Google has fixed a serious vulnerability in its popular Google Desktop software that could allow remote attackers to access confidential data and gain full control over affected PCs.
Google Desktop, which extends Google's Web search and indexing functions to local PC hard drives, is susceptible to a cross-site scripting attack (XSS) because of its failure to properly encode output data, according to researchers at security vendor Watchfire, which discovered the flaw in January.
Google mixes search results from a local desktop search with those from an online search, and the mixing of data creates the XSS vulnerability, said Mike Weider, CTO of Watchfire, Waltham, Mass.
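The defect the article describes is an output-encoding failure: text from web results is placed into the local search page without being encoded. The following is an added illustration, not Google's or Watchfire's code; it merges a constructed local hit list with a constructed remote hit list and contrasts a renderer that concatenates titles raw with one that entity-encodes every untrusted field.

```javascript
// Added example (not Google Desktop's code): an illustrative results renderer
// that merges local index hits with remote web results into one HTML page,
// which is the mixing the article says created the XSS exposure.

// Minimal HTML entity encoding for text placed into element content or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample data: one local hit, and one remote hit whose title
// carries a harmless marker script, standing in for an attacker-supplied title.
const localResults = [{ source: "local", title: "budget.xls" }];
const remoteResults = [{ source: "web", title: "<script>alert(1)</script>" }];

// Vulnerable form: fields are concatenated straight into markup, so a remote
// result's title becomes live HTML inside the local search page.
function renderUnsafe(results) {
  return results.map(r => `<li class="${r.source}">${r.title}</li>`).join("");
}

// Hardened form: every untrusted field is entity-encoded at output time, so
// the same title renders as visible text rather than as a script element.
function renderSafe(results) {
  return results
    .map(r => `<li class="${escapeHtml(r.source)}">${escapeHtml(r.title)}</li>`)
    .join("");
}

// Merge local hits first, then web hits, in one document, using the supplied
// renderer so the two forms can be compared on identical input.
function renderMerged(local, remote, render) {
  return "<ul>" + render(local.concat(remote)) + "</ul>";
}

// Reviewer check: did any script tag survive into the rendered markup?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}
```

Running both renderers over the same merged input shows the unsafe output still contains a live `<script` tag while the encoded output does not.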
"The connection between online and offline search results creates windows of attack that wouldn't otherwise exist," Weider said. Current malware detection applications don't look for such a vulnerability, he added.
Google issued a fix for the vulnerability soon after being notified by Watchfire, and users are being automatically updated with the patch, according to a Google spokesperson.
To exploit the flaw, hackers would have to trick a user into clicking on a specially crafted link in an e-mail or on a Web site, or they could infect RSS feeds with links that have an XSS payload embedded, Weider said.
After clicking the rigged link, the user's PC instantly would be infected by malicious code, allowing an attacker to access everything on the hard drive that Google indexes or even take control over the machine, Weider added.
Although Google has fixed this XSS vulnerability, the fact that the online and offline connection with Google Desktop still exists means that the software could still be vulnerable, according to Weider.
"To be totally safe, there should be an option to not mix online and offline search results," Weider said.
Google has added a layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future, the Google spokesperson said, adding that there have been no reports that the flaw has been exploited. Users are advised to make sure they're running the latest version of Google Desktop.