Friday, June 4, 2010

Google vs Microsoft - What's In It For You

Tech blogs are abuzz over Google's recent announcement that they are tossing Windows overboard due to security concerns.

Is this another example of blades of grass (us) suffering when elephants (them) tussle? I don't think so, but let's look at some background.

Google blames Microsoft for the Operation Aurora attacks in which Google systems were compromised and key data stolen, allegedly at the behest of Chinese government officials. In particular, a Microsoft Internet Explorer zero-day exploit was leveraged in the attacks, and Google spent much time and expense cleaning up and securing their environment after the incident.

Microsoft products enjoy a significant, if dwindling, saturation point among both home users and the enterprise. In fact, Google's launch of the Chrome browser and Android mobile platform, along with their upcoming operating system, will result  in Google snatching more market share from Microsoft than from Apple or Linux.

So it makes sense for Google to peel away from Microsoft for all sorts of business reasons outside of security concerns. Internet Explorer is eminently buggy and continually vulnerable, and its percentage of the browser market was dropping even before Chrome was released as users moved to alternatives like Firefox and Opera. Aside from Google developers keeping Internet Explorer around to ensure their products are compatible and render correctly for IE users, there's no compelling reason for anyone other than the coders to have it on their desktops.

The same rationale can be posited from an operating system perspective. If Google's upcoming OS is indeed ready for prime time, Google employees should be using it. Period. Call it the "school of eating your own dog food" if you like, but if you want to convince casual users, application developers, and large companies that your product is worthy of their dollars, you'd better be willing to be a living, breathing use-case.

Speaking as a security guy, there are two concerns I have with Google's announcement. First, the operating system is just one of a myriad of attack vectors available for hackers and exploit frameworks. Secondly, consolidating on a single platform for an enterprise makes life easier for the bad guys.

Let's examine the operating system angle Five years ago, targeting the OS was easy, because Microsoft had a 98% deployment share and, let's face it, their code had more holes in it than Swiss cheese.

As time went on and Microsoft slowly began to execute on their Trustworthy Computing initiative, it became a bit more difficult to penetrate the operating system directly. Part of the solution was the implementation of UAC in Vista and Windows 7 which segregated some of the core kernel functions from direct access, but the enforcement lacks some of the rigor of similar Linux-based controls, and users can dumb down UAC to the point where it isn't all that effective.

Coupled with weak UAC, attackers also stopped breaking down the door and started looking for unlocked windows, pardon the pun, and they found them in peripheral applications like Adobe Reader & Flash, QuickTime, and Microsoft Office. Since these apps also suffer from readily exploitable vulnerabilities and are available in versions that sit atop various operating systems, Google moving away from Windows on the desktop and server is a lesser security achievement than the folks in Palo Alto are trumpeting.

Given that the second most popular attack vector - after peripheral applications - is web-based applications vulnerable to cross-site scripting and SQL injection attacks, it's difficult to believe much protection is gained by switching. Again, regardless of the operating system, you're still at risk if you have poor application development practices that allow such attacks to succeed.

What about moving from a heterogeneous IT environment to a homogeneous shop? Well, there are downsides to that approach, too.

Single platform infrastructures can be a security and resiliency concern. Attackers typically use fingerprinting techniques to systemically profile an organization's IT blueprint. Over time, it becomes apparent what products and versions are in use, and what preventative and detective security controls are in place. This is much easier for attackers when everything is based off of the same underlying code.

Similarly, when a weakness is found, it can be leveraged across the whole enterprise. That can increase both the impact of any attack (or unanticipated failure) and the subsequent time and resources needed to recover and resume normal operations. Having a multi-platform environment lessens that risk, but increases the complexity of an enterprise infrastructure. Few organizations take the resources saved from an uncomplicated, homogeneous environment and pour them back into hardening the underlying backbone.

Google may be firing a marketing shot across Microsoft's bow with their announcement. From a technical perspective, Microsoft is playing catch-up, having lost the cool kids to Apple and Google already. Losing the enterprise customer would be the final nail in Redmond's coffin, and if Google can demonstrate to Fortune 500 companies that they can provide a cost-effective, feature-rich replacement for Windows and Office, they'll be happy to hand businesses the hammer.

Images via Wikimedia Commons

No comments:

Post a Comment

Please tell me what you think.