Google Desktop Search Bug Fixed

Dan Wallach, an assistant professor of computer science at Houston's Rice University, discovered the vulnerability with the help of two graduate students, Seth Fogarty and Seth Nielson. Wallach characterized the flaw as "serious," and said in an online advisory posted to the Computer Security Lab's Web site that an attacker would be able to read small pieces of files indexed by Google Desktop Search.

"If you had a file with a list of passwords, for example, an attacker might be able to read some of those passwords," said Wallach in the advisory.

The hacker, said Wallach, would most likely have to entice users to a Web site that hosted a malicious Java applet, but other scenarios -- including unsecured Wi-Fi connections, such as those in public hotspots -- might let the attacker inject the exploit into any Web page.

Google isn't the only search site that's pushing into desktop search. While it beat rivals to market by releasing the free-of-charge Desktop Search in mid-October, Microsoft, Yahoo, and Ask Jeeves recently released preview versions of similar tools or announced that they would debut tools shortly.

Wallach and his two graduate students believe that only Google is vulnerable to this bug, since it's the only one so far to actually integrate Web and local search results.

Google, which was told in November of the goof, has updated the tool and begun rolling out a new version via its automatic update feature. Users can check the "About" item in Desktop Search to determine if they have the protected edition: if the version number is 121004 (for December 10, 2004) or newer, the user's safe from the bug.

A more technical explanation of the Desktop Search problem can be found here in PDF format.