Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Chrome OS Network Manager Sandboxed, Stripped of Root Privileges

The latest version of Google’s Chrome OS operating system brings some significant security improvements related to the Shill network manager, including a sandbox and fewer privileges.

The latest version of Google’s Chrome OS operating system brings some significant security improvements related to the Shill network manager, including a sandbox and fewer privileges.

Chrome OS 72 was released last week and Google informed customers that Shill has been placed in a sandbox and it no longer runs as the root user. Developers say these measures should help protect users against vulnerabilities and attacks such as the ones disclosed by a researcher back in December 2016.

The researcher showed that a series of flaws could have been exploited for arbitrary code execution in the web browser and to escalate privileges to root. The attack was partly possible due to the existence of an HTTP proxy built into Shill. The proxy was removed at the time by Chrome OS developers as part of a fix.

Developers now want to make sure that Shill cannot be abused for malicious purposes, which is why they have placed it in a sandbox and stripped it of its root privileges.

Blog posts announcing stable channel updates for Chrome OS typically only mention “security updates,” without providing any details.

Security improvements have only been summarized on a few occasions in the past year, including mitigations for the Spectre and Meltdown attacks, patches for the Foreshadow (L1TF) vulnerabilities, and an undisclosed use-after-free bug in the GPU that has been classified as “high severity.”

Related: Code Execution Flaw in SQLite Affects Chrome, Other Software

Related: Google Tightens Rules for Chrome Extensions

Advertisement. Scroll to continue reading.

Related: More Chrome OS Devices Receive Meltdown, Spectre Patches

Related: Latest Version of Chrome Improves Password Management, Patches 40 Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...