Can a Chromebook be infected by a computer virus through a malicious website?












27















I am wondering if a Chromebook can receive a virus through a malicious website. I recently have heard they are immune to any sort of virus, but I am not sure that's true. Does somebody know if Chromebooks can be infected with a virus?




























  • 15





    General rule of thumb: if it runs software it can be infected. The odds of infection depend on many things, which are well explained in the answers already posted.

    – Alexandre Aubrey
    Jan 22 at 14:33











  • @AlexandreAubrey if it runs software and has any permanent storage.

    – rackandboneman
    Jan 22 at 15:46






  • 11





    @rackandboneman No, if it runs software. RAM-resident malware has been around for years; in fact, it used to be the norm; if the goal is to steal credit card details instead of just format the hard drive, it'd be profitable to make these again.

    – wizzwizz4
    Jan 22 at 17:32











  • Not sure if it's worth an answer on its own, but IF your Chromebook does get a virus somehow (I've never had one in 5+ years of using one), it's really easy to powerwash the device, which is the Chrome OS term for resetting to factory settings. Since all your settings and everything are in the cloud, once you log back in it will all be back to normal. The whole powerwash takes 15-30 minutes until you are back to the state you were in before. I love Chromebooks, so feel free to message me if you have questions.

    – samuraiseoul
    Jan 23 at 15:50























virus malware chromebook
















asked Jan 22 at 6:47









JimJim



















4 Answers


















30














Tl;dr - yes (but unlikely).





From https://en.wikipedia.org/wiki/Chrome_OS:




Chrome OS is an operating system designed by Google that is based on
the Linux kernel and uses the Google Chrome web browser as its
principal user interface. As a result, Chrome OS primarily supports
web applications.




Google around for information about Linux & virus and you will find that it is low runner, but certainly not unheard of.



For instance, "Does Linux need antivirus?" says




There is much debate as to whether Linux needs antivirus. Proponents
of Linux state that its heritage as a multi-user, networked operating
systems means that it was built from the ground up with superior
malware defense. Others take the stance that while some operating
systems can be more resistant to malware, there’s simply no such thing
as a virus-resistant operating system. The second group is correct –
Linux is not impervious to viruses




and "Can my UNIX or Linux computer become infected with a virus?" says




Few viruses are currently known for UNIX or Linux. However, virus
checking is necessary for these reasons:




  • UNIX or Linux computers acting as servers for other operating system client workstations can become carriers for other virus types, e.g. Windows macro viruses.

  • UNIX and Linux computers are often used as mail servers, and can check email for worms and infected attachments before they reach the desktop.

  • If your UNIX or Linux computer is running a PC emulator (a 'soft PC'), applications running under that emulator are vulnerable to viruses, particularly macro viruses.




So, you are at little risk, but not no risk



Recommended reading: Chromebook How To: Viruses, Malware and Chrome OS Security



























  • 4





    deleted my answer as yours was way more complete. I couldn't provide more without replicating your answer... :)

    – Stese
    Jan 22 at 8:22






  • 2





    I didn't even see yours; we must have posted simultaneously (so, upvote to your comment ;-). Bottom line, if it has a processor, someone will try to code a virus for it. In this case, the biggest risks are browser plugins.

    – Mawg
    Jan 22 at 8:27






  • 6





    Your last quote suggests that you use the anti-virus on the linux machine not to protect itself, but to protect the windows machines "downstream"; the latter part isn't about running linux at all. Since a chromebook is out of scope of all these points, I feel it's just not relevant to the question.

    – UKMonkey
    Jan 22 at 10:38






  • 3





    then again, there are quite a few people arguing that you shouldn't even install antivirus on Windows (maybe aside MS's own version), as this will open up another attack vector for viruses to get on your system in the first place. arstechnica.com/information-technology/2017/01/antivirus-is-bad

    – Frank Hopkins
    Jan 22 at 14:25






  • 1





    Should one consider the tons of malware apps for Android as an example for a linux-based system which needs some form of defense against malware? And the risk seems not so small, when one includes a broad variety of malware, not just viruses attacking the underlying linux system...

    – Falco
    Jan 23 at 14:11



















9














tl;dr



Yes, just be careful and don't install any extensions and if you do make sure you understand the permissions they ask for.






Note: The professional definition of "computer virus" is a specific type of malicious application, the "normal" definition of "computer virus" is more or less any malicious application. Reading the OP's post I have interpreted his question to be using the term in the latter meaning.






Totally agree with the other answer and will start from the same place, but expand on it a bit:




Chrome OS is an operating system designed by Google that is based on the Linux kernel and uses the Google Chrome web browser as its principal user interface. As a result, Chrome OS primarily supports web applications.




Source: Wikipedia



Chrome: Passive attacks



Description of attack:




  1. You open a website

  2. Suddenly you have a virus


Likelihood: Even with Chrome on Windows these are incredibly uncommon, but the fact that Chrome on ChromeOS runs on Linux means that it's far less "worth" it for attackers to create attacks for Linux/ChromeOS.



Chrome: Stupid user attacks (malware + malicious site)



Description of attack:




  1. You open a website

  2. Website convinces the user to do something stupid


    • Example: You open a streaming site (the type which takes its content without permission or legal right from the copyright owner) and the site convinces its users to install a missing codec, whilst they actually install some virus.




Likelihood: As Chrome doesn't allow (by default) running actual Linux applications there is a far smaller attack surface. Additionally most of those attacks target once again Windows, so you end up with a bunch of useless .exe files in your Downloads folder.



BUT another type of cross platform attack which does work and is not uncommon is the installation of malicious chrome extensions. These will typically request the permission to





  • Read and change your data on all sites




Anyway, this requires the user to do something stupid and ignore the literal warning that the extension will have the permission to see and change anything you see (including for example your online banking interface).





Note: This doesn't start with a malicious site, so it doesn't really fall under the OP's question from the title, but does answer the question in the body.



Android: Passive attacks



Description of attack:




  1. You install and open a malicious android app

  2. Suddenly you have a virus (where a virus is once again defined as something that could steal your passwords or access your online banking)


Likelihood: The sandboxing on Android apps is so well done that as far as I currently know nobody has yet broken through it. This means practically that you are reasonably safe from this happening though. Of course, any permission you do grant to the android app - just like with the chrome extensions - can be used against you by a malicious player.



Linux attack surface



Description of attack:




  1. (Prequel) You enable linux applications (this is disabled by default and only for powerusers)

  2. You open some innocent looking file


    • Example: Some libreoffice document



  3. Suddenly you have a virus


Likelihood: Even if you do enable Linux apps and you open yourself to more or less all the dangers of running normal Linux, viruses on Linux are incredibly uncommon. See Mawg's answer for a discussion of this.






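An added example, not part of the original answer: a Python check that reads the content of an extension's manifest.json and reports whether the extension can act on every site (the "Read and change your data on all sites" grant described above), either at install time or through a later optional request. The sample manifests, the extension names and the short SENSITIVE_APIS selection are constructed for illustration.

```python
import json

# Extension API permissions worth a second look when paired with broad host
# access (a short, non-exhaustive selection chosen for this example).
SENSITIVE_APIS = {"cookies", "webRequest", "tabs", "history", "debugger",
                  "proxy", "nativeMessaging", "clipboardRead", "management"}


def matches_every_host(pattern):
    """True if a match pattern covers all web hosts (<all_urls>, *://*/*, ...)."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False  # an API name such as "storage", not a host pattern
    host = rest.split("/", 1)[0]
    return scheme in ("*", "http", "https") and host == "*"


def _strings(values):
    # Ignore non-string entries so odd manifests do not crash the audit.
    return [v for v in values if isinstance(v, str)]


def audit_manifest(manifest):
    """Summarise the site access an extension gets from its manifest."""
    # Manifest V2 puts host patterns in "permissions"; V3 uses
    # "host_permissions". Content-script "matches" grant page access too.
    granted = _strings(manifest.get("permissions", []))
    granted += _strings(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        granted += _strings(script.get("matches", []))
    # Optional grants are not active at install but can be requested later.
    optional = _strings(manifest.get("optional_permissions", []))
    optional += _strings(manifest.get("optional_host_permissions", []))
    return {
        "name": manifest.get("name", "<unnamed>"),
        "all_sites_at_install": any(matches_every_host(p) for p in granted),
        "all_sites_on_request": any(matches_every_host(p) for p in optional),
        "sensitive_apis": sorted(SENSITIVE_APIS.intersection(granted)),
    }


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = [
    json.loads("""{"manifest_version": 3, "name": "Page Notes",
        "permissions": ["storage"],
        "host_permissions": ["https://notes.example.com/*"]}"""),
    json.loads("""{"manifest_version": 2, "name": "Free Video Codec",
        "permissions": ["<all_urls>", "webRequest", "cookies"]}"""),
    json.loads("""{"manifest_version": 3, "name": "Theme Switcher",
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}"""),
    json.loads("""{"manifest_version": 3, "name": "Price Helper",
        "permissions": ["activeTab"],
        "optional_host_permissions": ["https://*/*"]}"""),
]


def flagged(manifests):
    """Names of extensions that can read and change data on all sites."""
    return [r["name"] for r in map(audit_manifest, manifests)
            if r["all_sites_at_install"] or r["all_sites_on_request"]]


if __name__ == "__main__":
    for report in map(audit_manifest, SAMPLE_MANIFESTS):
        print(report)
```

An extension that only injects a content script into `*://*/*` is flagged even though its "permissions" list looks harmless, which is why the audit reads all three places a host pattern can appear.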

































    6














    Chrome OS has some features that make it very difficult for a virus to run, to elevate privilege to root, or to survive a reboot (become persistent).




    • The Chrome Sandbox (pdf) limits what a process can do. All operations are sandboxed, apart from basic CPU and memory usage. This means the renderer, javascript process, PDF renderer, etc. are sandboxed, and will not be allowed to execute arbitrary syscalls, write to arbitrary files, do network io, etc. unless those calls are explicitly allowed.


    • Verified Boot (Firmware boot). The Chrome OS boot happens in several stages. The first stage is a boot flash ROM, which is protected from writing by a hardware switch on the motherboard (this protection can be disabled if you want to flash your own boot loader). The Chrome firmware is stored in two writeable slots, but the signature is verified by the first stage, so it can't be arbitrarily modified and still boot. The kernel and initramfs are stored as GPT volumes and are signed, so those can't be modified either. The actual OS filesystem uses Verity to sign every block, and the signature is checked when a block is loaded, so the file system can't be modified either.


    • Constant updates. Chrome OS uses an A/B OS install so that security updates can be shipped regularly and automatically, with failed updates being easily reverted.



    So, for a virus to run on the Chromebook, it would require a persistent compromise that chains something like:




    • an exploit to run native code (the virus)

    • a sandbox escape, to access the filesystem

    • a root exploit, in order to modify OS files

    • a "verified boot" exploit, targeting the firmware flash or filesystem, so that the modified OS files will be loaded on reboot

    • some way to spread to other Chromebooks (if we are talking about a traditional virus)


    Google offer a $100k bounty for anyone who reveals such a persistent compromise. There are only a couple of instances (1,2) where this has been claimed. The second of these required chaining together five CVE vulnerabilities. Not easy.






























    • This is true if you take the "proper" definition of computer virus, but the OP was not likely using the "proper" definition of virus, but rather the common definition of virus which includes things like malware.

      – David Mulder
      Jan 23 at 7:55











    • Yes, it depends how you define "malware". Malware, as it is usually known on Windows, would still need an ability to run code, escape the sandbox, and modify the file system to become persistent. But if you define malware as something that happens purely in the browser, like a malicious Chrome extension, then every OS that allows Chrome to be run is vulnerable.

      – bain
      Jan 23 at 11:10
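An added example, not part of the original answer and not Chrome OS code: a simplified model of the per-block check described under Verified Boot, showing why a modified block is rejected even when the stored hashes are rewritten to match it. Real dm-verity uses a wider, salted hash tree with its own on-disk format; the binary tree, the block contents and the class and function names here are assumptions made for illustration.

```python
import hashlib
import hmac


def _h(data):
    return hashlib.sha256(data).digest()


def build_hash_tree(blocks):
    """Return tree levels: levels[0] has one hash per block, levels[-1] is [root]."""
    level = [_h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                 # odd count: pair the last node with itself
            level = level + [level[-1]]
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


class VerifiedDevice:
    """Read-only block store that checks each block against a trusted root hash."""

    def __init__(self, blocks, levels, trusted_root):
        self.blocks = blocks              # untrusted: sits on writable storage
        self.levels = levels              # untrusted: stored beside the data
        self.trusted_root = trusted_root  # trusted: covered by the boot signature

    def read(self, index):
        block = self.blocks[index]
        node, pos = _h(block), index
        # Recompute the path to the root from the block actually read,
        # using stored hashes only for the siblings along the way.
        for level in self.levels[:-1]:
            sibling_pos = pos ^ 1
            sibling = level[sibling_pos] if sibling_pos < len(level) else node
            node = _h(node + sibling) if pos % 2 == 0 else _h(sibling + node)
            pos //= 2
        if not hmac.compare_digest(node, self.trusted_root):
            raise IOError("block %d failed verification" % index)
        return block


def read_ok(device, index):
    """True if the block verifies, False if the read is refused."""
    try:
        device.read(index)
        return True
    except IOError:
        return False


def make_demo_device():
    """Constructed 5-block 'filesystem' plus the root hash recorded at build time."""
    blocks = [bytes([i]) * 4096 for i in range(5)]
    levels = build_hash_tree(blocks)
    return VerifiedDevice(blocks, levels, trusted_root=levels[-1][0])


if __name__ == "__main__":
    dev = make_demo_device()
    print("clean:", [read_ok(dev, i) for i in range(5)])
    dev.blocks[2] = b"\xff" * 4096                 # modify one block on disk
    print("block changed:", [read_ok(dev, i) for i in range(5)])
    dev.levels = build_hash_tree(dev.blocks)       # also rewrite the stored tree
    print("tree rewritten:", [read_ok(dev, i) for i in range(5)])
```

Only the root hash has to be protected by the signature chain; everything else can live on writable storage because any change to it surfaces as a mismatch at the root.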



















    0














    Do Chromebooks have vulnerabilities?



    Yes.



    A brief search, at the time of writing this answer, on MITRE's CVE website by "chromebook" keyword, results in 9 vulnerability reports, all dated 2011 or 2012. Specifically, these mention "Acer AC700, Samsung Series 5, and Cr-48". According to the article in Security Week by Eduard Kovacs:




    A researcher who uses the online moniker Gzob Qq informed Google on
    September 18 that he had identified a series of vulnerabilities that
    could lead to persistent code execution on Chrome OS, the operating
    system running on Chromebox and Chromebook devices.



    The exploit chain includes an out-of-bounds memory access flaw in the
    V8 JavaScript engine (CVE-2017-15401), a privilege escalation in
    PageState (CVE-2017-15402), a command injection flaw in the
    network_diag component (CVE-2017-15403), and symlink traversal issues
    in crash_reporter (CVE-2017-15404) and cryptohomed (CVE-2017-15405).




    So there's another set of CVE exploits dated 2017.



    Attack surface:



    Note that this does not take into account vulnerabilities in extensions from Google Store. Every additional extension may increase attack surface. An interesting example of an extension that violates user's privacy and puts machine into botnet service can be found in Trend Micro's article:




    This botnet was used to inject ads and cryptocurrency mining code into
    websites the victim would visit. We have dubbed this particular botnet
    Droidclub, after the name of one of the oldest command-and-control
    (C&C) domains used.



    In addition to the above features, Droidclub also abuses legitimate
    session replay libraries to violate the user’s privacy. These scripts
    are injected into every website the user visits. These libraries are
    meant to be used to replay a user’s visit to a website, so that the
    site owner can see what the user saw, and what he entered into the
    machine, among other things.




    Of course, physical access to devices is a significant factor - hardware itself could be compromised.



    Note that attack surface may increase if the Chromebook runs out of the support cycle, which currently is 5 years, according to PC World's article. While the article states there's no clarity on the situation, apparently Google does intend to provide security updates:




    There is, however, one more wrinkle to this story: Given that security
    is “one of the key tenets of Chrome OS,” Google says it’s “working
    with our partners to update our policies so that we’re able to extend
    security patches and updates beyond a device’s EOL date.”



    Google isn’t making any guarantees at this point, but it sounds like
    the company wants to extend updates—at least on the security
    side—beyond five years. It also sounds like device makers such as Acer
    and Samsung would be partially responsible for making that happen.




    Conclusion



    In short, yes, one can get exploits on Chrome OS. As mentioned in Mawg's answer, Chrome OS uses Linux Kernel, so Windows-specific exploits won't affect Chrome OS. Nonetheless, that doesn't decrease the attack surface if Linux Kernel exploits are of interest.






    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "3"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1396896%2fcan-a-chromebook-be-infected-by-a-computer-virus-through-a-malicious-website%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      4 Answers
      4






      active

      oldest

      votes








      4 Answers
      4






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      30














      Tl;dr - yes (but unlikely).





      From https://en.wikipedia.org/wiki/Chrome_OS:




      Chrome OS is an operating system designed by Google that is based on
      the Linux kernel and uses the Google Chrome web browser as its
      principal user interface. As a result, Chrome OS primarily supports
      web applications.




      Google around for information about Linux & virus and you will find that it is low runner, but certainly not unheard of.



      For instance, Does Linux need antivirus? says




      There is much debate as to whether Linux needs antivirus. Proponents
      of Linux state that its heritage as a multi-user, networked operating
      systems means that it was built from the ground up with superior
      malware defense. Others take the stance that while some operating
      systems can be more resistant to malware, there’s simply no such thing
      as a virus-resistant operating system. The second group is correct –
      Linux is not impervious to viruses




      and Can my UNIX or Linux computer become infected with a virus? says




      Few viruses are currently known for UNIX or Linux. However, virus
      checking is necessary for these reasons:




      • UNIX or Linux computers acting as servers for other operating system client workstations can become carriers for other virus types, e.g. Windows macro viruses.

      • UNIX and Linux computers are often used as mail servers, and can check email for worms and infected attachments before they reach the desktop.

      • If your UNIX or Linux computer is running a PC emulator (a 'soft PC'), applications running under that emulator are vulnerable to viruses, particularly macro viruses.




      So, you are at little risk, but not no risk



      Recommended reading: Chromebook How To: Viruses, Malware and Chrome OS Security






      share|improve this answer





















      • 4





        deleted my answer as yours was way more complete. I couldn't provide more without replicating your answer... :)

        – Stese
        Jan 22 at 8:22






      • 2





        I didn't even see yours; we must have posted simultaneously (so, upvote to your comment ;-). Bottom line, if it has a processor, someone will try to code a virus for it. In this case, the biggest risks are browser plugins.

        – Mawg
        Jan 22 at 8:27






      • 6





        Your last quote suggests that you use the anti-virus on the linux machine not to protect itself, but to protect the windows machines "downstream"; the the latter part isn't about running linux at all. Since a chromebook is out of scope of all these points, I feel it's just not relevant to the question.

        – UKMonkey
        Jan 22 at 10:38






      • 3





        then again, there are quite a few people arguing that you shouldn't even install antivirus on Windows (maybe aside MS's own version), as this will open up another attack vector for viruses to get on your system in the first place. arstechnica.com/information-technology/2017/01/antivirus-is-bad

        – Frank Hopkins
        Jan 22 at 14:25






      • 1





        Should one consider the tons of malware apps for Android as an example for a linux-based system which needs some form of defense against malware? And the risk seems not so small, when one includes a broad variety of malware, not just viruses attacking the underlying linux system...

        – Falco
        Jan 23 at 14:11
















      30














      Tl;dr - yes (but unlikely).





      From https://en.wikipedia.org/wiki/Chrome_OS:




      Chrome OS is an operating system designed by Google that is based on
      the Linux kernel and uses the Google Chrome web browser as its
      principal user interface. As a result, Chrome OS primarily supports
      web applications.




      Google around for information about Linux & virus and you will find that it is low runner, but certainly not unheard of.



      For instance, Does Linux need antivirus? says




      There is much debate as to whether Linux needs antivirus. Proponents
      of Linux state that its heritage as a multi-user, networked operating
      systems means that it was built from the ground up with superior
      malware defense. Others take the stance that while some operating
      systems can be more resistant to malware, there’s simply no such thing
      as a virus-resistant operating system. The second group is correct –
      Linux is not impervious to viruses




      and Can my UNIX or Linux computer become infected with a virus? says




      Few viruses are currently known for UNIX or Linux. However, virus
      checking is necessary for these reasons:




      • UNIX or Linux computers acting as servers for other operating system client workstations can become carriers for other virus types, e.g. Windows macro viruses.

      • UNIX and Linux computers are often used as mail servers, and can check email for worms and infected attachments before they reach the desktop.

      • If your UNIX or Linux computer is running a PC emulator (a 'soft PC'), applications running under that emulator are vulnerable to viruses, particularly macro viruses.




      So, you are at little risk, but not no risk



      Recommended reading: Chromebook How To: Viruses, Malware and Chrome OS Security






      share|improve this answer





















      • 4





        deleted my answer as yours was way more complete. I couldn't provide more without replicating your answer... :)

        – Stese
        Jan 22 at 8:22






      • 2





        I didn't even see yours; we must have posted simultaneously (so, upvote to your comment ;-). Bottom line, if it has a processor, someone will try to code a virus for it. In this case, the biggest risks are browser plugins.

        – Mawg
        Jan 22 at 8:27






      • 6





        Your last quote suggests that you use the anti-virus on the linux machine not to protect itself, but to protect the windows machines "downstream"; the the latter part isn't about running linux at all. Since a chromebook is out of scope of all these points, I feel it's just not relevant to the question.

        – UKMonkey
        Jan 22 at 10:38






      • 3





        then again, there are quite a few people arguing that you shouldn't even install antivirus on Windows (maybe aside MS's own version), as this will open up another attack vector for viruses to get on your system in the first place. arstechnica.com/information-technology/2017/01/antivirus-is-bad

        – Frank Hopkins
        Jan 22 at 14:25






      • 1





        Should one consider the tons of malware apps for Android as an example for a linux-based system which needs some form of defense against malware? And the risk seems not so small, when one includes a broad variety of malware, not just viruses attacking the underlying linux system...

        – Falco
        Jan 23 at 14:11














      30












      30








      30







      Tl;dr - yes (but unlikely).





      From https://en.wikipedia.org/wiki/Chrome_OS:




      Chrome OS is an operating system designed by Google that is based on
      the Linux kernel and uses the Google Chrome web browser as its
      principal user interface. As a result, Chrome OS primarily supports
      web applications.




      Google around for information about Linux & virus and you will find that it is low runner, but certainly not unheard of.



      For instance, Does Linux need antivirus? says




      There is much debate as to whether Linux needs antivirus. Proponents
      of Linux state that its heritage as a multi-user, networked operating
      systems means that it was built from the ground up with superior
      malware defense. Others take the stance that while some operating
      systems can be more resistant to malware, there’s simply no such thing
      as a virus-resistant operating system. The second group is correct –
      Linux is not impervious to viruses




      and Can my UNIX or Linux computer become infected with a virus? says




      Few viruses are currently known for UNIX or Linux. However, virus
      checking is necessary for these reasons:




      • UNIX or Linux computers acting as servers for other operating system client workstations can become carriers for other virus types, e.g. Windows macro viruses.

      • UNIX and Linux computers are often used as mail servers, and can check email for worms and infected attachments before they reach the desktop.

      • If your UNIX or Linux computer is running a PC emulator (a 'soft PC'), applications running under that emulator are vulnerable to viruses, particularly macro viruses.




      So, you are at little risk, but not no risk.



      Recommended reading: Chromebook How To: Viruses, Malware and Chrome OS Security






      edited Jan 22 at 11:14
      Wai Ha Lee

      answered Jan 22 at 8:00
      Mawg








      • 4





        deleted my answer as yours was way more complete. I couldn't provide more without replicating your answer... :)

        – Stese
        Jan 22 at 8:22






      • 2





        I didn't even see yours; we must have posted simultaneously (so, upvote to your comment ;-). Bottom line, if it has a processor, someone will try to code a virus for it. In this case, the biggest risks are browser plugins.

        – Mawg
        Jan 22 at 8:27






      • 6





        Your last quote suggests that you use the anti-virus on the linux machine not to protect itself, but to protect the windows machines "downstream"; the latter part isn't about running linux at all. Since a chromebook is out of scope of all these points, I feel it's just not relevant to the question.

        – UKMonkey
        Jan 22 at 10:38






      • 3





        then again, there are quite a few people arguing that you shouldn't even install antivirus on Windows (maybe aside MS's own version), as this will open up another attack vector for viruses to get on your system in the first place. arstechnica.com/information-technology/2017/01/antivirus-is-bad

        – Frank Hopkins
        Jan 22 at 14:25






      • 1





        Should one consider the tons of malware apps for Android as an example for a linux-based system which needs some form of defense against malware? And the risk seems not so small, when one includes a broad variety of malware, not just viruses attacking the underlying linux system...

        – Falco
        Jan 23 at 14:11














      9














      tl;dr



      Yes, just be careful and don't install any extensions, and if you do, make sure you understand the permissions they ask for.






      Note: The professional definition of "computer virus" is a specific type of malicious application; the "normal" definition of "computer virus" is more or less any malicious application. Reading the OP's post, I have interpreted his question to be using the term in the latter meaning.






      Totally agree with the other answer and will start from the same place, but expand on it a bit:




      Chrome OS is an operating system designed by Google that is based on the Linux kernel and uses the Google Chrome web browser as its principal user interface. As a result, Chrome OS primarily supports web applications.




      Source: Wikipedia



      Chrome: Passive attacks



      Description of attack:




      1. You open a website

      2. Suddenly you have a virus


      Likelihood: Even with Chrome on Windows these are incredibly uncommon, but the fact that Chrome on ChromeOS runs on Linux means that it's far less "worth" it for attackers to create attacks for Linux/ChromeOS.



      Chrome: Stupid user attacks (malware + malicious site)



      Description of attack:




      1. You open a website

      2. Website convinces the user to do something stupid


        • Example: You open a streaming site (the type which takes its content without permission or legal right from the copyright owner) and the site convinces its users to install a missing codec, whilst they actually install some virus.




      Likelihood: As Chrome doesn't allow (by default) running actual Linux applications there is a far smaller attack surface. Additionally most of those attacks target once again Windows, so you end up with a bunch of useless .exe files in your Downloads folder.



      BUT another type of cross-platform attack which does work and is not uncommon is the installation of malicious Chrome extensions. These will typically request the permission to





      • Read and change your data on all sites




      Anyway, this requires the user to do something stupid and ignore the literal warning that the extension will have the permission to see and change anything you see (including for example your online banking interface).





      Note: This doesn't start with a malicious site, so it doesn't really fall under the OP's question from the title, but does answer the question in the body.



      Android: Passive attacks



      Description of attack:




      1. You install and open a malicious Android app

      2. Suddenly you have a virus (where a virus is once again defined as something that could steal your passwords or access your online banking)


      Likelihood: The sandboxing on Android apps is so well done that, as far as I currently know, nobody has yet broken through it. This means practically that you are reasonably safe from this happening though. Of course, any permission you do grant to the Android app - just like with the Chrome extensions - can be used against you by a malicious player.



      Linux attack surface



      Description of attack:




      1. (Prequel) You enable Linux applications (this is disabled by default and only for power users)

      2. You open some innocent-looking file

        • Example: Some LibreOffice document

      3. Suddenly you have a virus


      Likelihood: Even if you do enable Linux apps and you open yourself to more or less all the dangers of running normal Linux, viruses on Linux are incredibly uncommon. See Mawg's answer for a discussion of this.






          edited Jan 23 at 7:58

          answered Jan 22 at 12:30
          David Mulder
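The permission check the answer above recommends can be done on an extension's manifest.json before installing it. The following is an added example, not part of the original answer: a Python audit that reports whether an extension's host patterns amount to "read and change your data on all sites". The three sample manifests and the short list of sensitive APIs are constructed for illustration.

```python
import json

# API permissions worth a second look (a short, non-exhaustive selection).
SENSITIVE_APIS = {
    "cookies": "read and change cookies for the hosts it can access",
    "webRequest": "observe network requests",
    "history": "read browsing history",
    "tabs": "see the URL and title of open tabs",
    "nativeMessaging": "exchange messages with a native application",
    "debugger": "attach the DevTools debugger to tabs",
}

# Manifest keys that can carry host match patterns. Manifest V3 uses the
# *host_permissions keys; Manifest V2 mixes hosts into "permissions".
HOST_KEYS = ("host_permissions", "optional_host_permissions",
             "permissions", "optional_permissions")

# Constructed sample manifests (not real extensions).
CODEC_HELPER = """{
  "manifest_version": 3, "name": "Video Codec Helper", "version": "1.0",
  "permissions": ["cookies", "webRequest", "storage"],
  "host_permissions": ["<all_urls>"]
}"""
MAIL_NOTIFIER = """{
  "manifest_version": 3, "name": "Mail Notifier", "version": "2.1",
  "permissions": ["storage", "alarms"],
  "host_permissions": ["https://mail.example.com/*"]
}"""
LEGACY_V2 = """{
  "manifest_version": 2, "name": "Old Toolbar", "version": "0.9",
  "permissions": ["tabs", "*://*/*"],
  "content_scripts": [{"matches": ["https://*.example.org/*"], "js": ["cs.js"]}]
}"""


def covers_all_sites(pattern):
    """True if a match pattern covers every web host, whatever its path."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    return bool(sep) and scheme in ("*", "http", "https") and host == "*"


def audit_manifest(manifest_text):
    """Sort host patterns into broad and scoped, and list sensitive APIs."""
    manifest = json.loads(manifest_text)
    broad, scoped, apis = [], [], set()
    for key in HOST_KEYS:
        for entry in manifest.get(key, []):
            if not isinstance(entry, str):
                continue  # ignore non-string entries
            if entry == "<all_urls>" or "://" in entry:
                target = broad if covers_all_sites(entry) else scoped
                target.append((key, entry))
            elif entry in SENSITIVE_APIS:
                apis.add(entry)
    # Content scripts run on matching pages even without a host permission.
    for script in manifest.get("content_scripts", []):
        for entry in script.get("matches", []):
            target = broad if covers_all_sites(entry) else scoped
            target.append(("content_scripts", entry))
    return {"name": manifest.get("name", "?"), "all_sites": bool(broad),
            "broad": broad, "scoped": scoped, "apis": sorted(apis)}


if __name__ == "__main__":
    for text in (CODEC_HELPER, MAIL_NOTIFIER, LEGACY_V2):
        report = audit_manifest(text)
        verdict = "ALL SITES" if report["all_sites"] else "scoped"
        print(f"{report['name']}: {verdict}")
        for key, pattern in report["broad"] + report["scoped"]:
            print(f"  host pattern {pattern!r} (from {key})")
        for api in report["apis"]:
            print(f"  API {api}: {SENSITIVE_APIS[api]}")
```

An extension flagged as ALL SITES that also holds `cookies` or `webRequest` can see the online banking session the answer mentions, so it deserves the closest review.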























              6














              Chrome OS has some features that make it very difficult for a virus to run, to elevate privilege to root, or to survive a reboot (become persistent).




              • The Chrome Sandbox (pdf) limits what a process can do. All operations are sandboxed, apart from basic CPU and memory usage. This means the renderer, JavaScript process, PDF renderer, etc. are sandboxed, and will not be allowed to execute arbitrary syscalls, write to arbitrary files, do network I/O, etc. unless those calls are explicitly allowed.


              • Verified Boot (Firmware boot). The Chrome OS boot happens in several stages. The first stage is a boot flash ROM, which is protected from writing by a hardware switch on the motherboard (this protection can be disabled if you want to flash your own boot loader). The Chrome firmware is stored in two writeable slots, but the signature is verified by the first stage, so it can't be arbitrarily modified and still boot. The kernel and initramfs are stored as GPT volumes and are signed, so those can't be modified either. The actual OS filesystem uses Verity to sign every block, and the signature is checked when a block is loaded, so the file system can't be modified either.


              • Constant updates. Chrome OS uses an A/B OS install so that security updates can be shipped regularly and automatically, with failed updates being easily reverted.



              So, for a virus to run on the Chromebook, it would require a persistent compromise that chains something like:




              • an exploit to run native code (the virus)

              • a sandbox escape, to access the filesystem

              • a root exploit, in order to modify OS files

              • a "verified boot" exploit, targeting the firmware flash or filesystem, so that the modified OS files will be loaded on reboot

              • some way to spread to other Chromebooks (if we are talking about a traditional virus)


              Google offer a $100k bounty for anyone who reveals such a persistent compromise. There are only a couple of instances (1,2) where this has been claimed. The second of these required chaining together five CVE vulnerabilities. Not easy.






              • This is true if you take the "proper" definition of computer virus, but the OP was not likely using the "proper" definition of virus, but rather the common definition of virus which includes things like malware.

                – David Mulder
                Jan 23 at 7:55











              • Yes, it depends how you define "malware". Malware, as it is usually known on Windows, would still need an ability to run code, escape the sandbox, and modify the file system to become persistent. But if you define malware as something that happens purely in the browser, like a malicious Chrome extension, then every OS that allows Chrome to be run is vulnerable.

                – bain
                Jan 23 at 11:10
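The block-level check in the Verified Boot bullet of the answer above can be modelled in a few lines. This is an added example, not code from the answer or from Chrome OS: a simplified Python model of dm-verity's general design, a hash tree over fixed-size blocks where only the root hash has to be trusted. The block size, the constructed image and all function names are assumptions, and the layout is not dm-verity's on-disk format.

```python
import hashlib

BLOCK_SIZE = 4096                                    # assumed data block size
FANOUT = BLOCK_SIZE // hashlib.sha256().digest_size  # 128 hashes per hash block


class IntegrityError(Exception):
    """Raised when a block or the hash tree fails verification."""


def sha256(data):
    return hashlib.sha256(data).digest()


def make_image(n_blocks=300):
    """Constructed stand-in for a read-only root filesystem image."""
    return b"".join(i.to_bytes(4, "big") * (BLOCK_SIZE // 4)
                    for i in range(n_blocks))


def split_blocks(image):
    """Cut the image into zero-padded BLOCK_SIZE blocks."""
    return [image[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            for i in range(0, len(image), BLOCK_SIZE)]


def build_tree(blocks):
    """Build-time step: hash every block, then hash groups of FANOUT hashes
    until one group is left. Returns (levels, root); only root must be trusted."""
    levels = [[sha256(b) for b in blocks]]
    while len(levels[-1]) > FANOUT:
        below = levels[-1]
        levels.append([sha256(b"".join(below[i:i + FANOUT]))
                       for i in range(0, len(below), FANOUT)])
    return levels, sha256(b"".join(levels[-1]))


def read_verified(blocks, levels, index, trusted_root):
    """Read-time step: blocks and levels both come from untrusted storage."""
    digest = sha256(blocks[index])
    pos = index
    for depth, level in enumerate(levels):
        if level[pos] != digest:
            raise IntegrityError(f"hash mismatch at tree level {depth}")
        group = pos // FANOUT
        digest = sha256(b"".join(level[group * FANOUT:(group + 1) * FANOUT]))
        pos = group
    if digest != trusted_root:
        raise IntegrityError("hash tree does not lead to the trusted root")
    return blocks[index]


def status(blocks, levels, index, trusted_root):
    """Return 'ok' or the verification error for one block read."""
    try:
        read_verified(blocks, levels, index, trusted_root)
        return "ok"
    except IntegrityError as exc:
        return str(exc)


if __name__ == "__main__":
    blocks = split_blocks(make_image())
    levels, root = build_tree(blocks)          # root is the signed value
    print("clean read:", status(blocks, levels, 200, root))

    tampered = list(blocks)
    tampered[200] = b"\xff" * BLOCK_SIZE       # modified OS file contents
    print("block changed:", status(tampered, levels, 200, root))

    forged_levels, _ = build_tree(tampered)    # hash tree rewritten as well
    print("tree rewritten:", status(tampered, forged_levels, 200, root))
```

Rewriting the stored hashes along with the block still fails, because the recomputed top of the tree no longer equals the trusted root.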
















              6














              Chrome OS has some features that make it very difficult for a virus to run, to elevate privilege to root, or to survive a reboot (become persistent).




              • The Chrome Sandbox (pdf) limits what a process can do. All operations are sandboxed, apart from basic CPU and memory usage. This means the renderer, javascript process, PDF renderer, etc. are sandboxed, and will not be allowed to execute arbitrary syscalls, write to arbitrary files, do network io, etc. unless those calls are explicitly allowed.


              • Verified Boot (Firmware boot). The Chrome OS boot happens in several stages. The first stage is a boot flash ROM, which is protected from writing by a hardware switch on the motherboard (this protection can be disabled if you want to flash your own boot loader). The Chrome firmware is stored in two writeable slots, but the signature is verified by the first stage, so it can't be arbitrarily modified and still boot. The kernel and initramfs are stored as GPT volumes and are signed, so those can't be modified either. The actual OS filesystem uses Verity to sign every block, and the signature is checked when a block is loaded, so the file system can't be modified either.


              • Constant updates. Chrome OS uses an A/B OS install so that security updates can be shipped regularly and automatically, with failed updates being easily reverted.



              So, for a virus to run on the Chromebook, it would require a persistent compromise that chains something like:




              • an exploit to run native code (the virus)

              • a sandbox escape, to access the filesystem

              • a root exploit, in order to modify OS files

              • a "verified boot" exploit, targetting the firmware flash or filesystem, so that the modified OS files will be loaded on reboot

              • some way to spread to other Chromebooks (if we are talking about a traditional virus)


              Google offer a $100k bounty for anyone who reveals such a persistent compromise. There are only a couple of instances (1,2) where this has been claimed. The second of these required chaining together five CVE vulnerabilities. Not easy.






              share|improve this answer
























              • This is true if you take the "proper" definition of computer virus, but the OP was not likely using the "proper" definition of virus, but rather the common definition of virus which includes things like malware.

                – David Mulder
                Jan 23 at 7:55











              • Yes, it depends how you define "malware". Malware, as it is usually known on Windows, would still need an ability to run code, escape the sandbox, and modify the file system to become persistent. But if you define malware as something that happens purely in the browser, like a malicious Chrome extension, then every OS that allows Chrome to be run is vulnerable.

                – bain
                Jan 23 at 11:10














              6












              6








              6







              Chrome OS has some features that make it very difficult for a virus to run, to elevate privilege to root, or to survive a reboot (become persistent).

              • The Chrome Sandbox (pdf) limits what a process can do. All operations are sandboxed, apart from basic CPU and memory usage. This means the renderer, JavaScript process, PDF renderer, etc. are sandboxed, and will not be allowed to execute arbitrary syscalls, write to arbitrary files, do network I/O, etc. unless those calls are explicitly allowed.

              • Verified Boot (Firmware boot). The Chrome OS boot happens in several stages. The first stage is a boot flash ROM, which is protected from writing by a hardware switch on the motherboard (this protection can be disabled if you want to flash your own boot loader). The Chrome firmware is stored in two writeable slots, but the signature is verified by the first stage, so it can't be arbitrarily modified and still boot. The kernel and initramfs are stored as GPT volumes and are signed, so those can't be modified either. The actual OS filesystem uses Verity to sign every block, and the signature is checked when a block is loaded, so the file system can't be modified either.

              • Constant updates. Chrome OS uses an A/B OS install so that security updates can be shipped regularly and automatically, with failed updates being easily reverted.

              So, for a virus to run on the Chromebook, it would require a persistent compromise that chains something like:

              • an exploit to run native code (the virus)
              • a sandbox escape, to access the filesystem
              • a root exploit, in order to modify OS files
              • a "verified boot" exploit, targeting the firmware flash or filesystem, so that the modified OS files will be loaded on reboot
              • some way to spread to other Chromebooks (if we are talking about a traditional virus)

              Google offer a $100k bounty for anyone who reveals such a persistent compromise. There are only a couple of instances (1,2) where this has been claimed. The second of these required chaining together five CVE vulnerabilities. Not easy.
















              answered Jan 22 at 16:44









              bain













              • This is true if you take the "proper" definition of computer virus, but the OP was not likely using the "proper" definition of virus, but rather the common definition of virus which includes things like malware.

                – David Mulder
                Jan 23 at 7:55











              • Yes, it depends how you define "malware". Malware, as it is usually known on Windows, would still need an ability to run code, escape the sandbox, and modify the file system to become persistent. But if you define malware as something that happens purely in the browser, like a malicious Chrome extension, then every OS that allows Chrome to be run is vulnerable.

                – bain
                Jan 23 at 11:10
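The block-level check from the Verified Boot point in bain's answer above, as an added example that is not part of the original answer or of Chrome OS code. It is a simplified model of a dm-verity-style hash tree, in which every block read is verified up to a root hash that the signed boot chain is assumed to supply; the salt, image contents and function names are constructed for illustration, and this is not the on-disk dm-verity format.

```python
import hashlib
import hmac

BLOCK_SIZE = 4096              # data and hash block size used in this model
FANOUT = BLOCK_SIZE // 32      # SHA-256 digests that fit in one hash block


def _h(data: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + data).digest()


def _hash_block(digests) -> bytes:
    """Pack child digests into one zero-padded hash block."""
    return b"".join(digests).ljust(BLOCK_SIZE, b"\0")


def build_tree(image: bytes, salt: bytes):
    """Build the tree when the image is produced. Returns (levels, root_hash)."""
    if not image or len(image) % BLOCK_SIZE:
        raise ValueError("image must be a non-empty whole number of blocks")
    level = [_h(image[i:i + BLOCK_SIZE], salt)
             for i in range(0, len(image), BLOCK_SIZE)]
    levels = [level]
    while True:
        level = [_h(_hash_block(level[i:i + FANOUT]), salt)
                 for i in range(0, len(level), FANOUT)]
        levels.append(level)
        if len(level) == 1:
            return levels, level[0]


def verify_block(index: int, data: bytes, levels, trusted_root: bytes,
                 salt: bytes) -> bool:
    """Check one block at read time.

    `levels` is the stored tree and is treated as untrusted, because it sits
    on the same writable medium as the data. Only `trusted_root` is trusted.
    """
    if index < 0:
        return False
    digest = _h(data, salt)
    for level in levels[:-1]:
        if index >= len(level) or not hmac.compare_digest(level[index], digest):
            return False
        group = index // FANOUT
        digest = _h(_hash_block(level[group * FANOUT:(group + 1) * FANOUT]), salt)
        index = group
    return hmac.compare_digest(digest, trusted_root)


def block_at(image: bytes, index: int) -> bytes:
    return image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]


def demo() -> dict:
    salt = b"constructed-salt"
    # Constructed 300-block image; block i is filled with the byte i % 251.
    image = b"".join(bytes([i % 251]) * BLOCK_SIZE for i in range(300))
    levels, root = build_tree(image, salt)
    results = {"clean": verify_block(200, block_at(image, 200), levels, root, salt)}

    modified = b"\xff" * BLOCK_SIZE
    # Case 1: only the data block is changed on disk.
    results["data_only"] = verify_block(200, modified, levels, root, salt)
    # Case 2: the stored leaf hash is patched to match the changed block.
    patched = [list(level) for level in levels]
    patched[0][200] = _h(modified, salt)
    results["data_and_leaf"] = verify_block(200, modified, patched, root, salt)
    # Case 3: the whole stored tree is rebuilt for the changed image.
    tampered = image[:200 * BLOCK_SIZE] + modified + image[201 * BLOCK_SIZE:]
    rebuilt, _ = build_tree(tampered, salt)
    results["rebuilt_tree"] = verify_block(200, modified, rebuilt, root, salt)
    return results


if __name__ == "__main__":
    print(demo())
```

All three tampering cases fail because the comparison ends at the root hash held outside the writable file system, which is why the answer's chain needs a separate "verified boot" exploit before modified OS files can load.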






























              0














              Do Chromebooks have vulnerabilities?



              Yes.



              A brief search, at the time of writing this answer, on MITRE's CVE website by the "chromebook" keyword, results in 9 vulnerability reports, all dated 2011 or 2012. Specifically, these mention "Acer AC700, Samsung Series 5, and Cr-48". According to the article in Security Week by Eduard Kovacs:




              A researcher who uses the online moniker Gzob Qq informed Google on
              September 18 that he had identified a series of vulnerabilities that
              could lead to persistent code execution on Chrome OS, the operating
              system running on Chromebox and Chromebook devices.



              The exploit chain includes an out-of-bounds memory access flaw in the
              V8 JavaScript engine (CVE-2017-15401), a privilege escalation in
              PageState (CVE-2017-15402), a command injection flaw in the
              network_diag component (CVE-2017-15403), and symlink traversal issues
              in crash_reporter (CVE-2017-15404) and cryptohomed (CVE-2017-15405).




              So there's another set of CVE exploits dated 2017.



              Attack surface:



              Note that this does not take into account vulnerabilities in extensions from Google Store. Every additional extension may increase attack surface. An interesting example of an extension that violates user's privacy and puts machine into botnet service can be found in Trend Micro's article:




              This botnet was used to inject ads and cryptocurrency mining code into
              websites the victim would visit. We have dubbed this particular botnet
              Droidclub, after the name of one of the oldest command-and-control
              (C&C) domains used.



              In addition to the above features, Droidclub also abuses legitimate
              session replay libraries to violate the user’s privacy. These scripts
              are injected into every website the user visits. These libraries are
              meant to be used to replay a user’s visit to a website, so that the
              site owner can see what the user saw, and what he entered into the
              machine, among other things.




              Of course, physical access to devices is a significant factor - hardware itself could be compromised.



              Note that attack surface may increase if the Chromebook runs out of the support cycle, which currently is 5 years, according to PC World's article. While the article states there's no clarity on the situation, apparently Google does intend to provide security updates:




              There is, however, one more wrinkle to this story: Given that security
              is “one of the key tenets of Chrome OS,” Google says it’s “working
              with our partners to update our policies so that we’re able to extend
              security patches and updates beyond a device’s EOL date.”



              Google isn’t making any guarantees at this point, but it sounds like
              the company wants to extend updates—at least on the security
              side—beyond five years. It also sounds like device makers such as Acer
              and Samsung would be partially responsible for making that happen.




              Conclusion



              In short, yes, one can get exploits on Chrome OS. As mentioned in Mawg's answer, Chrome OS uses Linux Kernel, so Windows-specific exploits won't affect Chrome OS. Nonetheless, that doesn't decrease the attack surface if Linux Kernel exploits are of interest.
















                  answered Jan 23 at 2:22









                  Sergiy Kolodyazhnyy
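A way to review the extension attack surface raised in the answer above, as an added example that is not part of the original answer: it reads each extension's `manifest.json` and flags the ones able to inject scripts into every site the user visits, the capability the quoted Droidclub report describes. The sample manifests and extension names are constructed, and the risk tiers are an assumption made for illustration.

```python
import json

# Match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension observe or alter traffic and sessions.
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                  "scripting", "debugger", "proxy"}


def _strings(value):
    """Manifests are untrusted input; keep only entries of a list of strings."""
    return [v for v in value if isinstance(v, str)] if isinstance(value, list) else []


def audit_manifest(manifest: dict) -> dict:
    """Summarise how much of the user's browsing one extension can reach."""
    perms = _strings(manifest.get("permissions"))
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = set(perms) | set(_strings(manifest.get("host_permissions")))
    scripts = manifest.get("content_scripts")
    matches = set()
    for entry in scripts if isinstance(scripts, list) else []:
        if isinstance(entry, dict):
            matches |= set(_strings(entry.get("matches")))

    injects_everywhere = sorted(matches & BROAD_HOSTS)
    broad_hosts = sorted(hosts & BROAD_HOSTS)
    apis = sorted(set(perms) & SENSITIVE_APIS)

    # Assumed tiers: script injection on all sites, or all-site host access
    # combined with a sensitive API, is treated as the highest exposure.
    if injects_everywhere or (broad_hosts and apis):
        risk = "high"
    elif broad_hosts or apis:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "<unnamed>"), "risk": risk,
            "injects_everywhere": injects_everywhere,
            "broad_hosts": broad_hosts, "sensitive_apis": apis}


# Constructed manifests for illustration; none describes a real extension.
SAMPLE_MANIFESTS = [
    '{"manifest_version": 3, "name": "Constructed Notes",'
    ' "permissions": ["storage"],'
    ' "content_scripts": [{"matches": ["https://notes.example/*"], "js": ["notes.js"]}]}',
    '{"manifest_version": 2, "name": "Constructed Page Helper",'
    ' "permissions": ["webRequest", "webRequestBlocking", "*://*/*"],'
    ' "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}',
    '{"manifest_version": 3, "name": "Constructed Price Checker",'
    ' "permissions": ["storage"], "host_permissions": ["https://*/*"]}',
]


def audit_all(raw_manifests=SAMPLE_MANIFESTS):
    """Audit every manifest and list the most exposed extensions first."""
    reports = [audit_manifest(json.loads(raw)) for raw in raw_manifests]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(reports, key=lambda r: (order[r["risk"]], r["name"]))


if __name__ == "__main__":
    for report in audit_all():
        print(report["risk"], report["name"], report["injects_everywhere"],
              report["broad_hosts"], report["sensitive_apis"])
```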





























