Google forced to patch Google Desktop against remote attack


Antony Savvas

Google has been forced to patch three flaws in its Google Desktop search service after it was discovered the software was open to remote attack.

Google was informed of the security flaw by security software firm Watchfire at the turn of the year.

The search giant asked Watchfire to hold off from publicising the threat until it was able to patch the Google Desktop system, which allows users to search for local files and documents on their PCs.

Watchfire said the flaws were a result of the close integration between Google Desktop and the website, and Google Desktop's failure to properly encode output containing malicious or unexpected characters.

“These flaws take advantage of web application vulnerabilities and the increasing power of the web browser. Unlike traditional computer penetration attacks, there is no need for binary code to be injected,” said Watchfire.

Watchfire added, “The threat, which uses malicious JavaScript, emphasises the danger of the integration between desktop applications and web-based applications, as this opens an aperture for a malicious attacker to escalate his/her privileges by crossing from the web environment to the desktop application environment.”

Google has no plans to restrict Google Desktop’s close integration with the web.

Related article: A white paper on the flaws is available on the Watchfire website
