We’ve just published our latest Chrome OS and Ubuntu guidance. These are both substantial updates, so in this post I’ve picked out some of the main points and highlighted the most notable changes to our guidance for these two popular operating systems.
ChromeOS 65
For those of you who are new to Chrome OS, this is Google’s own operating system, based on the Chrome web browser. It’s used on Google Chrome based products, like Chromebooks and Chromeboxes.
If you use one of these devices, you may have seen our previous Chrome OS guidance. The very observant among you might even have noticed that we don’t update this guidance for every new Chrome release. This is purely down to the frequency of updates released. We only put out updates to our guidance for significant changes to the platform.
Some of the changes we’ve made for the current guidance are:
- We now recommend that firmware updates be done by the user.
- We draw attention to the risks associated with applications using the “WRITE_EXTERNAL_STORAGE” permission.
- We’ve added recommendations for additional device settings: Device Reporting, Anonymous Metric Reporting, and Bluetooth.
Currently, the TPM firmware update process is a little involved as it requires the user to ensure that all data stored on the device is suitably backed up before updating the firmware. This is necessary because the update procedure wipes the device. You can only restore your data once the update has been applied.
Since updating the firmware requires backing up all data on the device, it would be helpful for users to be able to perform the update themselves, rather than requiring the intervention of an administrator. Google is working to improve the process so that it does not require the device to be wiped. In the meantime, we still encourage allowing users to update their firmware, until the update mechanism is improved, being careful to back-up any local data beforehand.
Ubuntu 18.04
The big changes in our Ubuntu guidance focus on the installation of the OS. Here, we have removed the “install” script and instead used Ubuntu’s preseeding functionality along with an updated post-install script.
As well as this we’ve made smaller changes:
- Steps have been added to additionally secure the boot process using functionality introduced in the latest Ubuntu 18.04 LTS version.
- We’ve updated our recommended privacy settings, highlighting features that can be disabled to enhance the user’s privacy.
- Our VPN configuration has been updated to be more user friendly, by including an example configuration, and more detailed instructions.
We hope that preseeding, coupled with a post-install script will make installation much quicker and easier.
As with all our guidance, we really appreciate any feedback and/or questions you have, so please feel free to leave a comment below or email us directly.
Tom W
EUD Security Researcher
Source: National Cyber Security Centre
