Will Google's OS Make the Desktop Safe

"I have serious doubts about their claims simply because an operating system must execute code and malware is code," says Dave Marcus, director of security research and communications for McAfee Avert Labs.

Like the , Google Chrome OS will be based on an existing open-source project: Where the Chrome browser is based on the open-source Webkit project, the Chrome OS will be based on the open-source Linux kernel. It will be, Google says, a "lightweight" OS that will run on x86 or ARM processors and have a new windowing system. Furthermore, the Chrome OS will be positioned for use on netbooks, which are designed primarily for Internet use. The Android platform will remain Google's choice for mobile devices.

With its Chrome browser, Google did attempt to . It created a new JavaScript virtual machine, V8, arguing that JavaScript today does much more than enable online novelties. JavaScript now runs applications, such as those built by Google itself. Among the optimizations introduced in the V8 engine is a new way of interpreting JavaScript source code so that it runs as machine code within the CPU. Thanks to another optimization, V8 also knows where the JavaScript pointers are, eliminating the need for repeated searches. But while V8 optimized performance, the Chrome browser hasn't eliminated the JavaScript threat landscape.

"Malware takes on many forms, including JavaScript malware, which Google's Chrome is still vulnerable to," says Robert Hansen, CEO of SecTheory. At last summer's Black Hat USA security conference, Hansen and Tom Stracener of Cenzic presented a talk showing how they were able to exploit Google Gadgets; they even coined the phrase Gmalware (for Gmodules-based malware) to describe this new class of vulnerabilities.