Google blasts Windows security as it prepares launch of Chrome OS

As a rule, news stories attributed to anonymous corporate sources should not be taken at face value. Often such news leaks — like the one fueling the Financial Times’ report that Google has suddenly decided to curtail internal use of Windows because of security concerns — can serve a hidden agenda.

At first blush Google swearing off Windows might seem noteworthy. However, Google doesn’t use Windows very much internally. “When I worked there, it seemed like most developers used Unix anyway,” says Vanessa Fox, author of Marketing in the Age of Google. “So, I don’t know that a more formal step away from Windows will have much impact, at least within engineering.”

Moreover, Chris Wysopal, CTO at Veracode, points out that the folks who maintain the Open Source Vulnerability Database, or OSVDB, have tallied more security holes in Google Chrome and Apple Safari browsers than in Microsoft’s Internet Explorer browser thus far in 2010. Chrome has 51 vulnerabilities, Safari 34 and IE 31, according to OSVDB.

Windows 7: a safe choice

“Using historical vulnerability data alone would be a bad way to make security decisions as it is just one data point,” says Wysopal. “But this data point is clearly in Internet Explorer’s favor.”

Wysopal counts himself among the security researchers who would say that Windows 7 is a more difficult platform on which to exploit vulnerabilities than OS X. “So it is hard to understand why Windows 7 with IE 8 is not one of the secure choices,” he says.

Additionally, Google is in the midst of ramping up its internal testing of the Chrome Operating System, says David Harry, president of search consultancy Reliable SEO. Google unveiled Chrome OS, a Windows alternative, at a press conference last November, promising its release by late this year.

Thus Google’s sniping at Windows security issues comes as Google is accelerating the “dog-fooding” of Chrome OS. Dog-fooding is how Google refers to the practice of testing new products internally amongst its employees.

Sharp PR move

Marissa Gluck, analyst at Radar Research, says Google’s emphasis on security concerns as the reason for jettisoning Windows, “is pretty savvy. It’s certainly good PR for Google, with the implication being that Chrome OS will be more secure than Windows.”

Gluck says Chrome OS appears to be on track for release in the November time frame. “In terms of dumping Windows, I’m surprised Windows was even still an option at Google,” observes Gluck. “I doubt Linux or Mac is an option for new hires at Microsoft. Most technology companies insist their employees use their own products, or go open source.”

Harry notes that Google dog-fooded the Chrome web browser and Android cell phone operating system prior to their respective public launches. “We can surely expect Google to ultimately turn to full internal use of their own operating system in the future, given the fact that Chrome OS is a natural extension of its browser namesake and Android OS,” says Harry.

Fox agrees that it “makes sense” for the search giant to have “employees use the Chrome OS extensively as part of the testing and development process.”

Update 02June2010: using Mac or Linux also risky

Other organizations would be making a mistake to adopt Google’s stated reasons for dropping Windows because of security concerns, contends Trusteer CEO Mickey Boodaei.

“Enterprises that are considering shifting to an operating system like Mac or Linux should realize that although there are fewer malware programs available against these platforms, the shift will not solve the targeted attacks problem and may even make it worse,” says Boodaei.

Boodaei says flatly: “Mac and Linux are not more secure than Windows. They’re less targeted. There is a big difference. If you choose a less targeted platform then there is less of a chance of getting infected with standard viruses and Trojans that are not targeting you specifically. This could be an effective way of reducing infection rates for companies that suffer frequent infections.”

In targeted attacks where the thieves are going after specific assets, the bad guys “can very easily learn the type of platform used and then build malware that attacks this platform and release it against the targeted enterprise,” says Boodaei.

According to Boodaei, “The security community is years behind when it comes to security products for Mac and Linux. Therefore there is much less chance that any security product will be able to effectively detect and block this attack. By taking that action the enterprise increases its exposure to targeted attacks, not reducing it.”

By Byron Acohido
