Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE Flaw Utilizes Google Desktop Search

Posted by Zonk on from the i-knew-that-would-come-back-to-haunt-me dept.

abscondment writes "An error in the way Internet Explorer parses CSS files has been discovered by Matan Gillon of Israel. The flaw can be exploited by any website, and used to access personal information via Google's Desktop Search program. Of course, Google contends that this is a flaw with IE, and not their search software."

5 of 165 comments (clear)

  1. Hm.. Evil Empire vs Company making great products by altoz · · Score: 5, Insightful

    Which do I believe?....

  2. Re:Nice submission troll by _Sharp'r_ · · Score: 4, Insightful

    The only connection to Google in this vulnerability is that the exploit allows access to local files that a web site isn't supposed to have access to and Google stores local files on the user's computer that can then be accessed.

    The google thing was a proof of concept (with a pretty page for showing it to people who use Google Desktop), not any particular relationship to the vulnerability.

    But I guess if you mention Google, it gets more attention? The summary could have just as easily said "vulnerability allows access to user's Hotmail email!!!!!!!!", which would be just as true, assuming the user is storing a cookie for easier access to hotmail.com.

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  3. Re:Hm.. Evil Empire vs Company making great produc by zootm · · Score: 4, Insightful

    Well, the idea is that once they're "in" the system, they can basically do what the hell they like. Desktop Search is just a convenient index of data that is used by a large number of people — the only flaw pertaining to Google's product here is that it's good at its job.

  4. Re:Just fix it. by rm69990 · · Score: 3, Insightful

    God would you people RTFA!!! It is a problem with IE, not with Google Desktop. Google Desktop does not integrate with IE, it uses the default browser on your system. When I double click on Google Desktop, Firefox opens for me.

    Also, Google Desktop was given as an EXAMPLE, the flaw can be used elsewhere.

    Of course, sitting around and pretending you know what you are talking about is easier, isn't it?

  5. Not Google's fault, or is it? by vagabond_gr · · Score: 4, Insightful

    The answer is not so simple. Sit down for a second a think.

    The flaw allows a malicious web page to open a window with a different web page and read information from there. So a script in 'www.badguy.com' can read data from 'www.goodguy.com'. Now how bad is up to here? Pretty bad, but not catastrophic. badguy.com could open, say, mail.yahoo.com, and provided you have a yahoo mail account and you login, it could read some of your mails. Is there a chance of reading private info? Yes. Is there a chance of reading a file in your disk. NO! badguy.com can't read a file in your disk using yahoo mail. And given the fact that really critical data are stored in the local disk, not webmail accounts, the danger is limited.

    Now imagine there exists a web site containing all your private local files! This is exactly what Google Desktop Search is! GDS creates a local web server at port 4664, bound only to the 127.0.0.1 to avoid remote access. It is a web site accessible only from your pc and google takes a lot of measures to ensure that. But the script at badguy.com runs in your pc, and using the exploit it can access this personal web site. Now how bad is the situation? Catastrophic. All indexed data, pretty much your whole hard disk, are accessible to badguy.com.

    Of course this wouldn't happen if there was no IE flaw. But who put all your data at a (local) web server? Google Desktop Search. IMHO, the problem is once again the tight integration of a browser to the rest of the system. If Google used a custom client to query the local index instead of the browser this wouldn't happen. It would require a flaw that allows remote code execution and these flaws are more rare and more difficult to exploit (ok, in case of MSIE it's every day routine, I agree). This exploit is a piece of cake, because local data are promptly served by GDS.

    Just to make things clear, I don't really blame Google for this. But to achieve good security you need good software design and integrating a browser with everything is not a good idea. Google made a decision on that so it has some responsibility.

    And then public opinion is a totally different subject. I totally understand someone who loses its credit card number and blames google for indexing this number and making it accessible to badguy.com. If amazon stores your credit card number in an Oracle database and the number gets stolen because of an Oracle flaw, will you blame Oracle or Amazon?