Google claims analyst research firm site is an attack site, serving up malware

Technical Article, October 10, 2008, by Lori MacVittie

I was reading an interesting article on the return on investment for WAN Optimization solutions as discussed by analyst research firm Aberdeen and decided to download the complimentary copy of the report. Reports are generally offered as PDF downloads, not displayed in Macromedia FlashPaper, so it was not easily obtainable for sharing with friends. However, there's a nice "e-mail to a friend" link, so I clicked on it, thinking of many folks I know who might be interested in this report.

The next thing I know, my screen is screaming at me with a warning about malicious content and that the site had been blocked per my security settings. Note: the security settings in my browser (Firefox) are the default; I haven't changed them. I like to live dangerously like that.

Needless to say, this got my attention immediately. What could possibly be going on that would result in this site being designated as an "attack site" and therefore dangerous? After all, BusinessWeek was infected not so long ago, so it's not inconceivable that Aberdeen could be infected as well. So I opted to use the "Why was this site blocked?" button and see what Google had to say about the site.

It wasn't pretty. No, not the diagnostic page, the information contained therein. According to the Google diagnostic page:

"Of the 40 pages we tested on the site over the past 90 days, 10 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 09/30/2008, and the last time suspicious content was found on this site was on 09/30/2008."

Several thoughts came to mind after reading the diagnostic page.

Whoa. Really? That's scary stuff!

That was two weeks ago. Shouldn't Google be more proactive in checking more regularly once it identifies an "attack site" to see if the situation has been remedied?

Does Aberdeen know this? Did Google send them a nice note saying "Hey, your site is doing bad things. You should fix it." or is this process so completely automated as to ignore the fact that sometimes sites are infected by third-party content and the infection isn't detected by the site owner until it's pointed out?

Is this perhaps a problem with Adobe's Macromedia FlashPaper? A misidentification of intended functionality as malicious? Google's diagnostic page seems to indicate something more devious, but stranger things have happened, especially on the web.

If the site is infected, and it was infected via some sort of injection (SQL, XSS, etc.), could it have been prevented by a web application firewall? Hey, the word marketing is in my title, after all, so don't look at me like that. I have to wonder about these kinds of things. Because hey, it could be a new vulnerability that involves FlashPaper or Adobe products in general, like the recently discovered clickjacking vulnerability.

If this really is a problem and Aberdeen's site really is infected with malicious "stuff", then I'm thankful Google stopped me from viewing the site. But if it isn't a problem and Google's determination is incorrectly labeling intended functionality as malicious, then it's not so cool after all.

It will be nice to find out what's really going on. Is Aberdeen's site really infected? Is there yet another vulnerability with Adobe's products? Is the Google safe browsing function really working? Does Joanie still love Chachi? So many questions, so few answers.

last modified: October 10, 2008