07:42 PM
Connect Directly

Wrestling With Malware, Google Launches Security Blog

Google said it began tackling online security in a public manner last year.

In a continuation of its year-old effort to make the Web more secure, Google today launched an online security blog to keep Internet users informed about security threats. It makes no mention, however, of Google's ongoing vulnerability to redirection exploits.

The initial post by Panayiotis Mavrommatis and Niels Provos of Google's Anti-Malware Team attempts to clarify misinterpretation of the company's own study about the prevalence of malware online.

"Unfortunately, the scope of the problem has recently been somewhat misreported to suggest that one in 10 Web sites are potentially malicious," explained Mavrommatis and Provos. "To clarify, a sample-based analysis puts the fraction of malicious pages at roughly 0.1%."

While Google may be glad to set the record straight that only about one in 1,000 Web sites are potentially malicious, it says something about the state of online security that some simply accepted the 1-in-10 figure.

Google began tackling online security in a public manner last year. In January 2006, Google was among the companies that sponsored the launch of, a site conceived to fill the role of a neighborhood watch group on the Internet.

The insecurity of search came to the fore last May when a McAfee SiteAdvisor report found that search engines regularly returned risky sites when queried using popular keywords. Shortly before that report appeared, Google made an arguably long-overdue addition to its Webmaster Quality Guidelines: "Don't create pages that install viruses, Trojans, or other badware."

Three months ago in February, Google started to flag suspect search result links with the message, "This site may harm your computer." The company also disabled the links on flagged results, preventing users from visiting those sites unless they copied the URL and pasted it directly into their browser address bar.

That same month, Google also added a notification for owners of flagged sites to help those with good intentions identify and mitigate any malware they might be hosting.

While Google's efforts may provide some comfort to its users, cyberthieves appear to be unimpressed. Since last year, Google has been dealing with URL redirection exploits that allow phishers to disguise malicious URLs to look like Google links. While the company has closed some holes, others apparently remain.

"We're aware of the issue and working on a fix," said a Google spokesperson.

Indeed, Google has "started an effort to identify all Web pages on the Internet that could potentially be malicious," according to a security paper published by several Google engineers, Mavrommatis and Provos among them.

Even so, not everyone believes Google is moving fast enough. Writing about an exploit that Google closed in February, Robert Hansen, CEO of security consultancy SecTheory and the maintainer of under the name RSnake, said, "Google is riddled with these holes and they are incredibly easy to find."

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
Increasing IT Agility and Speed To Drive Business Growth
Learn about the steps you'll need to take to transform your IT operation and culture into an agile organization that supports business-driving initiatives.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.