Google has fixed a serious vulnerability in its popular Google Desktop software that could allow remote attackers to access confidential data and gain full control over affected PCs.
Google Desktop, which extends Google's Web search and indexing functions to local PC hard drives, is susceptible to a cross-site scripting (XSS) attack because it fails to properly encode output data, according to researchers at security vendor Watchfire, which discovered the flaw in January.
Google mixes search results from a local desktop search with those from an online search, and the mixing of data creates the XSS vulnerability, said Mike Weider, CTO of Watchfire, Waltham, Mass.
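The encoding failure described above, as an added illustration that is not Google's or Watchfire's code: a toy results page merges a local hit with an online hit whose title carries markup, rendered once without output encoding and once with it. The sample results, the allowed URL schemes and the function names are assumptions made for this example.

```javascript
// Added example, not Google's or Watchfire's code: a toy results page that
// merges local and online search hits, shown in the un-encoded form the
// article describes and in a hardened form that encodes output for HTML.

// Encode the characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Only allow schemes a result link should carry (an assumption for this example);
// anything else, such as a javascript: URL, is replaced with an inert anchor.
function safeHref(url) {
  return /^(https?|file):/i.test(url) ? escapeHtml(url) : '#';
}

// Constructed sample input: one local hit and one online hit whose title
// carries markup, standing in for a rigged result delivered by a link or feed.
const localResults = [{ title: 'budget.xls', url: 'file:///C:/docs/budget.xls' }];
const onlineResults = [{ title: '<script>alert(1)</script>', url: 'javascript:alert(1)' }];

// Vulnerable renderer: untrusted fields are concatenated straight into markup,
// so the online title becomes live script inside the local results page.
function renderVulnerable(local, online) {
  return [...local, ...online]
    .map((r) => `<li><a href="${r.url}">${r.title}</a></li>`)
    .join('');
}

// Hardened renderer: every field is encoded for the context it lands in.
function renderSafe(local, online) {
  return [...local, ...online]
    .map((r) => `<li><a href="${safeHref(r.url)}">${escapeHtml(r.title)}</a></li>`)
    .join('');
}

// Check used by the test below: does the rendered page still contain a live <script> tag?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderVulnerable(localResults, onlineResults));
console.log('hardened:  ', renderSafe(localResults, onlineResults));
```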
"The connection between online and offline search results creates windows of attack that wouldn't otherwise exist," Weider said. Current malware detection applications don't look for such a vulnerability, he added.
Google issued a fix for the vulnerability soon after being notified by Watchfire, and users are being automatically updated with the patch, according to a Google spokesperson.
To exploit the flaw, hackers would have to trick a user into clicking on a specially crafted link in an e-mail or on a Web site, or they could infect RSS feeds with links that have an XSS payload embedded, Weider said.
After clicking the rigged link, the user's PC would instantly be infected by malicious code, allowing an attacker to access everything on the hard drive that Google indexes or even take control of the machine, Weider added.
Although Google has fixed this XSS vulnerability, the fact that the online and offline connection with Google Desktop still exists means that the software could still be vulnerable, according to Weider.
"To be totally safe, there should be an option to not mix online and offline search results," Weider said.
Google has added a layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future, the Google spokesperson said, adding that there have been no reports that the flaw has been exploited. Users are advised to make sure they're running the latest version of Google Desktop.