Google on Security Alert
Though the New Year's holiday was a long vacation for many, it was a long work weekend for those in Google's security operations.
A flaw was reported and fixed over the weekend, and there are allegations in the wild that a new crop of security issues may still exist.
Heather Adkins, information security manager at Google, said in a statement e-mailed to internetnews.com that over the holiday weekend Google was notified of a vulnerability that spanned multiple Google products.
"We were first notified that this issue affected Google Video and fixed it within a few hours of receiving the report," Adkins stated. "We were then notified that the same issue affected other Google products. The problem with the other products was resolved within 24 hours of the second report. To our knowledge, no one exploited the vulnerability and no users were impacted."
The vulnerability, if exploited, could have allowed Google users' Gmail contact lists and other information to be exposed to malicious attackers. Adkins noted that the vulnerability related to how Google uses certain JSON (JavaScript Object Notation) objects within some of its product code.
"The fix we employed made sure the objects could not be abused," Adkins said. Google engineer Matt Cutts wrote in a blog post that Google fixed the JSON vulnerabilities with a number of different approaches.
"On some of them, we immediately fixed the code to properly stop JavaScript," Cutts wrote. "On others, the urls were blocked until the next push of that service will happen."
Cutts noted that since the issues were server side, as Google's applications are Web-based, the fixes were deployed much faster than they would have been had the vulnerabilities appeared client-side.
"Even this situation (where several Google properties needed to be changed) yielded a much faster fix than patching so many client-side applications, and much of this was happening on New Year's Eve and New Year's Day when most normal people are sleeping off the night before," Cutts wrote.
Google has a solid track record of fixing vulnerabilities rapidly, especially of late. In mid-December Google moved quickly ahead of a weekend to fix an alleged flaw in its money-making AdWords solution.
In that case the security researcher alerted Google before the vulnerability was publicly disclosed, a move that Google applauded.
Responsible disclosure is something that Google's Adkins is certainly very keen on. "We strongly encourage anyone who is interested in researching and reporting security issues to follow responsible disclosure practices, including giving vendors ample time to respond to reports," Adkins commented.