- Protecting yourself from a new online scam
- Diary of a deliberately spammed housewife
- Silly Internet traditions: A concise history
- How to avoid laptop loss at the airport
- Top 10 worst uses for Windows
News | Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Google has fixed a security flaw in the company’s desktop search product that could have let hackers take control of a personal computer, but the security company that discovered the flaw says the design of the Google application could lead to similar threats in the future.
Google Desktop is a free application that searches a computer for e-mails, Web history and various files. Watchfire, a company that provides security analysis software, notified Google last month that the desktop application was vulnerable to a cross-site scripting attack, which places malicious code on a user’s computer.
A computer running Google Desktop could have been exploited if a user clicked on an infected e-mail file or a Web site or RSS feed loaded with the attack, says Mike Weider, CTO of Watchfire.
The flaw was serious because it could have allowed hackers to access all the personal documents on a computer.
“I would definitely say by a large margin this is the most serious flaw we’ve discovered with Google or maybe any other Web application,” Weider says.
Google fixed the error by early February, he says.
Google says there have been no reports of the vulnerability being exploited. It developed a patch to fix the security flaw and says each user’s version of Google Desktop is being updated automatically.
“Google claims it happens automatically. It didn’t for me and other people at Watchfire when we tried it,” Weider says. “It definitely seems as though there are cases where it doesn’t automatically update.”
In a statement to media, Google says, “We have [added] another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future. We have received no reports that this vulnerability was exploited. However, users should make sure they are running the latest version of Google Desktop by going to [here] and downloading the latest version and installing it.”
Weider says users could be made vulnerable again in the event another cross-site scripting method of attack is identified, because there is a connection between the Google Web site and desktop application.
According to Weider, Google could prevent these vulnerabilities in the future by giving users the ability to disconnect the desktop application from the Google Web site.
The Diane's of the industry should be acknowledged for their understanding of why products fail when...- Anon
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Comment