defender, but the whole snafu has opened the eyes of a lot of people- Macs aren’t safe from malicious software, not like Apple would have once liked their customers to believe. The foolish assumption that their system was immune, and their ham-handed attempts to perpetuate the image even in the face of overwhelming evidence to the contrary…well, it did a lot more harm than good to Apple’s rep.

Again, you’re probably wondering what this all has to do with Google- with Chrome.

Chrome’s Unique Security

Chrome is completely unlike any operating system we’ve seen to date, I’ll give it that. The fact that it operates entirely on the cloud - in a “sandboxed environment”, as Google has been so fond of saying - gives it a massive leg up on every traditional operating system on the market as far as virus protection goes. Since every single application on Chrome’s OS runs in its own personal ‘sandbox’, infected applications can’t interact with other apps. Basically, every single program on Chrome runs in its own personal quarantine zone. What’s more, since all personal files and data are stored on a remote server, infected files can’t really do much. And in the nearly impossible event that a Chromebook should come down with a nasty case of malware, damage control is much more effective, since all your personal data is saved from the ravages of the viral infection. Of course, the likelihood of a Mac - I mean, a Chromebook - coming down with a virus is, well… nonexistent, right?

That’s the story Google’s been perpetuating, anyway. Rik Ferguson, director of security research at Trend Micro, isn’t buying it. He made a rather pointed post on his blog giving his take on the whole thing. “While I applaud the impressive advances in security that are apparent in Chrome OS,” Ferguson says, “to a certain extent we are seeing marketing history repeat itself. How often did the mantra that Mac OS was immune to malware need to be repeated until the vast majority of users believed it and continue to do so, even after Apple went as far as incorporating rudimentary AV software into Mac OS?” He ultimately concludes that the belief Google is perpetuating about their operating system is foolish, to say the least. I’m inclined to agree - after all, it was basically assumptions of invulnerability that sank the Titanic.

Okay, yeah, probably not a very good analogy. Let’s move on.

Holes in Chrome’s Security

Well, first and foremost, let’s take another look at sandboxing. What Google has said to the public rather insistently implies that operating on the Chrome platform means you’re operating in a completely sterile environment - any malicious infections will be isolated, confined to their own little bubbles, and unable to cause any real damage. Ferguson definitely didn’t neglect putting in his two cents about that little point in his blog post, either: “Of course the sandboxing technology is designed to ensure that even a bad native app can’t misbehave. Well, exploits that break out of sandboxing have already been demonstrated for Internet Explorer, for Java, for Google Android and of course for the Chrome browser (to name but a few).”

So sandboxing prevents infected apps from interacting with other apps. Except when they can. That’s not all Ferguson has to say, either (he’s sort of ripping Google a new one here, isn’t he? But hey- they need to have their eyes opened just a touch.) Long story short, Google seems to be forgetting one very, very important aspect of spyware and malware- if a piece of malware exists, that means it was developed by someone. But not just anyone. These criminals are likely intelligent, resourceful, and cunning. Google’s Chromebooks have changed the game, so they’ll change their approach.  Ferguson says it better than I could:

“In regards the notion of the operating system always reverting to a known good state at reboot and the security afforded by encrypted data being stored in Google’s cloud, well surely that’s just moving the goalposts for the bad guys. For much of today’s malware, one of the primary goals is persistence. This will be much more difficult (see how I hesitate to say impossible) in the Chrome environment, so the motivation will shift. If I can infect you for one session and steal your keys, well then I’ll get what I can while I’m in there and then continue accessing your stuff in the cloud, after all I’ve got your keys now, I don’t need your PC anymore. The beauty of that for criminals is that the victim may be even more unaware than they are now that they have been compromised.”

So, wait. Let me see if I’ve got this straight – not only is Chrome not one hundred percent secure against intrusion, but the way the system’s built could actually serve to aid cyber crime?  That’s not exactly a comforting thought, is it?

Final Thoughts
Chrome’s security is above and beyond anything we’ve seen yet- but it’s not invincible. What’s more, there are sacrifices that need to be made to attain such a level of security- users aren’t going to be able to opt out of automatic updates, and there are going to be severe limitations on what desktop applications can be installed on the Chromebook.  And even with all of this, even with Chrome’s Cloud platform and sandboxed applications and verified boot- it’s not indestructible. It’s still vulnerable to attack; we just don’t really know the avenue through which this attack might originate.  Either way, Google’s perpetuating perhaps a rather dangerous mindset. When one thinks they’re invulnerable, one tends to take some rather dangerous- and foolish- risks.

Ultimately, Google risks going down the same road as Apple does with their marketing. Yes, their Chrome operating system is secure- perhaps one of the most secure operating systems to date. Even so, it’s not one hundred percent secure. No operating system is. Chrome has some weaknesses somewhere. But Google probably knows that, because if they don’t- well, I’m sure you all know what could happen.

How do you feel about Chrome’s security?

Via The Register, Computer Weekly


11 Responses to “Could Google Repeat Apple’s Security Blunders?”

  1. Anonymous

    09. Jun, 2011

    it is 100% secure

  3. acupuncture

    10. Jun, 2011

    One big difference is that Google is willing to pay for people to find the holes where Apple will ignore them even when found and presented to them. Google is taking a very proactive attitude with Chrome & Chrome OS security. Nonetheless, no operating system is immune unless you cut off all possible ways for the OS to interact with the outside world.

  4. Nicholas Greene

    11. Jun, 2011

    Anonymous: No system is 100% secure, unless, as acupuncture said, you completely cut it off from the outside world. Since Chrome operates on the cloud… yeah, not happening.

    Acupuncture: That’s true, they do seem a bit less bullheaded when it comes to flaws in their products. I was frankly quite shocked at the rather idiotic way that Apple handled the Macdefender scandal.

  5. Anonymous

    13. Jun, 2011

    The marketing text from Google repeatedly says that there is no perfect security.

    http://www.google.com/chromebook/features-security.html

    “Chromebooks use the first operating system designed with this ongoing threat in mind. It uses the principle of “defense in depth” to provide multiple layers of protection, so if any one layer is bypassed, others are still in effect. So while it’s still important to take precautions to protect your data, Chromebooks let you breathe just a little bit easier.”

    That’s why there is a “hardware backed recovery system”.

    And any research into the public documentation only provides more detail in the thought process behind the Chromebook:

    http://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview

  6. [...] a long time coming, but I must say Chrome and Chrome OS is something that I believe in, even in spite of the criticisms that we give Google here for some things sometimes. I hope that the words we have written here reflect [...]

  7. Cougar Abogado

    17. Jun, 2011

    @6/13/11 Anon. I imagine Apple probably has some fine print legal text, itself (most organizations with a decent legal department want to cover themselves). I think what Nicholas is trying to say is that Google’s main signal to the public is, “There are no viruses/malware on Chrome OS devices.” Many would call this puffery (or sales exaggeration).

    Google can be inclined to puff (as in the sales variety from above), here and there. Take, for example, how Google says NOTHING is stored on Chrome OS devices. From an absolutist view, this is wrong: Downloaded/transferred files, at least, reside on the device, itself.

    @Nicholas. I enjoyed the article. I’m unsure what I’d advise Google to say (on the surface) that would fall short of “100% virus free” and yet sound strong enough to get its message across. Maybe, “It is insanely difficult to breach Chrome OS’ security layers.”

  8. Nicholas Greene

    21. Jun, 2011

    I’d say this probably sums it up quite nicely: “Unlike any computer ever made, and consequently one of the most secure operating systems currently on the market. Though Chrome is safer, we still advise you to practice safe browsing: No system is one hundred percent secure, after all.”

  9. [...] exists that could specifically target Chrome yet. Of course, as we learned from Apple’s Macdefender scandal, all it takes is one bit of malware that runs on the system, and everything goes down the toilet. [...]

  11. [...] said it before, I’ll say it again- Chrome is probably the most secure operating system in circulation right [...]
