Chrome OS’ Unique Approach to Security Leaves Even Experts Unsure
On Wednesday, a Kaspersky Labs researcher posted to a security Web site his finding that the initial Chrome OS-based computers from Samsung appeared to be using an older version of Adobe Flash, potentially putting users at risk.
Indeed, the version of Flash running on the latest stable build of Chrome OS is not the latest version of Flash.
“This doesn’t bode well for Google’s security boast,” Kaspersky’s Roel Schouwenberg said in the Securelist posting. “ChromeOS is supposed to be all about being able to trust Google to take care of security for you. Google has gone through great lengths to secure ChromeOS itself, but security doesn’t stop there. A platform needs to be properly managed if it intends on being and staying secure.”
However, a Google representative said additional security patches have in fact been applied to that version of Flash, closing the vulnerabilities corrected in more recent releases of the Adobe software.
Either way, the issue highlights the different approach Google is taking with security in its new operating system.
With most computer operating systems, the software providers are responsible for providing patches, but it is the user who decides whether to update his or her system, applying the updates either manually or automatically.
With Chrome OS, Google has changed the approach.
Chrome OS-based computers, known as Chromebooks, run software only within Google’s browser, and Google is in charge of managing the browser and its core add-ons, such as Flash.
Users are leaving the decisions of how and when to update the system to Google. That has both positive and negative implications, though Google maintains that Chrome OS is inherently more secure and eliminates the need for third-party security software.
On the downside, those who like control will feel a lack of power. In addition, the individual has little ability to take action in advance of any security measures taken by Google on behalf of all Chrome OS users.
However, Google has staked its reputation on Chrome OS being secure, giving the company a strong incentive to quickly close holes. The operating system also has a “verified boot” system in place to check at start-up for any modifications, potentially mitigating the impact rogue code might have.