Wednesday, July 8, 2009

Google Chrome OS: No Viruses, Malware, or Security Updates?

Yesterday evening, Google announced a brand new operating system project called the Google Chrome Operating System, based on some of the concepts behind its Chrome Web browser. Google Chrome OS is supposed to be a lightweight operating system designed with low-powered computers such as netbooks in mind. In the announcement, Google made some pretty bold claims about the security of the upcoming OS which I feel should be addressed. From the press release (bold emphasis mine):
"Speed, simplicity and security are the key aspects of Google Chrome OS. ... And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work."
To make such claims about the security of an operating system—especially one that's still in its early stages of development—is laughable. Granted, it could turn out to be true that fewer viruses will be designed specifically for Google's Chrome OS than for competing platforms; if recent trends continue, most malware authors will continue to primarily target Windows since it has the lion share of the market and thus has the most potential for ill-gotten revenue through software or user exploitation. Google's marketing spin is similar to that of Apple, which claims that Mac users don't have to deal with viruses or malware in spite of the fact that there are a handful of Mac OS X-infecting Trojan horses in the wild, not to mention platform-independent browser exploits.

But how can Google possibly claim that users won't have to deal with security updates? No matter how secure one might think a piece of software is, given enough time and motivation someone will probably discover an exploit for it. To give Google the benefit of the doubt, perhaps the authors of the press release (Sundar Pichai, VP Product Management and Linus Upson, Engineering Director) simply meant that security updates will be applied automatically without any user interaction, similar to how the Chrome browser is capable of updating itself automatically on Windows by keeping an updater process always running in the background.

It will be interesting to see what becomes of the Google Chrome OS, and in particular how it will deal with security threats. But no matter how awe-inspiring Google's marketing hype is, the new OS will not be a panacea for computer security.


  1. This has been rhetoric of Mac OS X fans past, present and future. Even though there are documented security flaws and viruses dating back to OS 10.1. There wouldn't be a market for Mac antivirus if there weren't.

    What this boils down to is market share and the financial motivation for people to really exploit Google Chrome OS. Mac OS X enjoyed such little market share that it touted security through obsurity. I think what you are getting at is the irresponsibility to claim things that cannot be verified before zero day. It makes sense to claim that updates and antivirus may be transparent to the user, it is foolish to claim any software system is invincible, regardless of obscurity.

  2. Google is saying people don't have to deal with it, not that it wouldn't happen. Most Chrome users don't really have to deal with updates because Chrome gets updates automatically and installs the updates the next time Chrome is started.


Comment moderation is enabled. (If you wish to contact Josh privately, you can leave a comment and ask that it not be published.)