Google Desktop Flaw Disclosed, Fixed

By Ed Oswald | Published February 21, 2007, 12:52 PM

A flaw discovered in Google Desktop Search last year could have opened up users to the risk of having their personal data compromised. However, the issue was fixed within weeks of its discovery.

Google says that it had no evidence the vulnerability was ever exploited. According to a statement by Massachusetts-based Watchfire, the security firm that discovered the flaw, an attacker would be able to gain access to sensitive data, and in some cases full system control.

Watchfire says the problem is due to the way Google Desktop fails to encode output that contains malicious or unexpected characters. The company also said that the issue can be found in about four out of every five Web applications.

"Application security vulnerabilities need to be taken seriously," Watchfire CTO Michael Weider said. "As the potential damage of a Cross Site Scripting attack against a desktop application with a Web interface is enormous, Web application security must be comprehensively evaluated and continually monitored."

Vulnerable PCs could be infected in several ways, including through e-mail attachments. Once in, the attacker could use Google Desktop search itself in order to find and access sensitive data.

Google Desktop automatically updates itself, and the flaw had been repaired as of February 1, according to Watchfire. However, there could be other attempts at cracking data within the application, including one targeting the link that Google places between Web and desktop information.

But the search company denied that any risk was present, as it had taken all steps necessary to remedy the issues brought up by the security firm.

Comments


Firefox2 bookmark cross-domain surfing vulnerability

There is an interesting vulnerability in how Firefox handles bookmarks.
The flaw allows the attacker to steal credentials from commonly used
browser start sites (for Firefox, Google is the seldom changed default;
that means exposure of GMail authentication cookies, etc).

The problem: it is relatively easy to trick a casual user into bookmarking
a window that does not point to any physical location, but rather, is an
inline data: URL scheme. When such a link is later retrieved, Javascript
code placed therein will execute in the context of a currently visited
webpage. The destination page can then continue to load without the user
noticing.

The impact of such a vulnerability isn't devastating, but as mentioned
earlier, any attention-grabbing webpage can exploit this to silently
launch attacks against Google, MSN, AOL credentials, etc. In an unlikely
case the victim is browsing local files or special URLs before following a
poisoned bookmark, system compromise is possible.

Thanks to Piotr Szeptynski for bringing up the subject of bookmarks and
inspiring me to dig into this.

Self-explanatory demo page:
lcamtuf.coredump.cx/ffbook/

Score: 0
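A defender-side check for the bookmark behaviour described in the comment above, added here as an example and not part of the original comment or of Firefox: it scans a bookmark export in the Netscape bookmark-file layout for entries whose target is an inline `data:` or script scheme rather than a location. The sample export, the function names and the scheme list are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Schemes that carry inline content or script instead of naming a location
# (assumed list for this example).
INLINE_SCHEMES = {"data", "javascript", "vbscript"}

# Constructed sample export; titles and URLs are placeholders.
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="https://www.example.com/">Example start page</A>
<DT><A HREF="data:text/html,&lt;script&gt;/* placeholder */&lt;/script&gt;">Cool article</A>
<DT><A HREF="  JavaScript:void(0)">Handy tool</A>
</DL><p>
"""

def bookmark_scheme(url):
    """Return the lowercased scheme, ignoring whitespace browsers strip."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    return cleaned.split(":", 1)[0].lower() if ":" in cleaned else ""

class BookmarkAuditor(HTMLParser):
    """Collects (scheme, title) for bookmarks that use an inline scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._href = None
        self._title = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # html.parser lowercases names and unescapes attribute values.
            self._href = dict(attrs).get("href") or ""
            self._title = []

    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            scheme = bookmark_scheme(self._href)
            if scheme in INLINE_SCHEMES:
                self.findings.append((scheme, "".join(self._title).strip()))
            self._href = None

def audit_bookmarks(export_html):
    auditor = BookmarkAuditor()
    auditor.feed(export_html)
    auditor.close()
    return auditor.findings
```
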

|

It's OK, it's Google, we've got nothing to worry about :) If it were a Microsoft app on the other hand...

Score: 0

|

We dumped this app after we saw severe performance degradation across the board on machines it was installed on. Look, searching shouldn't be that difficult. You build an index, and you try and do it without intruding on performance of the system. Google couldn't do it.

Score: 0

|

same experience here, unfortunately.

Score: 0

|

"However, the issue was fixed within weeks of its discovery". WEEKS being the keyword. A bit scary but not uncommon.

Score: 0

|

Weeks after discovery--so Google has to take extra time to patch since they are used by so many people?

Perhaps Microsoft is 'slower' than some others to fix flaws as well due to the testing to ensure the fixes don't break any version of any antivirus (from any year), any web browser, any anti-spyware, and any program version of any program. A quick and easy Google desktop fix may have broken Norton Antivirus 2004, and while I could give a rat's behind, those who use both Google Desktop and Norton 2004 certainly would get upset (lol yes I know, why gripe when the AV core is 3 years old? Because "Google broke my network" would be all over the web, and Google would be associated as the evil empire by those who currently associate Microsoft with that title).

Point is when you're big and everyone uses your programs, you must be 100% perfect or you will be slammed in forums all over the web. Therefore, spend the extra time testing the patch and take as long as you need in order to prevent a PR catastrophe.

As a side, this is something Mozilla really hasn't had to deal with--yet.

Score: 0

|

When your desktop search app breaks your AV, you have a major issue..

Score: 0

|
