Microsoft Security Woes Suggest More Google Conflict

Microsoft's newly announced Windows XP vulnerability was first reported by a Google researcher, potentially stoking more behind-the-scenes conflict between the two companies. Earlier in June, reports leaked that Google had begun transitioning its employees off Windows, apparently because of security concerns. Some analysts are questioning how these public security revelations will affect the two companies' competitive stance, and whether Microsoft will be hurt in the longer term.

Microsoft and Google's recent interactions have analysts questioning whether the two companies are engaged in indirect battle, using issues such as security and operating systems to launch broadsides at each other.

On June 1, news leaked that Google was reportedly trying to transition its employees away from Windows-based systems because of security issues, following a January security breach that took advantage of an Internet Explorer vulnerability to steal some of Google's intellectual property.

Google itself declined to confirm those reports, but Microsoft seemed anxious to counter reports that its flagship Windows platform was excessively vulnerable.

"There's been some coverage overnight about the security of Windows and whether or not one particular company is reducing its use of Windows," Brandon LeBlanc, a spokesperson for Microsoft, wrote June 1 on the official Windows blog. "When it comes to security, even hackers admit we're doing a better job of making our products more secure than anyone else. And it's not just the hackers; third-party influentials and industry leaders like Cisco tell us regularly that our focus and investment [continue] to surpass others."

But speculation quickly arose that Google's alleged Windows ban was not, in fact, motivated by security concerns, and was instead enacted to clear the way internally for its cloud-based Chrome OS.

"I have to wonder how much of this is due to competitive drivers versus genuine desire to secure Google," IDC analyst Al Hilwa told eWEEK. "After all, Google has operating systems, browsers, tools and productivity software that [are] head-to-head competitive with Microsoft, and so this may make sense for them."

Barely had the issue died down, however, before another Windows-security-related one popped up, with Microsoft forced to issue a June 10 security advisory after Google engineer Tavis Ormandy uncovered a vulnerability affecting the Windows Help and Support Center function of both Windows XP and Windows Server 2003. Other Windows editions were apparently not affected by the bug.

"Launching the Help and Support Center via an hcp:// link is normally safe and is a supported way to launch help content," reads a June 10 post on Microsoft's Research & Defense blog. "This is due in part to an 'allow list' of safe pages that Help and Support Center checks before navigating to a passed-in page. The Google security researcher found a help page with a cross-site scripting vulnerability and also a mechanism by which to abuse the allow list functionality to access that page with an exploit querystring. Clicking on a malicious hcp:// link leverages the XSS vulnerability to circumvent helpctr.exe's safety controls and ultimately run an arbitrary .exe installed on the machine."

Ormandy reported that he informed Microsoft of the bug June 5. Nonetheless, he caught his share of flak from IT security professionals concerned that the proof-of-concept attack code he published could be used to exploit the vulnerability before a patch was available.

"[Ormandy] used the same process on another bug he discovered earlier this year," said Andrew Storms, director of security operations at nCircle. "You have to wonder if he is adding fuel to the very public fire between Microsoft and Google by continuing to draw negative attention to Microsoft's security process."

Google reportedly insists that Ormandy was acting independently, conducting research into the issue on his own time.

Microsoft is apparently working on a security update that will address the issue. "It is important to note that customers running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 are not vulnerable to this issue or at risk of attack," a Microsoft spokesperson, looking on the bright side, wrote in a June 10 e-mail to eWEEK. "We are not currently aware of any successful exploits of this activity."

However, the spokesperson added, "Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely." As such, "customers running Windows XP and Windows Server 2003 are encouraged to review and apply the mitigations and workarounds discussed in Microsoft's Security Advisory."
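As an added example that is not part of the original article, of Microsoft's advisory, or of Ormandy's research: a PowerShell script that audits whether the hcp:// protocol handler described in the Research & Defense post above is still registered on a Windows XP or Server 2003 host, and optionally applies the advisory's "unregister the HCP protocol" workaround by deleting the HKEY_CLASSES_ROOT\HCP key after exporting a backup. The registry key path, the parameter names and the backup location are assumptions of this example; confirm them against the advisory text before rolling it out. Windows Vista and later are deliberately left untouched, since the article states they are not affected.

```powershell
# Added example, not code from the article, Microsoft or the researcher.
# Audits the hcp:// protocol handler and optionally applies the "unregister HCP" workaround.
# Assumptions: run as Administrator on Windows XP / Server 2003 with PowerShell installed;
# HKEY_CLASSES_ROOT\HCP is the key that registers the hcp:// handler (assumed here).
param(
    [switch]$Unregister,                                # apply the workaround; default is audit only
    [string]$BackupPath = "$env:TEMP\HCP-backup.reg"    # reg.exe export written before deletion (assumed path)
)

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'

function Test-HcpVulnerableVersion {
    # Per the article only XP and Server 2003 are affected, so refuse to change anything else.
    $os = (Get-WmiObject Win32_OperatingSystem).Caption
    return ($os -match 'Windows XP' -or $os -match 'Server 2003')
}

function Get-HcpHandlerState {
    # Returns the handler's default command line, '' if the key exists without one,
    # or $null when hcp:// is not registered at all (workaround already applied).
    if (-not (Test-Path $hcpKey)) { return $null }
    $cmd = Get-ItemProperty -Path "$hcpKey\shell\open\command" -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.'(default)' } else { return '' }
}

$state = Get-HcpHandlerState
if ($null -eq $state) {
    Write-Host 'hcp:// handler is not registered; the workaround is already applied (or the key was never present).'
    exit 0
}
Write-Host "hcp:// is registered; handler command: $state"

if (-not $Unregister) {
    Write-Host 'Audit only. Re-run with -Unregister to delete HKEY_CLASSES_ROOT\HCP (a .reg backup is written first).'
    exit 0
}
if (-not (Test-HcpVulnerableVersion)) {
    Write-Warning 'This host is not Windows XP / Server 2003; the article states later versions are not affected. No change made.'
    exit 0
}

# Export the key before deleting it so the handler can be restored with "reg import" once the patch ships.
if (Test-Path $BackupPath) { Remove-Item -Path $BackupPath -Force }
& reg.exe export 'HKCR\HCP' $BackupPath | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
    throw "reg.exe export failed; refusing to delete $hcpKey without a backup"
}

Remove-Item -Path $hcpKey -Recurse -Force
Write-Host "HKEY_CLASSES_ROOT\HCP removed; backup at $BackupPath."
Write-Host 'Legitimate hcp:// links (for example from Control Panel) will not work until the key is restored.'
```

Run it once without switches to inventory hosts, then with -Unregister on the XP and Server 2003 machines that cannot be patched immediately. The workaround breaks every local hcp:// link, not just malicious ones, so keep the exported .reg file and import it again after the security update is installed.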

Given the increased competition between Microsoft and Google, which extends not only to their respective search engines but also to smartphone operating systems, you can see why some observers would interpret these incidents as part of a larger campaign. But whatever their underlying motives or actions, both Microsoft and Google seem to anticipate a long battle for market share in their shared tech segments.