Microsoft's Security Update IDs Google as Malicious Web Page

Microsoft's February Security Update included an antivirus and security software "fix" that told users that was infected with the Blackhole Exploit Kit.

A few hours after complaints began pouring in, Microsoft corrected the problem. A post on its Malware Protection Center site states: "On February 14, 2012, an incorrect detection for Exploit:JS/Blacole.BW was introduced," and notes that the company issued an update to take care of the problem.

Microsoft recommended that users download the most recent versions of the updates (signature versions 1.119.1988.0 and higher, for those keeping score.)

The false positive affected users of Microsoft's Forefront corporate security software and Security Essentials scanner software.

Reports of something amiss quickly began to surface on sites such as the SANS Institute's Internet Storm Center and Microsoft's TechNet forum. Posters to TechNet said the warning about Google began showing up about five minutes after users installed the updates. Most users posting comments to the site suspected it was a false positive.

The Blackhole Exploit Kit, which first appeared in August 2010, is crimeware developed in Russia that usually targets Windows operating systems and applications, looking to exploit common security flaws.

Blackhole has been used to infect the U.S. Postal Service's Rapid Information Bulletin Board System website in April 2011, and, most recently, to hack into, a WikiLeaks-style site that publishes leaked files and intelligence documents, eWeek reported.

In the Cryptome attack, which occurred Feb. 8, almost all of the 6,000 pages in the site's main directory and 5,000 files in subdirectories, were infected with malicious PHP script that redirected users to a third-party website, eWeek reported.

Microsoft rates the alert level for Blackhole as "severe," but visitors to Google who got the warning needn't be concerned, even if they were a bit annoyed.

Security writer Brian Krebs, who was among the first to report the snafu, points out that false positives happen to every antivirus vendor and "this one was fairly innocuous as these things go."

After all, it didn't do any damage, Google's home page wasn't infected, most users suspected right off the bat that it was a false positive, and Microsoft quickly addressed the problem.

But it's notable because it just happened to flag the most visited Web page in the world. It might also be notable that Microsoft and Google are fairly fierce rivals, but whether the false positive on Google was a coincidence or whether someone was having a little fun with a competitor may never be publicly known.


  • Windows Admin Center vs. Hyper-V Manager: What's Better for Managing VMs?

    Microsoft's preferred interface for Windows Server is Windows Admin Center, but can it really replace Hyper-V Manager for managing virtual machines? Brien compares the two management tools.

  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

  • Microsoft Ups Its Carbon Reduction Goals

    Microsoft on Thursday announced a corporatewide carbon reduction effort that aims to make the company "carbon negative" by 2030.

  • How To Dynamically Lock Down an Unattended Windows 10 PC

    One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.