IE Flaw Utilizes Google Desktop Search
abscondment writes "An error in the way Internet Explorer parses CSS files has been discovered by Matan Gillon of Israel. The flaw can be exploited by any website, and used to access personal information via Google's Desktop Search program. Of course, Google contends that this is a flaw with IE, and not their search software."
I can see how the Slashbot must suffer over this - it's Google, but it's a security vulnerability, but it's Microsoft, so it's OK, but it's still Google, so what do we do? Laugh, cry, sell stock?
According to the ZDNet article Firefox and Opera aren't affected - so it really is Microsoft's problem, and independent of Google.
Of course, Google contends that this is a flaw with IE, and not their search software.
And why shouldn't they?
I've read TFA, according to the article it's a design flaw in IE. No one seems to be blaming Google anyway?
(Well at least not yet.)
Before everyone goes posting about MS vs Google rubbish, please RTFA. This has very little to do with Google.
"This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration," Microsoft said in the statement.
In other words, this flaw is just loading files from Google Desktop's internal http server. It could load the internal http server of hundreds of different programs (particularly administration tools).
Yeah. Consider the 3rd party MacOS X Dashboard Widgets that mimic Google Desktop features. Hell of a lot safer using Google services that way than via IE and Google Desktop.
The Luddites were ahead of their time.
Ok, so the FA is a bit long, so here you have a three sentence summary:
The Google Desktop was only cited as an example. But basically any protected web page could have been targeted (a webmail site such as Hotmail, any other password-protected page, intranet server not accessible from outside,
This is the type of scenario we kept in mind when we decided to ban the use of the tool on our corporate PCs. It would have been nice if (at least at that time) Google had provided more than just a slight clue as to how to easily block the installation.
Of course, it didn't take too long and isn't incredibly tamper-proof, but it's kept the average user from really sitting down to find a way to get it installed.
This is a simple registry file that we run as part of the setup. Like I said, not too high-tech, but so far no one's spent enough time to figure out how to install it. All it does is block the filenames specified from executing. Anyhow, here's the reg code:
-start-
Windows Registry Editor Version 5.00

; Enable the DisallowRun policy for the current user
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"disallowrun"=dword:00000001

; Executable file names the policy refuses to start
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\disallowrun]
"1"="GoogleDesktop.exe"
"2"="GoogleDesktopSearchSetup.exe"
"3"="Troubleshoot Network.exe"
"4"="GoogleDesktopIndex.exe"
-end-
Save everything between the start and end notations to a text file, rename it to whatever_you_want.reg. There you go. It's been tested on Win2k and XP.
Don't sue my ass for this. You're assuming the risk. In a perfect world corporate employees wouldn't have administrative rights, but the world isn't perfect.
it uses the default browser app not necessarily IE. :-)
my desktop search opens up in firefox
How about this link instead. It has been a while since that affair. Some of the younger viewers might not remember. (And older ones forgotten about it.)
.. paranoid crackpot leftover from the days of Amiga.
Didn't read the article, did you? Just spouting the same talking points over and over again. Microsoft didn't write the web application involved here (Google did), nor does the exploit have anything at all to do with Microsoft's use of IE for other purposes.
Now after reading the article, you'll see the issue being exploited involves the fact that css files are designed (by *all* major browsers) to be the one exception to the cross-domain rule, meaning that a page on site A can get the contents of a css file located on site B.
However IE can be exploited so that any file is seen as a CSS file, just a very badly formatted one. Of course there are big limitations - namely that only valid css "data" from site B can be read by site A, so anything not formatted in name{stuff}; is invisible to site A.
This particular hack takes advantage of the fact that a person with Google Desktop installed will send a special cookie when they request most pages from Google. That cookie will cause a "desktop" link to be sent back to them somewhere on the page. This desktop link contains a secret password. As soon as you know that password, you basically have full access to that person's computer through Google Desktop URIs, regardless of what browser (as long as that browser supports JavaScript, which IE, Firefox and Opera obviously do). In simple terms, if you gave a site this password that Google sends to you, they'd have full access (this misfeature of Google Desktop also creates a big proxy server/man in the middle attack vector against a person's PC, regardless of what browser they use).
The attack vector to obtain the password in this case is the IE css bug. A specific page on Google, Google News, puts the desktop link in such a place that if you provide a specific search query, it will end up making a section of the page around the special desktop link look like a valid css value. Because of this, site A can read the data inside that value, including the Google password. Once it has the password from that random junk of "css data", it can start accessing Google Desktop at will.
Oh well. I hope Microsoft is paying you good money to make OSS proponents look like idiots by spouting this kind of completely uninformed bs. The sea of white noise helps to hide any real, intelligent points brought up against Microsoft or its products.
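An added example, not part of the thread and not the researcher's or Google's code: a check a site owner could run over a response body to see whether a secret would fall inside a brace-delimited span, the name{stuff} shape the comment above says is the only part readable cross-domain. The brace-matching model, `render_page`, the token and the `desktop.example` URL are assumptions constructed for illustration.

```python
def css_visible_blocks(body: str) -> list[str]:
    """Text inside each top-level {...} span, found by brace matching.

    Simplified model (an assumption, not IE's real parser): everything
    outside braces is treated as selector noise, and a block still open
    at end of input is treated as closed there.
    """
    blocks, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "{":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                blocks.append(body[start:i])
    if depth > 0:
        blocks.append(body[start:])
    return blocks


def exposed_secrets(body: str, secrets: list[str]) -> list[str]:
    """Secrets that a lenient name{stuff} parse of the body would surface."""
    blocks = css_visible_blocks(body)
    return [s for s in secrets if any(s in b for b in blocks)]


def render_page(query: str, token: str, escape_braces: bool = False) -> str:
    """Constructed page that reflects a query just before a secret-bearing link."""
    if escape_braces:
        # Encode braces in reflected text so it cannot open or close a block.
        query = query.replace("{", "&#123;").replace("}", "&#125;")
    return (
        f"<p>Results for {query}</p>\n"
        f'<a href="http://desktop.example/?s={token}">Desktop</a>\n'
        "<script>function f(){ return 1; }</script>\n"
    )


TOKEN = "CONSTRUCTED-TOKEN-123"  # constructed sample value, not a real secret

if __name__ == "__main__":
    for q, esc in [("news", False), ("a{", False), ("a{", True)]:
        print(repr(q), esc, exposed_secrets(render_page(q, TOKEN, esc), [TOKEN]))
```

The check reports the token only when reflected text opens a block ahead of the link, and stops reporting it once braces in the reflected text are entity-encoded.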
To average people? No, they're not.
Non-geek people I've converted (read: forced) to Firefox don't use tabs. They don't understand the concept, and/or don't think about using it.
Everything else you mentioned is technical stuff, or requires configuration. All minor stuff that won't convince people to install a new browser instead of simply using that blue 'e' that has always been there all along on their desktop, and that before you told them, thought *it* was *the Internet*.