News

Google forced to patch Google Desktop against remote attack

Google has been forced to patch three flaws in its Google Desktop search service after it was discovered the software was open to remote attack.

Google was informed of the security flaw by security software firm Watchfire at the turn of the year.

The search giant asked Watchfire to hold off from publicising the threat until it was able to patch the Google Desktop system, which allows users to search for local files and documents on their PCs.

Watchfire said the flaws were a result of the close integration between Google Desktop and the Google.com website, and Google Desktop's failure to properly encode output containing malicious or unexpected characters.

“These flaws take advantage of web application vulnerabilities and the increasing power of the web browser. Unlike traditional computer penetration attacks, there is no need for binary code to be injected,” said Watchfire.

Watchfire added, “The threat, which uses malicious javascript, emphasises the danger of the integration between desktop applications and web-based applications, as this opens an aperture for a malicious attacker to escalate his/her privileges by crossing from the web environment to the desktop application environment.”

Google has no plans to restrict Google Desktop’s close integration with the web.

Related article: A white paper on the flaws is available on the Watchfire website

Related article: Google and Vodafone team up on mobile maps

Comment on this article: computer.weekly@rbi.co.uk

David Lacey’s security blog
The latest ideas, best practices, and business issues associated with managing security

Stuart King’s risk management blog
Dealing with the operational challenges of information security and risk management


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy