Google called me, five minutes ago, confirmed that the attacker indeed came in via the corporate VPN access. On top of that, they told me that the victim machine was a corporate managed machine, not a home computer.
As to why Google employees were running IE v6, Google’s position is that someone might be running IE v6 for testing purposes. Whether this was indeed what happened, they wouldn’t say. Ok, I can buy that you might be running an older version of browser for testing purposes (for backwards compatibility), but why wasn’t the testing environment isolated from production and from access to critical assets? Isn’t that one of the first thing you do in setting up a test environment? Google assured me that they are taking steps to rectify the situation, and for the sake of everyone who trusts Google with their data and applications, I hope they do it soon.
A funny related note: I’ve been trying to get Google’s attention for over a week on a security interview, but they were too busy to respond (understandably, I guess). But five minutes after I put up this blog entry, Google calls me on my mobile.
Your assumption that network segmentation between a corporation’s production and test systems may be partially flawed. Although this practice provides a layer of potential defense against attacks, it probably also means a complete duplication of infrastructure systems and services to offer an appropriate degree of function. This is not an affordable operating model in the ever growing IT cost control dominion, nor does it usually mitigate the risk of transitive access between environments, since there is usually a bi-directional means of connectivity provided to the developers and testers.
At a minimum, the media of a corporate network at layer 3 of the ISO model can be shared, as long as a company makes the appropriate effort to segment identity and authentication services between the production and test environments.
Otherwise, I agree with the sentiment intended by your raising of the point.
You are right: in general it’s not always possible or economically feasible to entirely separate the test environment from production. In this particular case, however, I am not sure that is what’s at play here. Clearly the Google employee used IE 6 to surf the Internet; is that for testing purposes? We don’t know for sure. Also, clearly the desktop that was compromised had access to critical assets. Why is that necessary? We don’t know. What Google does concede is that they could have done a better job of desktop management, and they could have done a better job of VPN management. I suspect that the statement that “someone is using IE6 for testing purposes” is the best excuse Google can come up with for their poor desktop management. It’s a bit embarrassing really, when you consider they even have their own browser, Chrome.
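To make the two points above concrete (the commenter’s “share the network, segment identity and authentication” model, and the desktop/VPN management gap in the reply), here is an added example of a small access-policy evaluator. It is not code from Google or from anyone in this thread. It assumes a shared layer-3 network where every client can reach every host, and makes the access decision purely on identity realm and endpoint posture; the hostnames, realm names, browser labels and the end-of-life browser list are all constructed for illustration.

```python
"""Constructed policy model: shared network, segmented identity, posture-gated
access to critical assets. Not the original post's code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """A client device as seen by the access policy (constructed model)."""
    hostname: str
    managed: bool      # corporate-managed device (inventory, patching, config control)
    realm: str         # identity realm whose credentials the device holds
    browser: str       # "vendor/major.minor" label, e.g. "ie/6.0" (constructed)


@dataclass(frozen=True)
class Asset:
    """A server-side resource the policy protects (constructed model)."""
    name: str
    realm: str         # identity realm allowed to authenticate to it
    critical: bool     # source code, customer data, admin consoles, ...


# Browser builds the policy treats as end-of-life; constructed list.
EOL_BROWSERS = {"ie/6.0", "ie/7.0"}


def evaluate(endpoint: Endpoint, asset: Asset) -> Tuple[bool, List[str]]:
    """Decide whether endpoint may open a session to asset.

    Network reachability is assumed for every pair (shared layer 3); the
    decision rests on realm membership and endpoint posture only.
    Returns (allowed, denial_reasons).
    """
    reasons: List[str] = []
    # Identity segmentation: test-realm credentials never authenticate to
    # production resources, even though the packets can get there.
    if endpoint.realm != asset.realm:
        reasons.append(
            f"realm mismatch: {endpoint.realm!r} credentials cannot "
            f"authenticate to {asset.realm!r} asset {asset.name}")
    # Posture gate: critical assets require a managed device on a supported browser.
    if asset.critical:
        if not endpoint.managed:
            reasons.append(
                f"{endpoint.hostname}: unmanaged device may not reach critical assets")
        if endpoint.browser in EOL_BROWSERS:
            reasons.append(
                f"{endpoint.hostname}: end-of-life browser {endpoint.browser} "
                f"may not reach critical assets")
    return (not reasons, reasons)


def audit(endpoints: List[Endpoint], assets: List[Asset]) -> Dict[Tuple[str, str], List[str]]:
    """Evaluate every endpoint/asset pair; return the denied pairs with reasons."""
    findings: Dict[Tuple[str, str], List[str]] = {}
    for ep in endpoints:
        for asset in assets:
            allowed, reasons = evaluate(ep, asset)
            if not allowed:
                findings[(ep.hostname, asset.name)] = reasons
    return findings


# Constructed sample inventory: one compatibility-testing box that legitimately
# runs IE 6 inside the test realm, two production workstations, one home laptop.
ENDPOINTS = [
    Endpoint("compat-test-01", managed=True, realm="test", browser="ie/6.0"),
    Endpoint("dev-ws-17", managed=True, realm="prod", browser="ie/6.0"),
    Endpoint("dev-ws-22", managed=True, realm="prod", browser="chrome/4.0"),
    Endpoint("home-laptop", managed=False, realm="prod", browser="chrome/4.0"),
]
ASSETS = [
    Asset("source-repo", realm="prod", critical=True),
    Asset("compat-webapp", realm="test", critical=False),
]

if __name__ == "__main__":
    for pair, denial in audit(ENDPOINTS, ASSETS).items():
        print(pair, "->", "; ".join(denial))
```

The point the sample inventory makes is that an old browser for compatibility testing is unobjectionable when its device holds only test-realm credentials and the test application is the only thing it can authenticate to; the same browser on a production-realm workstation is denied the source repository on posture alone, without any network rule being involved.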