Per an article in the Financial Times, Google is no longer deploying user systems running a Microsoft operating system without very high-level clearance. The statement (seemingly not from an official spokesperson) is that they are tightening security after the recent Aurora incident.
Let me make just a few observations:
- The IE vulnerability was exploited as a zero-day. If Google were to drop any browser vendor that has been subject to a zero-day, I would assume they won't be using Chrome either?
- Sure, the vulnerability was in IE, but it affected IE 6, 7, and 8. From all accounts Google was running IE 6 (at least that's what the exploit write-ups tell us). That detail matters: IE 8 ships with DEP enabled by default and, on Vista and Windows 7, runs in Protected Mode, both of which raise the bar for this class of exploit. Any reason Google wasn't on a more current browser?
- A key piece of the exploit being possible was the social engineering aspect. Is Google replacing the employees who were "fooled" by these social engineering attempts with ones who are "more secure"?
- Better handling of user and admin rights. Since the payload runs with the rights of whoever is running IE, a non-privileged account would have contained it: the code still executes, but it cannot install system-level persistence or reach beyond that user's own credentials and files. Sure, this is easily done on OS X or Linux, but it's also possible on Windows. This is an issue of proper system management, not the OS itself. Has Google changed this?
- Monitor internal DNS queries. A great deal of command-and-control malware calls out to dynamic DNS hosts. Well-configured clients should not be resolving dynamic DNS names at all. Those requests should be aggregated and logged by the local DNS resolver; assuming you are actually reviewing those logs, that offers a lot more visibility. Google?
- Audit VPN users and configuration changes. The last step, once admin accounts were compromised, was to add a VPN user so the attackers had easy access into the network. A more robust account administration process with automated checks/controls and an audit trail would have brought the issue to light more quickly. Google, what process changes have happened there?
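As an added illustration of the DNS-monitoring point above (this is example code written for this post, not anything Google or the Financial Times published), here is a small script that reads BIND-style query log lines from an internal resolver and flags clients that look up names under dynamic DNS zones. The log format, the list of dynamic DNS zones, and the sample lines are all constructed assumptions for the example; a real deployment would feed it the resolver's actual query log and a curated zone list.

```python
"""Flag internal DNS queries for dynamic-DNS hosts (added example, not from the post)."""
import re
from collections import defaultdict

# Assumed BIND-style query log format (an assumption for this example):
#   <date> <time> client <ip>#<port>: query: <name> IN <qtype> <flags> (<server>)
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Hand-picked dynamic-DNS zones for illustration (an assumption, not a complete list).
DYNAMIC_DNS_ZONES = ("dyndns.org", "homeunix.org", "no-ip.org", "no-ip.com", "3322.org")

# Constructed sample log lines, not real traffic: two hosts, some benign
# lookups, a few dynamic-DNS lookups, and one look-alike that must NOT match.
SAMPLE_LOG = """\
15-Jan-2010 09:12:01.123 client 10.1.4.22#51432: query: www.example.com IN A + (10.1.0.5)
15-Jan-2010 09:12:03.456 client 10.1.4.22#51433: query: update.corp.example.net IN A + (10.1.0.5)
15-Jan-2010 09:12:07.789 client 10.1.4.22#51434: query: svc.homeunix.org IN A + (10.1.0.5)
15-Jan-2010 09:13:10.001 client 10.1.4.22#51435: query: cdn.dyndns.org IN A + (10.1.0.5)
15-Jan-2010 09:14:22.002 client 10.1.9.8#44102: query: mail.example.com IN MX + (10.1.0.5)
15-Jan-2010 09:15:30.003 client 10.1.9.8#44103: query: relay.no-ip.org IN A + (10.1.0.5)
15-Jan-2010 09:16:00.004 client 10.1.9.8#44104: query: www.mydyndns.org IN A + (10.1.0.5)
"""


def parse_query_log(text):
    """Return a list of (client_ip, queried_name, qtype) for each parseable line."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append((m.group("ip"), m.group("name"), m.group("qtype")))
    return records


def is_dynamic_dns(name, zones=DYNAMIC_DNS_ZONES):
    """True if name is exactly a dynamic-DNS zone or a label beneath one.

    Matching on label boundaries avoids false positives such as
    'www.mydyndns.org', which merely ends with the string 'dyndns.org'.
    """
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in zones)


def flag_dynamic_dns_queries(text, zones=DYNAMIC_DNS_ZONES):
    """Return {client_ip: [names]} for every query of a dynamic-DNS name."""
    hits = defaultdict(list)
    for ip, name, _qtype in parse_query_log(text):
        if is_dynamic_dns(name, zones):
            hits[ip].append(name)
    return dict(hits)


def clients_over_threshold(hits, minimum):
    """Client IPs with at least `minimum` flagged queries, most active first."""
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [ip for ip, names in ranked if len(names) >= minimum]


if __name__ == "__main__":
    flagged = flag_dynamic_dns_queries(SAMPLE_LOG)
    for ip, names in sorted(flagged.items()):
        print(f"{ip}: {len(names)} dynamic-DNS lookup(s): {', '.join(names)}")
    print("review first:", clients_over_threshold(flagged, 2))
```

The zone match is done on label boundaries on purpose: a naive `endswith("dyndns.org")` would also flag a legitimate internal name that happens to end in those characters. The threshold helper is where you would tune noise in practice; one stray lookup is a question, a client hitting several dynamic DNS names in a few minutes is a ticket.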
Sure, Microsoft has a name for being not-so-secure. However, it seems that Google may be using this to push the move to its new operating system and give themselves an excuse to do so. If they were concerned about improving their security posture, there would be a lot of process changes internally (and I'm quite certain there are), but let's not try to focus the blame on Microsoft here.