"While I applaud the impressive advances in security that are apparent in Chrome OS, to a certain extent we are seeing marketing history repeat itself," he said in a blog post.
Ferguson is alluding to the marketing hype around Mac OS that the operating system was immune to malware, which, he says, the majority of users continue to believe even after Apple incorporated rudimentary anti-virus software into the operating system. Apple also recently issued a security update to defend against scareware that has been targeting the Mac OS.
Chrome OS boasts that each process runs in its own sandbox, which developers claim means that if an application is malicious or compromised, then it is unable to interact with or otherwise affect other applications or processes on the system.
But Ferguson points out that exploits that break out of sandboxing have already been demonstrated for Internet Explorer, Java, Google Android and the Chrome browser. "While the Google sandbox is effective, it is not impenetrable and to rely on it for 100% security would be short-sighted," he said.
Malware is persistent
Another security feature of Chrome OS is that it will check the integrity and validity of system files every time it is started up, and if it detects any anomaly or unauthorized change, the system will revert to the known-good state to neutralize any suspect activity at every reboot.
Ferguson says this tactic is merely moving the goal posts for the bad guys. Chrome will make it more difficult for malware where the one of the primary goals is persistence, he says, but this will just shift the motivation.
"If I can infect you for one session and steal your keys, well then I'll get what I can while I'm in there and then continue accessing your stuff in the cloud, after all I've got your keys now, I don't need your PC any more. The beauty of that for criminals is that the victim may be even more unaware than they are now that they have been compromised," said Ferguson.
OS not enough to combat cybercrime
The Chrome OS security features do not stop there. They include automatic updating that is mandatory to stop the user from opting themselves out of security, limitations on desktop applications with most running inside the browser, and storage of data in an encrypted form in the cloud and not on the local drive.
But Ferguson points out that criminal activity extends far beyond file-based threats, and includes social engineering, phishing, social networks and e-mail-borne threats.
"The palette is continually expanding and the techniques are continually evolving, to assure your customers that they will not have to deal with online cybercrime simply by switching OS is foolish to say the least," he said.
This story was first published by Computer Weekly