Google called again after I posted the latest follow up to the Google hack story. Wow, two calls from Google AR in the span of an hour! They were uncomfortable about the way I characterized the involvement of the corporate VPN in the Google attack. The official on-the-record word from Google is: "This is not accurate." So, I should rephrase how the attack happened:
a) A Google employee's machine that was running IE v6 was compromised via the IE vulnerability.
b) The attacker used the compromised machine to somehow gain access to Google servers (some of which housed critical information). The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that "the compromised client used their corporate VPN to gain access to the servers." At Google's request, I retract that particular statement.
This is what we do know factually:
1) The attack on the Google server happened.
2) Google immediately decided to do an emergency update of their entire corporate VPN infrastructure.
Could these two things be entirely unrelated? I doubt it. But Google isn't going on the record to say that the attack came in via the VPN, and that's their official position.
On a positive note, Google is actively trying to schedule the security interview with me. So hopefully I'll have more to report shortly.