Google runs Microsoft's IE, attacks show
'Why wasn't Google running Chrome?' asks researcher
Computerworld - Google's corporate network was hacked because its workers were running rival Microsoft's Internet Explorer browser, a point that didn't escape the notice of security researchers and Web users.
"More interesting than the IE zero-day, is why wasn't Google running Chrome?" asked Andrew Storms, director of security operations at nCircle Network Security, shortly after Microsoft issued a security advisory that told users of a critical, unpatched bug in Internet Explorer (IE).
Thursday, Microsoft acknowledged that the IE exploit had been used in the attacks against Google and other major corporations. "We have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks," said Mike Reavey, director of Microsoft's Security Response Center (MSRC).
In fact, the malware that Microsoft and others researchers have examined was designed to exploit IE6, the eight-year-old browser that's most often used with Windows XP.
Others, in addition to Storms, questioned why Google wasn't "eating its own dog food," the phrase used to describe software development companies running their own products, often in early editions long before they're made public. "I have to wonder, why the hell is Google using IE, and why IE6?" asked a Computerworld reader in a comment appended to a story on the IE bug. "In fact, why Windows-based servers? Eat your own dog food, Google."
"Actually, it's the norm within companies, especially technology companies, for employees to run multiple browsers," said John Pescatore, Gartner's primary analyst on security subjects, noting that Google's workers may have, say, Chrome and IE on their machines. "But it's almost impossible for IE not to start up at some point during the day."
Sheri McLeish, a Forrester analyst who covers browsers, wasn't surprised by the fact that Google workers run IE, even the aged IE6. "I don't have first-hand knowledge of why Google is using IE6, but what's under the hood at enterprises isn't always best practices," McLeish said. "There are likely business reasons why Google runs IE, because if they were easily able to upgrade [to IE8], they would."
Microsoft said, and independent researchers confirmed, that the exploits which struck Google would be largely deflected by IE7 and IE8, particularly the latter because it enables DEP (data execution prevention) by default.
"What these attacks point to is the fact that a lot of companies are running IE6," McLeish said. "Microsoft wants to kill IE6, a lot of companies want to kill it. But they can't."
As McLeish said, Microsoft has urged customers to upgrade from IE6 to newer editions of its browser. It kicked off a campaign last August when Microsoft's general manager for IE said, "Friends don't let friend use IE6." The efforts haven't been entirely successful. Last year, as users began switching to IE8, they were more likely to desert IE7 than the even older IE6. According to Web metrics company Net Applications, IE6 lost 38% of its usage share during 2009, but IE7 lost even more: It dropped by 56%.
Because of IE's dominance in enterprises -- one recent estimate is that IE runs on 80% of corporate computers -- it remains a prime target, and exploits that leverage its vulnerabilities make ideal vectors for attacks against businesses, Pescatore said.
The attacks that exploited IE's unpatched flaw first came to light Tuesday, when Google announced that Chinese attackers had made off with intellectual property from its corporate network, and also tried to access the Gmail accounts of Chinese human rights activists. Google said the attacks, along with increasing censorship of the Web by China's government, had prompted a reevaluation of its business in the country.
Researchers at McAfee said their investigation showed that the attacks began in mid-December 2009 and stopped Jan. 4, 2010, when the hackers' command-and-control servers were taken offline.
Google did not reply to a request for an explanation of why at least some of the company's workers use Microsoft's IE.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to firstname.lastname@example.org or subscribe to Gregg's RSS feed .
Web giants attacked
- White House orders security review in wake of WikiLeaks disclosure
- Leaked U.S. document links China to Google attack
- Update: Researchers track cyber-espionage ring to China
- Google, China now playing cat and mouse?
- McAfee: 'Amateur' malware not used in Google attacks
- Military warns of 'increasingly active' cyber-threat from China
- China: Google 'totally wrong' to stop censoring
- Update: Google stops censoring in China
- Google's China ad partners wait in 'incomparable pain'
- Google may soon leave China, reports say
Read more about Networking in Computerworld's Networking Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- The Critical Role of Support in Your Enterprise Mobility Management Strategy Most business leaders underestimate the importance of tech support when they choose an EMM solution. Here's what to put on your checklist.
- Separating Work and Personal at the Platform Level: How BlackBerry Balance Works BlackBerry® Balance™ separates work from personal on the same mobile device, right at a platform level. Find out how it can work for...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...
- Containerization Options: How to Choose the Best DLP Solution for Your Organization This webcast outlines a framework for making the right choice when it comes to containerization approaches, along with the pros and cons of... All Networking White Papers | Webcasts