Gallery

There'll never be a bulletproof OS

Posted on 30 Oct 2009 at 10:39

Davey Winder goes in search of the bulletproof operating system and discovers it doesn't exist

I have a vision of Google’s engineering director, Linus Upson, with a weird ginger Mr Whippy haircut bopping around singing “Chrome OS baby will be, Bulletproof” in a La Roux stylee. I can’t help it since he declared that Google was completely “redesigning the underlying security architecture of the OS”, so users “don’t have to deal with viruses, malware and security updates”.

Really? I don’t think so, because I don’t believe it’s actually possible for an operating system design to be bulletproof (and that includes Mac OS, says he flinching in anticipation). Ditto for web browsers, including Google’s own, what was it called, ah yes, Chrome…

At Secunia.com, home of application security advisories, you’ll discover no fewer than eight vulnerabilities leading to six advisories including: Google Chrome Cross-Site Scripting and Information Disclosure; Google Chrome URI Handler Registration Vulnerability; Google Chrome “ChromeHTML” URI Handler Vulnerability; Google Chrome Skia 2D Integer Overflow Vulnerabilities; Google Chrome WebKit SVGList Object Handling Memory Corruption; and the (unpatched at time of writing) Google Chrome WebKit Use-After-Free Vulnerability.

I’m not knocking Google for trying to make a more secure OS, but to say that it will in effect bring an end to malware and viruses is plain daft

I’m with well-respected security guru and chief security technology officer at BT, Bruce Schneier, who called it “an idiotic claim” and stated that it’s been mathematically proven to be impossible to create a virus-immune OS.

I’m not knocking Google for trying to make a more secure OS, and doubt that Schneier is either, and building from scratch with security in mind has to be a good thing, but to say that it will in effect bring an end to malware and viruses is plain daft. Actually, it goes beyond daft and asks for trouble, just begging the Bad Guys to prove the Do No Evil company wrong.

I’m guessing that someone will point out that Apple has been implying much the same for Mac OS, and it has yet to become riddled with security bullet holes.

Go to Apple's website and you’ll find it states that “Mac OS X is designed with security in mind. Its built-in defences help keep you safe from viruses and malware without the hassle of constant alerts and sweeps.”

Yet when you get past all the bold claims on the Apple Security page about how Mac OS protects you from the bad stuff, you eventually find this inevitable disclaimer under the title of Security Advice: “The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100% immune from every threat, antivirus software may offer additional protection.” Ah right, not bulletproof either then.