Google's corporate network was hacked because its workers were running rival Microsoft's Internet Explorer browser, a point that didn't escape the notice of security researchers and Web users.
"More interesting than the IE zero-day, is why wasn't Google running Chrome?" asked Andrew Storms, director of security operations at nCircle Network Security, shortly after Microsoft issued a security advisory that told users of a critical, unpatched bug in Internet Explorer (IE).
Thursday, Microsoft acknowledged that the IE exploit had been used in the attacks against Google and other major corporations. "We have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks," said Mike Reavey, director of Microsoft's Security Response Center (MSRC).
In fact, the malware that Microsoft and others researchers have examined was designed to exploit IE6, the eight-year-old browser that's most often used with Windows XP.
Others, in addition to Storms, questioned why Google wasn't "eating its own dog food," the phrase used to describe software development companies running their own products, often in early editions long before they're made public. "I have to wonder, why the hell is Google using IE, and why IE6?" asked a Computerworld reader in a comment appended to a story on the IE bug. "In fact, why Windows-based servers? Eat your own dog food, Google."
"Actually, it's the norm within companies, especially technology companies, for employees to run multiple browsers," said John Pescatore, Gartner's primary analyst on security subjects, noting that Google's workers may have, say, Chrome and IE on their machines. "But it's almost impossible for IE not to start up at some point during the day."
Sheri McLeish, a Forrester analyst who covers browsers, wasn't surprised by the fact that Google workers run IE, even the aged IE6. "I don't have first-hand knowledge of why Google is using IE6, but what's under the hood at enterprises isn't always best practices," McLeish said. "There are likely business reasons why Google runs IE, because if they were easily able to upgrade [to IE8], they would."
Microsoft said, and independent researchers confirmed, that the exploits which struck Google would be largely deflected by IE7 and IE8, particularly the latter because it enables DEP (data execution prevention) by default.
"What these attacks point to is the fact that a lot of companies are running IE6," McLeish said. "Microsoft wants to kill IE6, a lot of companies want to kill it. But they can't."
As McLeish said, Microsoft has urged customers to upgrade from IE6 to newer editions of its browser. It kicked off a campaign last August when Microsoft's general manager for IE said, "Friends don't let friend use IE6." The efforts haven't been entirely successful. Last year, as users began switching to IE8, they were more likely to desert IE7 than the even older IE6. According to Web metrics company Net Applications, IE6 lost 38% of its usage share during 2009, but IE7 lost even more: It dropped by 56%.
Because of IE's dominance in enterprises -- one recent estimate is that IE runs on 80% of corporate computers -- it remains a prime target, and exploits that leverage its vulnerabilities make ideal vectors for attacks against businesses, Pescatore said.
The attacks that exploited IE's unpatched flaw first came to light Tuesday, when Google announced that Chinese attackers had made off with intellectual property from its corporate network, and also tried to access the Gmail accounts of Chinese human rights activists. Google said the attacks, along with increasing censorship of the Web by China's government, had prompted a reevaluation of its business in the country.
Researchers at McAfee said their investigation showed that the attacks began in mid-December 2009 and stopped Jan. 4, 2010, when the hackers' command-and-control servers were taken offline.
Google did not reply to a request for an explanation of why at least some of the company's workers use Microsoft's IE.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to firstname.lastname@example.org or subscribe to Gregg's RSS feed .