Microsoft security patch flagged Google as malicious site
- By Kevin McCaney
- Feb 15, 2012
Microsoft’s Valentine’s Day Patch Tuesday update inadvertently delivered an antivirus and security software “fix” that told users that Google.com was infected with the Blackhole Exploit Kit.
A few hours after complaints began pouring in, Microsoft corrected the problem. A post on its Malware Protection Center site states: “On February 14, 2012, an incorrect detection for Exploit:JS/Blacole.BW was introduced,” and notes that the company issued an update to take care of the problem.
Microsoft recommended that users download the most recent versions of the updates (signature versions 1.119.1988.0 and higher, for those keeping score.)
The false positive affected users of Microsoft's Forefront corporate security software and Security Essentials scanner software.
Reports of something amiss quickly began to surface on sites such as the SANS Institute’s Internet Storm Center and Microsoft’s TechNet forum. Posters to TechNet said the warning about Google began showing up about five minutes after users installed the updates. Most users posting comments to the site suspected it was a false positive.
The Blackhole Exploit Kit, which first appeared in August 2010, is crimeware developed in Russia that usually targets Windows operating systems and applications, looking to exploit common security flaws.
Blackhole has been used to infect the U.S. Postal Service’s Rapid Information Bulletin Board System website in April 2011, and, most recently, to hack into Cryptome.org, a WikiLeaks-style site that publishes leaked files and intelligence documents, eWeek reported.
In the Cryptome attack, which occurred Feb. 8, almost all of the 6,000 pages in the site’s main directory and 5,000 files in subdirectories, were infected with malicious PHP script that redirected users to a third-party website, eWeek reported.
Microsoft rates the alert level for Blackhole as “severe,” but visitors to Google who got the warning needn’t be concerned, even if they were a bit annoyed.
Security writer Brian Krebs, who was among the first to report the snafu, points out that false positives happen to every antivirus vendor and “this one was fairly innocuous as these things go.”
After all, it didn’t do any damage, Google’s home page wasn’t infected, most users suspected right off the bat that it was a false positive, and Microsoft quickly addressed the problem.
But it’s notable because it just happened to flag the most visited Web page in the world. It might also be notable that Microsoft and Google are fairly fierce rivals, but whether the false positive on Google was a coincidence or whether someone was having a little fun with a competitor may never be publicly known.
Kevin McCaney is a former editor of Defense Systems and GCN.