Rob Pegoraro

Special for USA Today

Q. I’m getting a Chromebook. There’s no malware on that, right?

A. Google has earned the right to brag a little about the security built into its browser-based Chrome OS that runs on cheap, light and increasingly popular Chromebook laptops.

As the company explains in a tech-support note, Chrome OS closes off most traditional entry points for malware. You can’t install traditional programs at all, the browser and individual pages run locked inside “sandboxed” areas of memory, and at each reboot, a Chromebook verifies that its software hasn’t been tampered with and repairs it if necessary.

Chrome OS also downloads and installs its own security updates automatically. And since it stores your data online, even setting a Chromebook on fire should not jeopardize your info.

But all of those features don’t reduce the “attack surface” of Chromebooks to zero: An adversary can still exploit features of Chrome OS, and of your brain, for ill purposes. At a minimum, a hostile page can still try to lock up your browser and leave it stuck on a demand that you pay up. As a Google advisory notes, you can escape that by resetting the Chromebook, then restarting Chrome while declining its option to restore earlier open pages.

That kind of page hijacking can also present the user with a prompt to install a malicious third-party extension—a browser add-on that runs inside of Chrome.

“We are seeing more and more aggressive malicious advertising (malvertising) campaigns that trick or force users to install bogus extensions,” said Jérôme Segura, lead malware-intelligence analyst at the security firm Malwarebytes. Last year, he found one such extension had been downloaded over a thousand times before Google yanked it from the Chrome Web Store.

The newfound ability of Chrome OS to run Android apps—it’s confined to a few recent Chromebooks now, but this feature announced last summer should soon arrive on more models—adds an exceedingly low but non-zero possibility of infection. Android malware exists and can sweep across phones in vast quantities, but almost all of it arrives via third-party app stores, not Google’s Play Store. Still, some malicious apps do sneak in, just as they do on rare occasions in Apple’s iOS App Store.

Segura added that a Chromebook remains as vulnerable as any other computer to “man-in-the-middle” attacks, in which a hostile WiFi network (or a wireless router that’s been remotely hacked) can start spying on your Web traffic or redirecting it to other malicious sites. Using a virtual private network service to shield and encrypt your connection will stop that threat, although VPNs often cost extra.

Finally, phishing e-mails and other types of “social engineering” ploys that try to fool you into giving up a password or other valuable data don’t care what software you run. They only prey on your own mind. The best defense against them remains a healthy skepticism towards solicitations on the screen that you weren’t expecting. That, in turn, remains good advice for keeping any other computer secure.

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at rob@robpegoraro.com. Follow him on Twitter at twitter.com/robpegoraro.



