Security Spats Highlight Google And Microsoft Cold War

Microsoft and Google’s recent interactions have analysts questioning whether the two companies are engaged in an indirect battle, using issues such as security and operating systems to launch broadsides at each other.

On 1 June, news leaked that Google was reportedly trying to transition its employees away from Windows-based systems because of security issues, following a January security breach that took advantage of an Internet Explorer vulnerability to steal some of Google’s intellectual property.

Google itself declined to confirm those reports, but Microsoft seemed anxious to counter reports that its flagship Windows platform was excessively vulnerable. “There’s been some coverage overnight about the security of Windows and whether or not one particular company is reducing its use of Windows,” Brandon LeBlanc, a spokesperson for Microsoft, wrote on 1 June on the official Windows blog. “When it comes to security, even hackers admit we’re doing a better job of making our products more secure than anyone else. And it’s not just the hackers; third-parties and industry leaders like Cisco tell us regularly that our focus and investment [continue] to surpass others.”

Google’s Windows Ban

But speculation quickly arose that Google’s alleged Windows ban was not, in fact, motivated by security concerns, but was instead enacted to clear the way internally for its cloud-based Chrome OS. “I have to wonder how much of this is due to competitive drivers versus genuine desire to secure Google,” IDC analyst Al Hilwa told eWEEK. “After all, Google has operating systems, browsers, tools and productivity software that [are] head-to-head competitive with Microsoft, and so this may make sense for them.”

Barely had the issue died down, however, before another Windows-security-related one popped up, with Microsoft forced to issue a 10 June security advisory after Google engineer Tavis Ormandy uncovered a vulnerability affecting the Windows Help and Support Center function of both Windows XP and Windows Server 2003. Other Windows editions were apparently not affected by the bug.

“Launching the Help and Support Center via an hcp:// link is normally safe and is a supported way to launch help content,” reads a 10 June post on Microsoft’s Research & Defense blog. “This is due in part to an ‘allow list’ of safe pages that Help and Support Center checks before navigating to a passed-in page. The Google security researcher found a help page with a cross-site scripting vulnerability and also a mechanism by which to abuse the allow list functionality to access that page with an exploit query-string. Clicking on a malicious hcp:// link leverages the XSS vulnerability to circumvent helpctr.exe’s safety controls and ultimately run an arbitrary .exe installed on the machine.”

Ormandy reported that he informed Microsoft of the bug on 5 June. Nonetheless, he caught his share of flak from IT security professionals concerned that the proof-of-concept attack code he decided to publish could ultimately be used to exploit the vulnerability.

“[Ormandy] used the same process on another bug he discovered earlier this year,” said Andrew Storms, director of security operations at nCircle. “You have to wonder if he is adding fuel to the very public fire between Microsoft and Google by continuing to draw negative attention to Microsoft’s security process.”

Research On Own Time

Google reportedly insists that Ormandy was acting independently, conducting research into the issue on his own time.

Microsoft is apparently working on a security update that will address the issue. “It is important to note that customers running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 are not vulnerable to this issue or at risk of attack,” a Microsoft spokesperson, looking on the bright side, wrote in a 10 June e-mail to eWEEK. “We are not currently aware of any successful exploits of this activity.”

However, the spokesperson added, “Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely.” As such, “customers running Windows XP and Windows Server 2003 are encouraged to review and apply the mitigation and workarounds discussed in Microsoft’s Security Advisory.”

Given the increased competition between Microsoft and Google—which extends not only to their respective search engines, but also to smartphone operating systems—you can see why some observers would interpret these incidents as part of a larger campaign. But whatever their underlying motives or actions, both Microsoft and Google seem to anticipate a long battle for market share in their shared tech segments.

Nicholas Kolakowski eWEEK USA 2013. Ziff Davis Enterprise Inc. All Rights Reserved.
