and ran with it, spreading more concern over Chrome OS and HTML5.
When you dive deeper into McAfee's threat predictions, there's no hard data or explanation behind the broad assertions they make:
"With the technological advances brought on by HTML 5, the web will undergo a dramatic upgrade that will change the way web application developers and hackers are able to interact with their “target market.” HTML 5 holds all the promises that today’s web community seeks—primarily blurring and removing the lines between a web application and a desktop application. HTML 5–based attacks will become even more tempting once the Google Chrome Operating System is released. (It’s scheduled for second half of 2010.) Google Chrome OS is intended for use with netbooks, and HTML5 enables not only a rich Internet experience, but also offline applications."
It's true that the Chrome OS will be geared towards web applications, so conceivably it might be more vulnerable to malware via the internet. However, many of the major browsers already support HTML5, meaning the threat is not just a Chrome OS problem. BusinessWeek's article makes HTML5 seem like a peripheral technology, and Chrome is the only thing mentioned in association with it: "The Web-based operating system, dubbed Chrome, relies on a technology known as HTML 5 that's designed to help Web applications behave like PC software." The McAfee document mentions the other browsers that use HTML5, but it uses the wide adoption of the spec as another reason for concern: "Another motivation for attackers is HTML 5’s anticipated cross-platform support, which will allow attackers to eventually reach users of many mainstream browsers." What could be the most alarming aspect to an internet layman is BusinessWeek's other statement: "The HTML 5 technology intended to power Google's forthcoming computer operating system can access a PC online or off." The sub-headline might lead someone to believe that with HTML5, their computer is now vulnerable at all times, which may not be the case.
McAfee might be referring to vulnerabilities in HTML5's client-side storage solution, but we can't really be sure without more explanation by them. An old white paper shows that there are some security issues surrounding the client-side storage in HTML5:
"First of all, due to the absence of the ability to set an expiration date, if a session storage object is saved on the user’s machine, not being deleted when necessary, and the user continues to surf on the Internet using the same window, that object will be recoverable many hours or even days after it has finished its usefulness… The freedom in global storage to set the domain name and access the storage data could cause an unwanted leak of data.
It’s quite obvious with the passage of time that the attack surface for web applications will grow. HTML 5 structured client-side storage is a powerful instrument for web developers, but introduces new relevant risks."
Some of the risks in the white paper were:
- Attack Automation: HTML5CSdump
- Cross-directory Attacks
- Cross-domain and Cross-port Attacks
- Client-side SQL Injection Attacks
- One Shot Attacks
Users reading McAfee's document and BusinessWeek's article might want to stay away from HTML5, but some might not realize that it's already here. There's a lot of motivation for browsers to implement more of the HTML5 spec as it evolves. Non-standard technologies like Flash Player can be just as vulnerable. The attack surface is growing for web applications in general, not just for Chrome OS.