Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE Flaw Utilizes Google Desktop Search

Posted by Zonk on from the i-knew-that-would-come-back-to-haunt-me dept.

abscondment writes "An error in the way Internet Explorer parses CSS files has been discovered by Matan Gillon of Israel. The flaw can be exploited by any website, and used to access personal information via Google's Desktop Search program. Of course, Google contends that this is a flaw with IE, and not their search software."

2 of 165 comments (clear)

  1. Re:Nice submission troll by Anonymous Coward · · Score: 5, Informative

    an see how the Slashbot must suffer over this - its Google, but its a security vulnerability, but its Microsoft, so its OK, but its still Google, so what do we do? Laugh, cry, sell stock?

    According to the zdnet article Firefox and Opera aren't affected - so it really is Microsoft's problem, and independent of google

  2. Security hole has _nothing_ to do with google! by ArsenneLupin · · Score: 5, Informative
    Folks, RTFA!

    Ok, so the FA is a bit long, so here you have a three sentence summary:

    The exploit allows to read foreign Web pages by abusing a broken security check in the document.stylesheets javascript method.

    The malicious code first loads the page to be snarfed as a CSS into the current document using addImport, and from there into a javascript variable using document.stylesheets. Finally the variable is posted back to the website of the exploiter.

    The google desktop was only cited as an example. But basically any protected web page could have been targetted (a webmail site such as hotmail, any other password-protected page, intranet server not accessible from outside, ...)