Google plugs dangerous flaw

An attacker could exploit a hole in Google Desktop to gain access to users' personal files. Google has released a patch, but experts say not all users are receiving it.

Google Inc. has plugged a dangerous flaw in its desktop search tool that could have exposed users' personal files to an attacker.
It's probably one of most critical Web application vulnerabilities I've seen.
Danny Allan,
director of security researchWatchfire

Google Desktop is used to index documents, email, instant messaging transcripts and archived Web pages. Once items are indexed by the application, users can conduct a search to quickly retrieve files and information.

The flaw, which enables a cross-site scripting attack, was discovered along with two other minor issues, last October by Yair Amit, security senior researcher at Waltham, Mass.-based Watchfire Corp., a security analysis provider. The hole allows an attacker to place malicious code on a user's computer and retrieve files in only a few seconds.

Once a PC is victimized by the cross-site scripting attack, a hacker could use Google Desktop to search the user's machine and take full control of the computer, said Danny Allan, director of security research at Watchfire. Although there has never been an attack documented in the wild, Allan said an attack could be conducted relatively easily after building an exploit system.

Google Desktop Search:
How to tame Google Desktop

Google Desktop gets scarier

Securing the internal Windows network

"It's probably one of most critical Web application vulnerabilities I've seen," Allan said. "Features built into Google allow an attacker to reach a thousand victims in a single search, so the potential outcome is very critical."

Google Desktop versions 5.0.0701.18382 and earlier are affected. Allan said it is unclear whether Google's Enterprise Search Appliance is similarly affected.

Google issued a statement saying it developed a fix several weeks ago after the hole was discovered, and that the flaw was never exploited in the wild. While Google says its automatic update would repair the vulnerability without user intervention, researchers at Watchfire said users should make sure they are using the latest version of the software.

"We've seen the automatic updates not necessarily working on all computers," said Mike Weider, chief technology officer and founder of Watchfire. "Consumers should manually validate that they are running the latest version, and if not, then they should go get it from Google's Web site."



Enjoy the benefits of CW+ membership, learn more and join.

Read more on Operating systems software



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:




  • Dissecting the Hack

    In this excerpt from chapter three of Dissecting the Hack: The V3RB0TEN Network, authors Jayson E. Street, Kristin Sims and Brian...

  • Digital Identity Management

    In this excerpt of Digital Identity Management, authors Maryline Laurent and Samia Bousefrane discuss principles of biometrics ...

  • Becoming a Global Chief Security Executive Officer

    In this excerpt of Becoming a Global Chief Security Executive Officer: A How to Guide for Next Generation Security Leaders, ...