Slashdot Mirror


IE Flaw Utilizes Google Desktop Search

abscondment writes "An error in the way Internet Explorer parses CSS files has been discovered by Matan Gillon of Israel. The flaw can be exploited by any website, and used to access personal information via Google's Desktop Search program. Of course, Google contends that this is a flaw with IE, and not their search software."

12 of 165 comments

  1. Hm.. Evil Empire vs Company making great products by altoz · · Score: 5, Insightful

    Which do I believe?....

  2. Re:Nice submission troll by _Sharp'r_ · · Score: 4, Insightful

    The only connection to Google in this vulnerability is that the exploit allows access to local files that a web site isn't supposed to have access to and Google stores local files on the user's computer that can then be accessed.

    The Google thing was a proof of concept (with a pretty page for showing it to people who use Google Desktop), not any particular relationship to the vulnerability.

    But I guess if you mention Google, it gets more attention? The summary could have just as easily said "vulnerability allows access to user's Hotmail email!!!!!!!!", which would be just as true, assuming the user is storing a cookie for easier access to hotmail.com.

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.

  3. FF promotion article ? by Chaffar · · Score: 2, Insightful

    Gillon said other browsers, such as Firefox, are sufficiently locked down that the hack doesn't work on them.

    [...]However, given the danger presented by this and other recent discoveries of IE security holes, I would strongly recommend that IE users consider downloading and using another browser, like Firefox, Opera or Netscape.

    Go Brian Krebs !!!

    On a more serious note, it's nice to see somebody post an article clearly promoting [generic non-IE browser], but IMHO security shouldn't be the only reason why FF is chosen over IE. If it turns out that FF is safer "only" because it isn't targeted by hackers/phishers/terrorists, then everything falls apart. We shouldn't lose sight of the initial raison d'être of FF, which is to be an open-source browser, not a "more secure" browser (which is an added side benefit).

  4. Re:Customer Perceptions May be Different by Utopia · · Score: 2, Insightful

    Looks like the issue here is that IE tries to clean up any bad HTML code.
    In a way this is good because IE can render a page properly even if it has unclosed tags or, as in this case, incorrectly rendered CSS braces.
    On the other hand, this has led to web designers getting away with crappy HTML pages.

    In this case, it looks like Google is properly sanitizing the URL parameters on all their sites except news.google.com.
    This is a classic cross-site scripting attack.
    In my opinion, Google should fix the news.google implementation rather than passing on the blame and exposing their customers to risk.

  5. Re:Hm.. Evil Empire vs Company making great produc by zootm · · Score: 4, Insightful

    Well, the idea is that once they're "in" the system, they can basically do what the hell they like. Desktop Search is just a convenient index of data that is used by a large number of people — the only flaw pertaining to Google's product here is that it's good at its job.

  6. Re:Just fix it. by rm69990 · · Score: 3, Insightful

    God, would you people RTFA!!! It is a problem with IE, not with Google Desktop. Google Desktop does not integrate with IE, it uses the default browser on your system. When I double click on Google Desktop, Firefox opens for me.

    Also, Google Desktop was given as an EXAMPLE, the flaw can be used elsewhere.

    Of course, sitting around and pretending you know what you are talking about is easier, isn't it?

  7. Not Google's fault, or is it? by vagabond_gr · · Score: 4, Insightful

    The answer is not so simple. Sit down for a second and think.

    The flaw allows a malicious web page to open a window with a different web page and read information from there. So a script in 'www.badguy.com' can read data from 'www.goodguy.com'. Now how bad is it up to here? Pretty bad, but not catastrophic. badguy.com could open, say, mail.yahoo.com, and provided you have a Yahoo mail account and you log in, it could read some of your mails. Is there a chance of reading private info? Yes. Is there a chance of reading a file on your disk? NO! badguy.com can't read a file on your disk using Yahoo mail. And given the fact that really critical data are stored on the local disk, not webmail accounts, the danger is limited.

    Now imagine there exists a web site containing all your private local files! This is exactly what Google Desktop Search is! GDS creates a local web server at port 4664, bound only to 127.0.0.1 to avoid remote access. It is a web site accessible only from your PC and Google takes a lot of measures to ensure that. But the script at badguy.com runs on your PC, and using the exploit it can access this personal web site. Now how bad is the situation? Catastrophic. All indexed data, pretty much your whole hard disk, are accessible to badguy.com.

    Of course this wouldn't happen if there was no IE flaw. But who put all your data at a (local) web server? Google Desktop Search. IMHO, the problem is once again the tight integration of a browser to the rest of the system. If Google used a custom client to query the local index instead of the browser this wouldn't happen. It would require a flaw that allows remote code execution and these flaws are more rare and more difficult to exploit (ok, in case of MSIE it's everyday routine, I agree). This exploit is a piece of cake, because local data are promptly served by GDS.

    Just to make things clear, I don't really blame Google for this. But to achieve good security you need good software design and integrating a browser with everything is not a good idea. Google made a decision on that so it has some responsibility.

    And then public opinion is a totally different subject. I totally understand someone who loses their credit card number and blames Google for indexing this number and making it accessible to badguy.com. If Amazon stores your credit card number in an Oracle database and the number gets stolen because of an Oracle flaw, will you blame Oracle or Amazon?

  8. Re:The bug is in Google's software by Cyno · · Score: 2, Insightful

    I'd feel more comfortable using Apple's software than Google's, now that I think about it. Google seemed like a good company, but they didn't fully embrace Linux and *nix. I think that was a mistake. What it means is I don't have any loyalty to them whatsoever, as far as I'm concerned they are sellouts just the same as Microsoft and Apple. But at least Apple is selling out to style, attitude, open source, etc. Instead of just for the money.

    I hope Google comes around, but I won't count on it.

  9. Re:Hm.. Evil Empire vs Company making great produc by Rakshasa+Taisab · · Score: 2, Insightful

    By using the process of elimination, we know that Microsoft can't be the "Company making great products" so they must be the "Evil Empire".

    --
    - These characters were randomly selected.

  10. Re:Hm.. Evil Empire vs Company making great produc by Baricom · · Score: 1, Insightful

    Google has done nothing so far to earn our distrust.

    They have begun to scan several thousand books cover to cover, without the permission of the author or the publisher, and arguably in violation of copyright law.

    That's enough for me to be wary of trusting them. Granted, their record is better than Microsoft's, but it still leaves something to be desired.

  11. Re:Hm.. Evil Empire vs Company making great produc by urutora90 · · Score: 2, Insightful

    I wonder how you can completely ignore the fact that Google is supporting censorship in China. Yes, they are a company so seeking profits, but since the IPO, the "6. You can make money without doing evil." might have changed a *little* bit.

  12. Re:Known, unfixed flaw... by JonJ · · Score: 2, Insightful

    Can't blame a guy for getting lost in the endless list of IE flaws ;-)

    --
    -- Linux user #369862