Security Watch

Google, Microsoft Start Brawl on Security Issues

Google leg sweeps at Microsoft's OS. Plus: Adobe eyes a monthly patch cycle; Facebook privacy still big issue; Microsoft security bigwig pens security guide.

Here's something hot off the press from the "big surprise desk": Google is blaming Microsoft products for a security breakdown.

For the first time in public, Google is placing blame on Windows for a large hack job in January, which gained international attention. This is according to the Financial Times. The FT piece insinuates that Google is now taking steps to replace Windows as the company's operating system on internal PCs.

On its face, Google's move appears to be one large tech rival scapegoating another. As Google makes obvious attempts to push its own Chrome browser as an OS of record for Web-based apps in the cloud era, it will want to tout the security of its products, and placing blame on Microsoft is an easy component of that marketing.

It's shrewd timing, as Google would seem to have a case for switching to its own internally developed operating system. January's attack, as I reported at the time, happened because hackers used an Internet Explorer bug to launch it.

Even Microsoft admitted that the exploit was pervasive on IE 6 Service Pack 1 sitting on Windows 2000 SP4. The flaw was also said to exist, if nominally, in IE 6, IE 7 and IE 8 on supported editions of XP, Vista and Windows 7, plus Windows Server 2003, 2008 and 2008 R2.

Microsoft has since issued two cumulative IE patches. One security expert told me Tuesday afternoon that the jab at Redmond was a bit premature and unfair and that the attacks have more to do with access controls than Windows flaws.

"Microsoft has acted very quickly to patch these vulnerabilities upon discovery, but the fact remains that companies are left vulnerable for days and weeks while patches are developed," said Steve Kelley, an executive vice president at BeyondTrust. "As our recent analysis of Microsoft vulnerabilities notes, the vast majority -- including Internet Explorer vulnerabilities -- are easily mitigated by organizations that remove administrator rights from desktop users."

It will be interesting to see whether or not Google's assertions in the long run prove to be more strategic than based on security concerns.

Adobe Patch Cycle May Go Monthly

Adobe is increasingly considered the most vulnerable third-party application on Windows stacks worldwide, and that means a quarterly patch cycle is proving not to be frequent enough.

I previously reported that Adobe has in recent months begun to piggy-back Microsoft's monthly patch cycle, coming out on the same Tuesday as Redmond every 90 days.

Well, now Redmond may have a new monthly third-party patch peer.

A post late last week from security blog "The H" quotes Brad Arkin, Adobe's Director of Product Security and Privacy, as saying a monthly rollout schedule is one of the things Adobe is considering in its security evolution.

The more telling part of what Arkin said confirms something I reported in March: the idea of Adobe and Microsoft collaborating on updates.

To wit, Arkin now says that by the end of 2010, Adobe updates should be "distributed via Microsoft's System Center Updates Publisher." If this is true, Windows IT pros who have Adobe products in their stack would be able to integrate the third-party products a little more easily if they use System Center Configuration Manager and System Center Essentials. Such a process would help streamline patch management and also use up less network bandwidth and fewer man-hours.

Facebook Remains Privacy Target

There's lots of irony in a social networking site being benevolent about giving privacy back to willing participants, some of whom post their latitude, longitude and shoe size in real time several times a day. Even though security critics have heaped praise on the social media stalwart for making so-called concessions, even irony won't keep the hackers away.

Roger Thompson, chief technology officer at antivirus vendor AVG Technologies, among others, says spoofing, bait-and-switch hacks and the appearance of malicious links will all continue on Facebook.

Microsoft MVP Releases Security Guide

Microsoft MVP Marc Liron believes "owning a Windows computer in 2010 comes with a responsibility to be aware of the risks and potential security threats that lurk online." Windows and IE already have many security tools built in. Even so, Liron says there isn't really a centralized place for those who are tech savvy but not security administrators to find out how to use the features and fine-tune them to an individual processing environment.

Thus, Liron's guide, which covers security tools in Windows XP, Vista and Windows 7 PCs -- ideal for beginners and experienced users, Liron says.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
