Wednesday, July 8, 2009

Google Chrome OS: No Viruses, Malware, or Security Updates?

Yesterday evening, Google announced a brand new operating system project called the Google Chrome Operating System, based on some of the concepts behind its Chrome Web browser. Google Chrome OS is supposed to be a lightweight operating system designed with low-powered computers such as netbooks in mind. In the announcement, Google made some pretty bold claims about the security of the upcoming OS which I feel should be addressed. From the press release (bold emphasis mine):
"Speed, simplicity and security are the key aspects of Google Chrome OS. ... And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work."
To make such claims about the security of an operating system—especially one that's still in its early stages of development—is laughable. Granted, it could turn out to be true that fewer viruses will be designed specifically for Google's Chrome OS than for competing platforms; if recent trends continue, most malware authors will continue to primarily target Windows since it has the lion's share of the market and thus has the most potential for ill-gotten revenue through software or user exploitation. Google's marketing spin is similar to that of Apple, which claims that Mac users don't have to deal with viruses or malware in spite of the fact that there are a handful of Mac OS X-infecting Trojan horses in the wild, not to mention platform-independent browser exploits.

But how can Google possibly claim that users won't have to deal with security updates? No matter how secure one might think a piece of software is, given enough time and motivation someone will probably discover an exploit for it. To give Google the benefit of the doubt, perhaps the authors of the press release (Sundar Pichai, VP Product Management and Linus Upson, Engineering Director) simply meant that security updates will be applied automatically without any user interaction, similar to how the Chrome browser is capable of updating itself automatically on Windows by keeping an updater process always running in the background.

It will be interesting to see what becomes of the Google Chrome OS, and in particular how it will deal with security threats. But no matter how awe-inspiring Google's marketing hype is, the new OS will not be a panacea for computer security.