Bloggers fixate on Google security moves
Posted by: Leigha
It was only a few weeks ago that I wrote about the buzz over Google’s security endeavors. But with Google announcing its acquisition of security vendor Postini, another column about the search giant is in order because the blogosphere is totally fixated on the subject.
Since so many people have become so utterly dependent on Google’s vast array of search tools, I see a lot of relief among bloggers that the company has security on its radar screen.
“Congrats to the folks at Google for acquiring another great company,” Brad Feld, managing director at Foundry Group and Mobius Venture Capital, wrote in his Feld Thoughts blog. “Now Google will really engage in the mission of eliminating the evilness of spam from the universe.”
Tech blogger Richard MacManus wrote that the Postini acquisition marks a defining moment for Google.
“This Postini acquisition, more than any other previous development or acquisition, marks Google’s entry into Web Office for enterprises (of course we already knew they were competing with Microsoft in office software, but now there’s no denying it),” he wrote.
He pointed to a telling quote from Rajen Sheth, product manager for Google Apps, in the Official Google Enterprise Blog: “Larger organizations are frequently forced to choose between taking advantage of the latest innovations that will make employees more productive and ensuring security and corporate compliance.” MacManus says the implication is that enterprises have been reluctant to use Google Applications due to security and compliance worries, preferring the “more robust, desktop-based solutions offered by the likes of Microsoft and IBM.” He suggests this move to bolster security will give the big IT vendors a run for their money.
I too am encouraged to see Google taking security seriously. But Google enthusiasts shouldn’t forget that there are still plenty of ways for the bad guys to exploit all these handy tools for their own sinister purposes.
I wrote a story a couple months ago about the threat of Google hacking and the need for IT security pros to keep an eye on Google to make sure their proprietary information isn’t leaking into the public domain, though not everyone agreed that it’s a serious threat. There are ways for sensitive information to be released accidentally, and Google is an easy place for the bad guys to fish for it. It’s just one more thing for IT shops to keep an eye on.
Alex Eckelberry, president of Clearwater, Fla.-based security vendor Sunbelt Software, offered some examples of how to use Google to counterattack the bad stuff in the Sunbelt blog this week:
“As we’ve blogged about before, there are quite a few .edu sites that have been hacked to serve spyware or porn. And it’s pretty easy to find: Just use Google. For example, the search term “f—-d hardcore site:edu” (I’ve removed the offensive language) brings back over 100,000 search results. Many have hardcore porn in them. Many have already been cleaned. And many, of course, are legitimate university Web pages.”
After showing a long list of some of the seedier search results he found, Eckelberry wrote, “There you have it: Google as a poor-man’s security scanner, which an IT administrator might use to see what might be missed in his/her own network — simply by regularly doing Google searches on their site with a few keywords.”
Like most of the computing tools we take for granted, Google is going to be used as a tool for both good and evil.
Debate continues over IE-Firefox zero-day
I wrote earlier this week about some disagreement in the security community regarding a zero-day flaw that puts Internet Explorer or Firefox users in peril, depending on who you believe.
Some history: Researchers Billy (BK) Rios, Nate McFeters, Raghav “the Pope” Dube and Thor Larholm all reported an issue affecting one or both browsers.
Larholm had this to say in his blog:
“There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols. This is the same type of input validation vulnerability that I discovered in the Safari 3 beta (see Safari for Windows, 0day exploit in 2 hours). When Firefox is installed it registers a URL protocol handler called FirefoxURL. When Internet Explorer encounters a reference to content inside the FirefoxURL URL scheme it calls ShellExecute with the EXE image path and passes the entire request URI without any input validation.”
Symantec said an attacker could exploit this to carry out cross-browser scripting attacks by using the ‘-chrome’ argument. This can allow attackers to run JavaScript code with the privileges of the trusted chrome context, which has full access to Firefox’s resources. Exploiting the issue would permit a remote attacker to influence command options that can be called through the ‘FirefoxURL’ handler and therefore execute commands and script code with the privileges of a user running the applications, Symantec added.
In an email to SearchSecurity.com, Secunia CTO Thomas Kristensen said his firm tested the flaw and found that it’s a problem for Firefox and not Internet Explorer.
“Since Firefox 2.0.0.2, a new URI handler was registered on Windows systems to allow Web sites to force launching Firefox if the “firefoxurl://” URI was called (like ftp://, http://, or similar would call other applications),” he wrote. “However, the way in which the URI handler was registered by Firefox causes any parameter to be passed from IE (or another application) to Firefox when firefoxurl:// is activated. Due to the implementation of the “-chrome” parameter, it became possible to inject code that would be executed within Firefox.”
Since I posted that, Mozilla security chief Window Snyder has sounded off about the flaw in her blog.
“It is important to note that if you are using Firefox to browse the Web you *are not* vulnerable to this attack,” she wrote. “While we have seen no evidence of attackers exploiting this issue, there is proof-of-concept code available publicly. So we recommend that people use Firefox and as always take care when browsing unknown Web sites.”
So there you have it. More disagreement over who is actually affected by this flaw.
In the final analysis, regardless of which program is affected, the lesson for users is the same: You need to stay away from untrusted Web sites. If you are visiting porn and gambling sites or shopping online using a site that doesn’t clearly outline how the merchant is protecting your credit card data, you’re asking for trouble no matter which browser you’re using.
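The argument-passing behaviour Larholm and Kristensen describe above, as an added example that is not from the column or from either vendor: a constructed handler template, constructed URIs and a simplified Windows-style argument split show how an unvalidated URI turns into extra command-line arguments, and how percent-encoding on the calling side keeps it a single argument. The template, scheme name, switch names and function names are all assumptions made for illustration.

```python
from urllib.parse import quote

# Hypothetical command template of a registered URL protocol handler;
# "%1" is replaced by the URI that the calling application hands over.
TEMPLATE = r'"C:\Program Files\ExampleBrowser\browser.exe" -url "%1"'

# Constructed sample URIs (the scheme and switch names are made up).
BENIGN = "exampleurl://example.test/page"
HOSTILE = 'exampleurl://x" -extra-switch "value'

def split_args(cmdline):
    """Simplified Windows-style split: a double quote toggles quoting and
    whitespace separates arguments outside quotes (backslash rules omitted)."""
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args

def expand_unvalidated(uri):
    """The behaviour quoted above: the whole URI is substituted as-is."""
    return split_args(TEMPLATE.replace("%1", uri))

def expand_validated(uri):
    """One possible caller-side check (an assumption, not either vendor's
    fix): percent-encode quotes and whitespace before substitution."""
    encoded = quote(uri, safe=":/?&=#%.-_~")
    return split_args(TEMPLATE.replace("%1", encoded))

def injected_args(argv):
    """Arguments beyond the three that the template itself defines."""
    return argv[3:]

if __name__ == "__main__":
    for name, uri in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(name, "unvalidated:", injected_args(expand_unvalidated(uri)))
        print(name, "validated:  ", injected_args(expand_validated(uri)))
```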
Symantec going private?
Everyone is on constant watch for the latest merger-acquisition or IPO, but for something a bit different, the folks at RiskBloggers.com are chewing over rumors that Symantec may be about to make a dramatic announcement.
“This is only a rumor, if it were an actual event you would be instructed by the authorities where to redeem your SYMC stock … Multiple friends of Risk Bloggers have told me that Symantec has been in talks with investors over their strategic options, with the most likely outcome (if anything happens) being a move to go private!” Jim Reavis wrote. “Stepping out of the public markets would likely accelerate the massive industry shakeup we have been seeing, it may soon become pointless to have information security indices if we don’t have stocks to track.”
He noted that Symantec’s stock has been up and down of late, and while he believes John Thompson is “a great CEO and has made some very smart moves to beef up their enterprise solutions,” a couple of years sans SOX will allow the execs to focus more on the business and aligning their healthy security and storage product portfolio with market needs.
Whatever happens with Symantec, he said, “We can be certain that the megadeals we have seen in information security are not over. I would certainly think that since Google bought Postini, MessageLabs will get picked up soon, I would assume their Star Technologies Services spinoff announcement in June was the necessary precursor to get a deal done.”
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.