Google Shuts Hole in Desktop Product

["Richard M. Smith" <rms () computerbytesman com>]

http://news.wired.com/dynamic/stories/G/GOOGLE_DESKTOP_SECURITY?SITE=WIRE
<http://news.wired.com/dynamic/stories/G/GOOGLE_DESKTOP_SECURITY?SITE=WIRE&S
ECTION=HOME&TEMPLATE=DEFAULT> &SECTION=HOME&TEMPLATE=DEFAULT
 
Feb 21, 7:51 AM EST


Google Shuts Hole in Desktop Product 

By BRIAN BERGSTEIN 
AP Technology Writer

BOSTON (AP) -- A potentially devastating hole in Google Inc.'s prevalent
desktop search product could have exposed personal files on users' computers
to data thieves. Google fixed the defect within weeks of being informed
about it and says it has no evidence the vulnerability was exploited.

The flaw was uncovered late last year by Watchfire Corp., a
security-analysis provider. While the vulnerability exists in roughly 80
percent of Web applications, this problem appeared far more extreme "given
the sensitive nature of what Google Desktop is doing," said Danny Allan, a
researcher at Waltham, Mass.-based Watchfire.

Google's free desktop product, first released in 2004, has millions of users
and remains popular. Internet tracker Hitwise says visits to
<http://desktop.google.com/> http://desktop.google.com tripled in January.

The system lets users set Google's indexing and searching capabilities loose
on their own computers in addition to the Web. The service offers a fast,
easy way to find documents, e-mails, instant-messaging transcripts, archived
Web pages and other tidbits socked away on PCs. A Google executive once
described it as "the photographic memory of your computer."

The Watchfire researchers discovered, however, that the setup was open to
something known as a cross-site scripting attack, which lets an attacker
place malicious code on a Google Desktop user's computer. The PC could be
infected a number of ways, including an infected e-mail attachment.

> From that instant, a hacker would have had free reign to use Google Desktop
to search the victim's machine - or multiple compromised machines at once -
and possibly to take full control of the computer, according to Watchfire.
Watchfire's founder and chief technical officer, Mike Weider, said the
attack would have gone undetected by firewalls or antivirus software.

Watchfire said it reported the security hole to Google on Jan. 4 and was
assured Feb. 1 that the flaw had been fixed. Google spokesman Barry Schnitt
said the desktop search software gets automatically updated, so users do not
need to take any steps to protect themselves.

While this particular avenue for data theft has been shut down, Watchfire
contends that another one could emerge because Google maintains a link
between desktop and Web data - a query on a computer with Google Desktop can
show search results from both realms.

"There's a high potential for this to happen again," Weider said.

However, Schnitt responded in an e-mail that Google has "taken many steps to
protect our users and mitigate such attacks."

"We've added an additional layer of security checks to prevent the types of
attacks pointed out by Watchfire and future possible attacks through this
vector as well," he wrote.

No matter whether such a threat re-emerges through Google, Allan expects to
see similar vulnerabilities increase overall, "as desktop software and the
Internet get more connected." As a result, he said, antivirus vendors should
develop techniques for detecting and blocking such attacks.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.