The Google Breach, or How Running Their Archrivals' Software Cost Them

Posted on January 14, 2010

Update: McAfee's investigation points to an IE zero day (quoted below). This finding makes my point for me.

In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer. We informed Microsoft about this vulnerability and Microsoft is expected to publish an advisory on the matter soon.

While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.

I’m intentionally keeping my commentary on this issue brief (there is already enough).

The attack vector against the Google corporate network was initially reported as an email carrying a malicious PDF attachment that dropped a backdoor; i.e. the exploit relies on a security vulnerability in a local installation of Adobe Reader.

Google is a web services company. And they regularly remind us that they "eat their own dog food" by relying on those same services to run their business.

Google's vision is a world running ChromeOS, a thin OS with just enough capabilities to plug into, and interact with, Google services.

Google's arch-enemy, Microsoft, is about software (and now software + services). With a historical stranglehold on the endpoint, it's hard to do business without running Microsoft software on at least some endpoints.

Google must be running Adobe Reader on something. I suspect – but I don’t know – that this is Windows.

How ironic is it that internal use of their rivals' thick-client desktop software (as the underlying platform) and third-party software, the very antithesis of the Google philosophy, was the key enabler in the breach?

(yes, web services and browsers introduce their own security issues)

At the time of writing there's no suggestion that Microsoft software was at fault; early reports put the blame on Adobe (McAfee's later finding, quoted in the update above, points at Internet Explorer instead). Either way, "sophisticated" post-exploitation pivoting and data exfiltration software doesn't just drop out of thin air. Nor does the implementation of stealth features. This stuff takes time to develop and embed. Sure, post-exploitation code exists for other platforms, but APT consistently targets Windows-based Corporate America. What was it Dr Geer (et al) warned us of? The cost of a software monoculture.

If you were Google, what software would you mandate for employee endpoints now?