The Financial Times reported last night that Google was going to phase out internal use of Microsoft Windows due to security concerns. The migration away from Windows is reported to have started in January, motivated by the Chinese Aurora attacks on the company that exploited a flaw in Internet Explorer 6.
In the story, the FT said that new Google employees would be given the choice between systems using Mac OS X and Linux. Windows machines will only be available with CIO approval. This would put an end to the existing policy, whereby employees were generally free to pick the platform that they preferred. Google has refused to comment.
This seems surprisingly extreme, given that there are practical reasons for Google employees to use Windows. The company produces Windows software, such as the Chrome Web browser and Google Desktop Search. The company also has a great many Web properties, all of which need testing on Windows. As such, Windows is sure to remain a part of the Google ecosystem, at least for anyone involved in end-user facing applications. It's just too important to ignore.
In the aftermath of the Google hack, even Microsoft said that people should stop using Internet Explorer 6, as it lacks the defence-in-depth measures found in Internet Explorer 8 when used on Windows Vista and Windows 7.
But switching to the latest version of Windows, and ditching a browser that should be left behind, is a far cry from leaving Windows altogether. There are certainly reasons why Google might want to do so: Microsoft is in competition with Google, and so every user that Google can get off of Windows and Office is a net win for the advertising giant.
But to do so as a response to the Aurora hacks? That doesn't make a lot of sense. The IT industry doesn't always like to admit it, but the truth is, Windows' security is actually pretty good.
I know, I know. Windows machines are routinely hacked, there are huge botnets of machines running Windows, viruses are rampant, and so on. This is true. But I would argue that it's not actually relevant in this case. The Google attack was not your common-or-garden indiscriminate mass attack, intended to snaffle credit card numbers and banking passwords, and send millions of spam e-mails.
These attacks are common, but in general depend on exploitation of vulnerabilities that have already been patched. They're aimed at the low-hanging fruit: the (admittedly abundant) people who haven't updated their software for years. Who have no malware protection installed. Who will click on anything and, well, everything.
Windows, with its dominant market share, is certainly susceptible to such attacks. These broad-based attacks are financially motivated, with the goal being to collect as many sets of personal data or recruit as many zombies as possible. As such, it's not a surprise that attackers are aiming at the platform with the most users. They get more money that way.
For a user uninterested in keeping their system up-to-date, Mac OS X or Linux would certainly provide an advantage of sorts against this kind of attack. It might not be the most robust protection possible, but absent any drastic growth in Mac OS X or Linux market share, it's likely to be effective nonetheless.
The Google attack, however, was not this kind of attack. It was a targeted attack that was aimed specifically at certain companies. On top of this, it used a previously undisclosed (and hence unpatched) vulnerability in Internet Explorer 6. Use of undisclosed vulnerabilities is not unheard of, but it's relatively unusual. There is a black market for undiscovered flaws, but they are expensive to buy (nobody really knows for sure, but figures of $100,000 per exploit have been claimed), and for widespread scattergun attacks, there's just not much point. Unpatched systems are sufficiently abundant that it's likely to be much more cost-effective to simply use vendor security bulletins and patches as the source of flaws.
Attackers using non-public flaws gain several advantages. Most obviously, their victims will always be vulnerable (no need to hope that they've not patched their systems). Also important is the fact that typical anti-malware measures—anti-virus software, anti-rootkit software, intrusion detection systems, etc.—won't generally detect such attacks.
The decision to specifically target particular companies also makes it easier for the attackers to encourage a victim to visit a malicious webpage (or read a malicious PDF, open a malicious e-mail, etc.). It's easy to dismiss e-mails that are obviously fraudulent—e-mails telling you about the iTunes purchases you haven't made, the Fedex deliveries that you haven't ordered—but when an e-mail arrives with your name, or address, or other personal information, it's a lot harder to ignore.
It's these properties that make the Google attack unusual, and it's these properties that make switching platforms ineffective. Worse than ineffective: if this is the kind of threat that Google is concerned with, Windows 7 is one of the safer operating systems to use.
The thing about targeted attacks is that the relative obscurity that might provide some semblance of protection to normal, everyday users stops working. If a hacker wants to break into a specific organization, then that hacker will exploit the specific software that's used by that organization. That more people outside the target organization use Windows becomes irrelevant in this scenario. So the question of which OS to use changes—it's no longer "Which OS is less likely to be attacked?" but rather "Which software is less likely to be exploitable?" and "Which OS will protect me best in the event that I am attacked?"
With regard to the former, there's no especially good solution. All Web browsers have exploitable flaws, and this is a persistent and recurring problem. Internet Explorer 6 let Google down, but as the recent pwn2own competition showed, Internet Explorer 8, Firefox 3.5, and Safari 4 were all exploitable.
Google's own Chrome wasn't exploited, but whether this represents genuine immunity is not clear. The flaw used to exploit Safari was in the WebKit rendering engine—which is also used by Chrome. Chrome mitigates the impact of such flaws through its use of sandboxing, and its success in pwn2own has been widely attributed to that sandboxing. Internet Explorer 8 also uses sandboxing—however, breaking out of the sandbox wasn't necessary to win pwn2own.
Of course, in a targeted attack, the vector doesn't have to be a browser anyway. Just some application that you know the victim will use. Browsers are a good choice, because they're so widely used, but the Google attackers could have gone after Office or Adobe Reader, say, if they'd wanted to. And this is where the OS comes into play. Windows has a range of features designed to make software exploits harder to pull off even in the event of a bug in a program. These features are not insurmountable, but they nonetheless serve as a hindrance to attackers.
Microsoft has also invested heavily in development methodologies that attempt to systematically reduce the number of security defects that occur, and reduce the impact of those defects that are left. Though not perfect, these methods do yield results for Redmond, with researchers saying that Windows' code auditing is better than Apple's.
The net result is that fully-patched Windows 7 machines, especially running 64-bit software, represent a tough nut to crack for attackers. Assuming Google's system administrators are competent, modern versions of Windows would provide decent—not impenetrable, but good nonetheless—protection against precisely the kind of attack that Google is apparently striving to guard against. So banning Windows for security reasons makes no sense.
Linux doesn't have the same organized development process as Microsoft—that's just the nature of a decentralized open source development effort. It does, however, have a range of complex and powerful security capabilities, if you elect to use them. The result is that by default Linux may be a bit easier to attack than Windows; conversely, it can also be made harder to attack. If Google wants to avoid another Aurora, Linux, too, could be a good choice.
Where things get a bit weird, however, is Google's alleged decision that Mac OS X is a good alternative. Though Apple likes to trumpet the security of its platform, the reality is quite different. Mac OS X is easy, even fun to exploit. Safari, too, is "easy pickings" for hackers.
Even when Mac OS X does implement exploit mitigation techniques, these implementations are often weak or flawed. Apple also lacks an equivalent to Microsoft's secure development methodologies, an omission criticized by security researchers. Apple is beginning to take security more seriously, but it still lags behind other vendors.
The result of all this is that any hacker wanting to attack a company that uses Mac OS X is going to have an easier job than if they were attacking a company that uses Windows 7. Depending on the distribution and configuration, Linux too may represent a softer target than Redmond's offerings. Mac OS X and Linux would certainly leave the company less exposed to the bulk, non-specific attacks (though keeping systems patched and filtering e-mail already handles that problem pretty effectively), but as a defense against the next Aurora-like attack, the decision is a very strange one indeed.