For a period of time yesterday (Tues 2/14/12) Microsoft’s security products, Forefront and Microsoft Security Essentials, reported that www.google.com was infected with the Blacole.BW exploit for users browsing with Internet Explorer.
It appears that the definition updates Microsoft released alongside the other Patch Tuesday updates caused a false positive for google.com. Users began posting on the TechNet forums about the false positive shortly after the updates rolled out:
My malware inspection updated to 1.119.1972.0 and within 5 minutes started blocking www.google.com because of JS/Blacole.BW. I’m almost sure this is a false positive given how quiet the rest of the net is about it. Is anyone else encountering the same thing?
I’m getting it at my work as well:
Access to the requested file is blocked due to a detected infection:
Infection name: Exploit:JS/Blacole.BW
I’m just using https google instead.
False positives are not a rare occurrence. In fact I can’t think of one security provider who hasn’t, at one point, issued an update containing a false positive. Unfortunately for Microsoft, www.google.com is the most visited site on the net, so this error was sure to draw immediate notice from users. Microsoft released updated definition files, which corrected the problem, almost 5 hours later, and all is quiet on the exploit front.
My guess, and it is only a guess, is that this happened as a result of the website hacks that have occurred over the past several days, in which several high profile sites were infected with the Blackhole Toolkit. Early reports on these recent incidents indicate that the exploits were crafted to exclude Google’s IP address range. A mistake may have been made which associated Google’s IPs with the attack itself instead of with the exclusion from the attack. This is only a guess, and a long shot at best.
If you run either Microsoft Security Essentials or Forefront, you should check for updated definitions as soon as possible so you don’t experience the false positive and can continue happily browsing the internet!