Security Spats Highlight Google And Microsoft Cold War

Microsoft and Google’s recent interactions have analysts questioning whether the two companies are engaged in indirect battle, using issues such as security and operating systems to launch broadsides at each other.

On 1 June, news leaked that Google was reportedly trying to transition its employees away from Windows-based systems because of security issues, following a January security breach that took advantage of an Internet Explorer vulnerability to steal some of Google’s intellectual property.

Google itself declined to confirm those reports, but Microsoft seemed anxious to counter reports that its flagship Windows platform was excessively vulnerable. “There’s been some coverage overnight about the security of Windows and whether or not one particular company is reducing its use of Windows,” Brandon LeBlanc, a spokesperson for Microsoft, wrote on 1 June on the official Windows blog. “When it comes to security, even hackers admit we’re doing a better job of making our products more secure than anyone else. And it’s not just the hackers; third-parties and industry leaders like Cisco tell us regularly that our focus and investment [continue] to surpass others.”

Google’s Windows Ban

But speculation quickly arose that Google’s alleged Windows ban was not, in fact, out of security concerns, and instead enacted to clear the way internally for its cloud-based Chrome OS. “I have to wonder how much of this is due to competitive drivers versus genuine desire to secure Google,” IDC analyst Al Hilwa told eWEEK. “After all, Google has operating systems, browsers, tools and productivity software that [are] head-to-head competitive with Microsoft, and so this may make sense for them.”

Barely had the issue died down, however, before another Windows-security-related one popped up, with Microsoft forced to issue a 10 June security advisory after Google engineer Tavis Ormandy uncovered a vulnerability affecting the Windows Help and Support Center function of both Windows XP and Windows Server 2003. Other Windows editions were apparently not affected by the bug.

“Launching the Help and Support Center via an hcp:// link is normally safe and is a supported way to launch help content,” reads a June 10 post on Microsoft’s Research & Defense blog. “This is due in part to an ‘allow list’ of safe pages that Help and Support Center checks before navigating to a passed-in page. The Google security researcher found a help page with a cross-site scripting vulnerability and also a mechanism by which to abuse the allow list functionality to access that page with an exploit query-string. Clicking on a malicious hcp:// link leverages the XSS vulnerability to circumvent helpctr.exe’s safety controls and ultimately run an arbitrary .exe installed on the machine.”

Ormandy reported that he informed Microsoft of the bug on 5 June. Nonetheless, he caught his share of flak from IT security professionals concerned that Ormandy’s decision to publish proof-of-concept attack code could ultimately be used to exploit the vulnerability.

“[Ormandy] used the same process on another bug he discovered earlier this year,” said Andrew Storms, director of security operations at nCircle. “You have to wonder if he is adding fuel to the very public fire between Microsoft and Google by continuing to draw negative attention to Microsoft’s security process.”

Research On Own Time

Google reportedly insists that Ormandy was acting independently, conducting research into the issue on his own time.

Microsoft is apparently working on a security update that will address the issue. “It is important to note that customers running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 are not vulnerable to this issue or at risk of attack,” a Microsoft spokesperson, looking on the bright side, wrote in a 10 June e-mail to eWEEK. “We are not currently aware of any successful exploits of this activity.”

However, the spokesperson added, “Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely.” As such, “customers running Windows XP and Windows Server 2003 are encouraged to review and apply the mitigation and workarounds discussed in Microsoft’s Security Advisory.”

Given the increased competition between Microsoft and Google—which extends not only to their respective search engines, but also to smartphone operating systems—you can see why some observers would interpret these incidents as part of a larger campaign. But whatever their underlying motives or actions, both Microsoft and Google seem to anticipate a long battle for market share in their shared tech segments.