IE Flaw Puts Google Desktop at Risk

By Nate Mook, BetaNews

December 2, 2005, 12:49 PM

Internet Explorer is not having a good week. After the discovery of an unpatched flaw in the ubiquitous Web browser and code to exploit it prompted Microsoft to issue a public advisory, a new vulnerability has been found that puts users of Google Desktop at risk -- even if they are running a fully patched system.

Uncovered by Israeli hacker Matan Gillon, the security hole involves a problem with the way IE imports cascading style sheets (CSS) from other Web sites, a technique referred to as cross site scripting (XSS). IE will import any type of file with a bracket, regardless of whether or not it's valid CSS.

By combining the flaw with Google's Desktop Search, a malicious Web site could read personal data off a visitor's machine.

"Much like classic XSS holes, this design flaw in IE allows an attacker to retrieve private user data or execute operations on the user's behalf on remote domains," explained Gillon. "The difference is that in this case the target site doesn't have to be vulnerable to script injection. All an attacker has to do is lure a user to a malicious web page."

Specifically, the Web page could employ the IE flaw to gain access to a user's private Google Desktop Search key, which is used as a security measure to limit outside access. Once that key is obtained, the Web site could do a CSS import on the desktop search URL, retrieving potentially private information.

Gillon supplied proof of concept code to highlight the potential risk. "A complete exploit can also iterate through the result pages to get more data and log the results on a remote server," he said. "Needless to say, I don't log any of the results."

The vulnerability could extend beyond Google Desktop Search, however, to any service or application that relies on cross-domain security policies within Internet Explorer.

The exploit affects IE6 on Windows XP SP2 with all patches installed. Mozilla's Firefox is not affected, nor is Opera, "because it doesn't support the styleSheets collection," said Gillon.

Microsoft officials say the company is working on a fix, but is unaware of any actual attacks on customers. Google is investigating the report as well, and recommends that users disable JavaScript in IE or use an alternate Web browser to keep safe.
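
The import decision described above, set beside a strict alternative, as an added example (not from the article or from Gillon's proof of concept): it models the lenient "any file with a bracket" rule and a declared-type check, then lists which responses only the lenient rule would hand to a page on another site. The function names, the strict policy and the sample hosts and responses are assumptions constructed for illustration.

```javascript
// Added illustration; models the import decision, not IE's real code.
// Hosts, paths and response bodies are constructed sample data.

// Lenient rule as the article describes it: any file containing a
// bracket is taken as a style sheet, whatever type the server declared.
function lenientAccepts(resp) {
  return resp.body.includes("{");
}

// Strict rule (assumed policy for this sketch): a sheet fetched from
// another origin must be declared text/css, and nosniff forces that
// check even for same-origin loads.
function strictAccepts(resp, sameOrigin) {
  const h = resp.headers;
  const type = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  const nosniff =
    (h["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  if (type === "text/css") return true;
  return sameOrigin && !nosniff;
}

// Responses a foreign page could read under the lenient rule but not
// under the strict one: the content a service owner should review.
function exposedCrossOrigin(responses) {
  return responses
    .filter((r) => lenientAccepts(r) && !strictAccepts(r, false))
    .map((r) => r.url);
}

const samples = [
  { url: "http://127.0.0.1:8080/search?q=example", // constructed local search UI
    headers: { "content-type": "text/html; charset=utf-8" },
    body: "<html><style>b{color:red}</style>private result text</html>" },
  { url: "https://app.example/api/profile",
    headers: { "content-type": "application/json",
               "x-content-type-options": "nosniff" },
    body: '{"email":"user@example.test"}' },
  { url: "https://cdn.example/site.css",
    headers: { "content-type": "text/css" },
    body: "body{margin:0}" },
  { url: "https://app.example/robots.txt",
    headers: { "content-type": "text/plain" },
    body: "User-agent: *" },
];

console.log(exposedCrossOrigin(samples));
```

The two URLs it reports are the HTML and JSON responses: both contain a bracket, neither is declared as `text/css`, so only the lenient rule would treat them as importable style sheets.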

Add a Comment (53 Comments)

By raj_amal78@hotmail.com

edited Jan 11, 2008 - 1:43 AM

My application is working fine in IE7 and Firefox, but in IE6 the application is screwing up (but not on all systems). The code is the same on all systems. We can't find the solution to this. If anyone knows the solution, please mail me. This is my mail ID: raj_amal78@hotmail.com

Score: 0

By cunt

edited Dec 4, 2005 - 9:18 AM

This is the web for you. Better off playing a game... or spend your money on a few porn mags. He he he.

Score: 0

By paulm

posted Dec 3, 2005 - 7:27 PM

Just another excuse to bash MS.
I don't use GD, and don't intend to.

Score: 0

By mjm01010101

posted Dec 3, 2005 - 9:43 PM

People should just close their eyes, ears, and minds when these sec vulns are discovered. We'd all be better off.

Score: 0

By wincement

posted Dec 4, 2005 - 12:45 AM

Ignore it and hope it goes away?

Score: 0

By lookwhatifound

edited Dec 3, 2005 - 5:39 AM

We haven't heard from Google about this yet, have we?

Score: 0

By dfish

posted Dec 2, 2005 - 8:36 PM

Another IE flaw. Gee, how unusual.

Check out www.iwantnetware.com, in the "MS (In)Security" section for other MS issues / flaws / exploits.

For the record, I use Firefox, now version 1.5.

Score: 0

By school1012

posted Dec 2, 2005 - 9:09 PM

It still has the same damn flaw (security problem) I reported to them over 4 months ago. I can get full access to a system with this problem. But unlike others, I will not disclose this problem to anyone except Firefox. Never liked Google anyway.

Score: 0

By dfish

posted Dec 3, 2005 - 12:08 AM

4 months ago? Interesting.

What's the beef with Google? To me, they're just another search engine, like how AltaVista used to be.

Of course, they're a bit bigger than AltaVista, but oh well. ;)

Score: 0

By Kramy

edited Dec 3, 2005 - 1:19 AM

Google Desktop Search broadcasts on localhost and displays results in a webpage...or something.

Naturally, any IE bug is a Google Desktop Bug, unless you run it out of FireFox.

Edit: Or Opera.

Score: 0

By dfish

posted Dec 3, 2005 - 12:45 PM

Oh - I didn't know. I don't use the Google Desktop.

I just right-click and Search from there. Quite frankly, I haven't seen a need for it.

Score: 0

By crashoverride

posted Dec 2, 2005 - 8:17 PM

Hmm, another flaw....I really didn't see that one coming.

Score: 0

By marlin1111

posted Dec 2, 2005 - 7:51 PM

It can't be Google's fault; nothing is ever Google's fault. Man, I am so sick of Google.

Score: 0

By eunichman

posted Dec 3, 2005 - 8:06 AM

Did you read the full article? ANY site could do the same thing; it is a flaw in how IE handles importing cascading stylesheets. Google was named most likely because it was such a major site, often visited, and as such was the first site to elicit such a response.
The way the article reads, you could code in a web site ANYWHERE and as long as it had brackets in the page code for the CSS, then the IE flaw allowed someone access to private info.

Score: 0

By dfish

posted Dec 4, 2005 - 12:32 AM

But how could that be? Microsoft adheres to the most stringent Open Standards!

Surely you don't imply that Microsoft makes their own rules that are in conflict with how the rest of Planet Earth uses the internet, are you? ;)

Score: 0

By John_Bedin

posted Dec 2, 2005 - 5:02 PM

Not satisfied with screwing up its own software, Microsoft is now, intentionally, screwing up Google.

Score: 0

By JacenSolo

posted Dec 5, 2005 - 1:33 AM

Microsoft is not screwing up Google, though I would back them if they did.

Internet Explorer is vulnerable to this problem, if you use GD or not. It's got nothing to do with Microsoft screwing up Google.

If I read what I've read about GD correctly, then its search features (like a lot of internet software's features) are powered by IE, regardless of if you use Opera, Firefox, or Lynx.

I've tried it before, and it places a toolbar on the taskbar. If you search from that, IE pops up a small window to show you the results.

Score: 0

By wincement

posted Dec 2, 2005 - 5:19 PM

...and my comments are frivolous.

Score: 0

By PC_Tool

posted Dec 2, 2005 - 5:07 PM

This flaw has likely been there for many years.

I *highly* doubt it was intentional.

Score: 0

By wincement

posted Dec 2, 2005 - 3:49 PM

"The exploit affects IE6 on Windows XP SP2 with all patches installed."

Good thing I'm using IE7/FF.

Score: 0

By John_Bedin

posted Dec 2, 2005 - 5:04 PM

wincement, stop posting frivolous commentaries. You bore us.

Score: 0

By JacenSolo

posted Dec 3, 2005 - 7:38 AM

YOU bore wincemeat

Score: 0

By wincement

posted Dec 2, 2005 - 5:19 PM

Objective: complete.

Score: 0

By fewt

posted Dec 2, 2005 - 5:56 PM

heh

Score: 0

By PC_Tool

posted Dec 2, 2005 - 5:08 PM

"you bore us."

Wow...you know each and every one of us that well, do you?

Score: 0

By PC_Tool

posted Dec 2, 2005 - 4:46 PM

But since IE7 isn't released yet, it wasn't on their testbed, and likely still has the flaw. :)

Just so ya know....and using FF doesn't affect it...it's Google Desktop, which utilizes the IE engine.

Score: 0

By Squire72

posted Dec 2, 2005 - 5:38 PM

Does it really?

When I launched it, it opened a FF window... I'm pretty sure Google Desktop runs browser independent. Just so happens that IE's CSS handling exposes Google Desktop - you have to be browsing with IE for the flaw to be exposed.

Score: 0

By wincement

edited Dec 2, 2005 - 4:50 PM

I dunno, IE7 has a lot of issues handling externally linked files right now. I've been running into all sorts of problems with external Javascript. I doubt IE7 can even import the CSS properly for the exploit to be possible. =p

"Just so ya know....and using FF doesn't affect it...it's Google Desktop, which utilizes the IE engine."

Yeah, I forgot that. Oops... Now I sound like a FF fanboy. Dangit.

Score: 0

By gawd21

posted Dec 2, 2005 - 2:36 PM

"After the discovery of an unpatched flaw in the ubiquitous Web browser and code to exploit it prompted Microsoft to issue a public advisory, a new vulnerability has been found that puts users of Google Desktop at risk -- even if they are running a fully patched system."

How is that IE's fault? It doesn't work without Google installed, ergo, it's on Google. IMO

Score: 0

By Paradise-FH-

posted Dec 2, 2005 - 2:41 PM

Google is just one big public instance.

"The vulnerability could extend beyond Google Desktop Search, however, to any service or application that relies on cross-domain security policies within Internet Explorer."

Read the articles more carefully:

"the security hole involves a problem with the way IE imports cascading style sheets (CSS) from other Web sites, a technique referred to as cross site scripting (XSS). IE will import any type of file with a bracket, regardless of whether or not it's valid CSS."

Score: 0

By gawd21

edited Dec 2, 2005 - 3:02 PM

OK, I still see it as Google's problem; they are the ones that are using IE and they should fix their software to run as a standalone. Yes, MS should fix the "whole"* and the hole, but so should Google.

*EDIT: That was spelled like that for a reason.

Score: 0

By fewt

posted Dec 2, 2005 - 5:26 PM

Honestly they should use a core that's multiplatform compatible.

They use Linux all over the place, I'm really very surprised they haven't built any Linux application compatibility into their desktop apps.

Score: 0

By gawd21

posted Dec 2, 2005 - 5:33 PM

That is partly my point. I just feel that companies should stop relying on IE all of the time. They should make their own core or just learn to write better. As I have said already MS should fix the bug, but Google should stop trying to steal others' employees and worry more about writing good code.

Score: 0

By eunichman

posted Dec 3, 2005 - 8:11 AM

Google is following the rather successful Microsoft model of business... beg, borrow and steal :) Can't blame them for emulating a VERY lucrative business model, no matter that the side effects of that model are substandard code...

If MS did it so can anyone else IMO

Score: 0

By trankin

edited Dec 2, 2005 - 9:35 PM

"but Google should stop trying to steal others' employees and worry more about writing good code."

Really, I just thought you were misinformed at first because you seem to be under the impression that Google Desktop uses IE in some way, which it doesn't. Google Desktop provides its own web serving engine that you can access with IE or FF or other browsers. The problem is that IE exposes the content in the Google Desktop "server", just as it would expose the content of other servers you could force it to load. Anyway, when I read this last comment it was just too weird. Google not writing good code and stealing employees.... seriously.. WTH.

Score: 0

By gawd21

posted Dec 2, 2005 - 11:01 PM

You must be a shut-in. Really. Google has tried to take several employees from other companies for a while now. It's been all over the news. And yes, Google does NEED IE to be installed to work. Check it out.

Score: 0

By trankin

posted Dec 3, 2005 - 9:04 PM

Believe me, I'm familiar with the history behind Google taking Microsoft employees; what I am misunderstanding here is exactly what that has to do with the security flaw in Internet Explorer. My response was to indicate how extremely off topic it is. And I do not see anywhere that Google has IE as a requirement.

6. What are the system requirements for running Google Desktop?

Google Desktop is currently available for Windows XP and Windows 2000 Service Pack 3 and above. To install it on an office machine, you should have administrator privileges (home users shouldn't have this problem). It requires 500MB of available space on your hard disk, and we recommend a minimum of 256MB of RAM and a 400MHz Pentium processor.

While I have not tried to install it without IE being installed, I don't see any reason that it would be required.

Score: 0

By PC_Tool

edited Dec 2, 2005 - 4:50 PM

????

"a problem with the way IE imports cascading style sheets"

This is a Google problem because they expect the Operating System's CSS engine to work properly?

God forbid...

Score: 0

By wincement

posted Dec 2, 2005 - 5:20 PM

LOL

I'd have to agree. Google is in no way at fault IMO.

Score: 0

By jsc315

posted Dec 2, 2005 - 2:20 PM

What a surprise IE not doing well.

Score: 0

By bourgeoisdude

posted Dec 2, 2005 - 1:56 PM

LOL, don't use Google Desktop then :) No really--Nate, the statement "Internet Explorer is not having a good week." is your opinion on the matter. Why can't BetaNews be just that--NEWS? Put your opinions down here with the rest of us!

Score: 0

By drumcat

posted Dec 2, 2005 - 4:55 PM

Hear, hear. Nate - I can appreciate a little journalistic opinion, but you'd be better off reporting the news, and dropping an editorial separately.

Score: 0

By wincement

posted Dec 2, 2005 - 5:21 PM

Bah.

Nate: I'm not going to tell you how to do your job.

The articles are interesting.

The end.

Score: 0

By bourgeoisdude

posted Dec 2, 2005 - 5:51 PM

Yeah--you're right. Just had a 'brain fart' moment and the idiot that I am I decided that was a great time to make a post on betanews (good thing I don't write the articles!)

Score: 0

By wincement

posted Dec 2, 2005 - 3:48 PM

Well... I dunno.

Would anyone really look at this week and say IE IS having a good week?

Score: 0

By rijp

posted Dec 2, 2005 - 1:31 PM

Google is EVIL anyway... And the Google Desktop Search sucks anyway; Yahoo and Copernic are better.

Score: 0

By fewt

posted Dec 2, 2005 - 8:40 PM

How are they evil? List a few ways.

How is Yahoo's search better than Google's? Metacrawler searches tell me that Google is better. Do you have any evidence otherwise? Let's see it.

Score: 0

By RADicalSatDude

edited Dec 3, 2005 - 10:14 AM

Well there aren't that many backend search technology providers, these search engine charts explain a lot:

I Help You Search engine partnership chart
http://www.ihelpyou.com/search-engine-chart.html

Bruce Clay Search engine relationship chart
http://www.bruceclay.com...nerelationshipchart.htm

I use both via Twingine (http://twingine.com/). If you really want a side-by-side comparison, check it out.

To see differences between Yahoo!, Google & MSN, it's http://yagoohoogle.jp/?l=e.

Last one that takes the three best results from Yahoo!, Google, Ask Jeeves, and MSN is http://jux2.com/

Score: 0

By ZenWarrior

posted Dec 2, 2005 - 1:31 PM

Funny, but the *only* security breach I've ever experienced, in 20+ years, was while using...FireFox!

Score: 0

By zenarcher

edited Dec 2, 2005 - 5:52 PM

Just for the sake of clarity, that is not a comment of zenarcher. Don't want any confusion there.:)

Score: 0

By Squire72

edited Dec 2, 2005 - 5:41 PM

wow... you were using Firefox and IE 20+ years ago?

This is most likely because IE's vulnerabilities are well disguised, so you don't have to notice the evil hackers messing up your computer - they just steal your information, and leave you none the wiser.

Score: 0

By bourgeoisdude

edited Dec 2, 2005 - 6:54 PM

"wow... you were using Firefox and IE 20+ years ago?"

Umm...did you read his post? He said the only security vulnerability in 20+ years was from FF; he wasn't even saying necessarily that he used any web browser that long ago.

Score: 0

By fewt

posted Dec 2, 2005 - 2:15 PM

Which one?

Score: 0