Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Chrome OS Network Manager Sandboxed, Stripped of Root Privileges

The latest version of Google’s Chrome OS operating system brings some significant security improvements related to the Shill network manager, including a sandbox and fewer privileges.

The latest version of Google’s Chrome OS operating system brings some significant security improvements related to the Shill network manager, including a sandbox and fewer privileges.

Chrome OS 72 was released last week and Google informed customers that Shill has been placed in a sandbox and it no longer runs as the root user. Developers say these measures should help protect users against vulnerabilities and attacks such as the ones disclosed by a researcher back in December 2016.

The researcher showed that a series of flaws could have been exploited for arbitrary code execution in the web browser and to escalate privileges to root. The attack was partly possible due to the existence of an HTTP proxy built into Shill. The proxy was removed at the time by Chrome OS developers as part of a fix.

Developers now want to make sure that Shill cannot be abused for malicious purposes, which is why they have placed it in a sandbox and stripped it of its root privileges.

Blog posts announcing stable channel updates for Chrome OS typically only mention “security updates,” without providing any details.

Security improvements have only been summarized on a few occasions in the past year, including mitigations for the Spectre and Meltdown attacks, patches for the Foreshadow (L1TF) vulnerabilities, and an undisclosed use-after-free bug in the GPU that has been classified as “high severity.”

Related: Code Execution Flaw in SQLite Affects Chrome, Other Software

Related: Google Tightens Rules for Chrome Extensions

Related: More Chrome OS Devices Receive Meltdown, Spectre Patches

Related: Latest Version of Chrome Improves Password Management, Patches 40 Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.