Google plugs dangerous flaw

News Analysis


Robert Westervelt, News Editor
Google Inc. has plugged a dangerous flaw in its desktop search tool that could have exposed users' personal files to an attacker.

Google Desktop is used to index documents, email, instant messaging transcripts and archived Web pages. Once items are indexed by the application, users can conduct a search to quickly retrieve files and information.

The flaw, which enables a cross-site scripting attack, was discovered last October, along with two other minor issues, by Yair Amit, senior security researcher at Waltham, Mass.-based Watchfire Corp., a security analysis provider. The hole allows an attacker to place malicious code on a user's computer and retrieve files in only a few seconds.

Once a PC is victimized by the cross-site scripting attack, a hacker could use Google Desktop to search the user's machine and take full control of the computer, said Danny Allan, director of security research at Watchfire. Although there has never been an attack documented in the wild, Allan said an attack could be conducted relatively easily after building an exploit system.


"It's probably one of the most critical Web application vulnerabilities I've seen," Allan said. "Features built into Google allow an attacker to reach a thousand victims in a single search, so the potential outcome is very critical."

Google Desktop versions 5.0.0701.18382 and earlier are affected. Allan said it is unclear whether Google's Enterprise Search Appliance is similarly affected.

Google issued a statement saying it developed a fix several weeks ago after the hole was discovered, and that the flaw was never exploited in the wild. While Google says its automatic update would repair the vulnerability without user intervention, researchers at Watchfire said users should make sure they are using the latest version of the software.

"We've seen the automatic updates not necessarily working on all computers," said Mike Weider, chief technology officer and founder of Watchfire. "Consumers should manually validate that they are running the latest version, and if not, then they should go get it from Google's Web site."
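Watchfire's advice above is to verify the installed version rather than trust the auto-updater. The following is an added example, not code from the article, Google or Watchfire, showing how an administrator could triage an inventory of machines against the affected range the article states (5.0.0701.18382 and earlier). How the installed version string is collected from each machine is assumed to be handled elsewhere; the inventory below is constructed sample data.

```python
from __future__ import annotations

# Last affected Google Desktop build, as stated in the article.
AFFECTED_MAX = "5.0.0701.18382"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into an integer tuple so it compares numerically.

    A plain string comparison would wrongly rank "5.0.0701.9" above "5.0.0701.18382".
    """
    parts = version.strip().split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError as exc:
        raise ValueError(f"not a dotted numeric version: {version!r}") from exc


def is_affected(installed: str, affected_max: str = AFFECTED_MAX) -> bool:
    """Return True when the installed build is at or below the last affected build."""
    a, b = parse_version(installed), parse_version(affected_max)
    # Pad the shorter tuple with zeros so "5.0" compares like "5.0.0.0".
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def triage_inventory(inventory: dict[str, str | None]) -> dict[str, list[str]]:
    """Sort hosts into buckets: needs update, patched, or version unknown/unparseable.

    `inventory` maps hostname -> reported Google Desktop version string (None if the
    collector could not read one). Unknown hosts are kept separate rather than
    silently treated as patched, so they can be checked by hand.
    """
    result: dict[str, list[str]] = {"update": [], "ok": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        if not version:
            result["unknown"].append(host)
            continue
        try:
            bucket = "update" if is_affected(version) else "ok"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY: dict[str, str | None] = {
    "ws-finance-01": "5.0.0701.18382",   # exactly the last affected build
    "ws-finance-02": "5.0.0701.18383",   # one build later: patched
    "ws-sales-07": "4.2006.1130.0",      # older major version: affected
    "ws-sales-08": "5.0.0702.0",         # later minor: patched
    "ws-lab-03": None,                   # collector could not read a version
    "ws-lab-04": "unknown-build",        # garbage string from the collector
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

The zero-padding in `is_affected` matters because vendors do not always report the same number of version components; without it a short string such as "5.0" would compare differently from "5.0.0.0". Hosts that report no version or an unparseable one are deliberately listed under "unknown" so they are not mistaken for patched machines.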
