Google's "Get Out of China" Free Card analyzed

Adobe and Microsoft -
Remember how we said that initially Google and other researchers thought it was a flaw in Adobe Reader?  This is an interesting statement by both Google and McAfee, you see for the better part of two years Adobe Products [Flash and the Acrobat Reader Plug-in] have been used as a vector for attack. In fact at the 2009 Pwn2Own it was a flaw in Flash that allowed Windows Vista to fall.  Still Adobe was not happy with being the scape goat on this one; they quickly released a statement saying there was no evidence that this was the case.

However, if you cannot blame Adobe, Microsoft is just as good. After all everyone knows that Microsoft products have tons of holes and flaws.  So Google and McAfee went for Internet Explorer. Finding a previously unknown flaw in IE is not out of the realm of possibility and is more than plausible. But, is it what happened?  Well, after a few updates and some additional information [we also spoke to a few white and black hats] we find that things are not so simple. As we mentioned, Google said the attack targeted IE; this prompted MS to take a look and to release a security advisory. However, MSA 979352 says something that is downright confusing... Here is a quote from the MSA

“At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”

Microsoft is admitting there is a flaw but also saying that the only known reports are against IE 6; so we see some things are not adding up. None of the information provided offers proof of the attack or investigation. It is quite simply PR statements being made with little supportive evidence.  All the players have things to gain and lose.