IE Flaw Utilizes Google Desktop Search
abscondment writes "An error in the way Internet Explorer parses CSS files has been discovered by Matan Gillon of Israel. The flaw can be exploited by any website, and used to access personal information via Google's Desktop Search program. Of course, Google contends that this is a flaw with IE, and not their search software."
This is a complex technical issue. I can easily imagine that users of the Google software will say to themselves:
Google Toolbar allows badguy to get data -> Google software bad
But on the other hand, perhaps the users will say to themselves:
Oh -- MicroSoft made yet another security mistake. Rats!
But normally I've seen people blame the additional software -- but as software folks, we know that if you have to add a feature (in this case, the IE plugin) on a crappy foundation, normally you see the faults in the addition, and not necessarily in the main software.
It will be neat to see how this plays out.
http://www.thebricktestament.com/the_law/when_to_
And it's really quite interesting how he lays it all out. It seems IE's CSS @import (or more specifically the "addImport" JScript function) doesn't block access to outside domains. So essentially, I can import any stylesheet I want from the web. This also means I can import _anything_ that is malformed as a CSS rule. JavaScript comes to mind with its curly braces. With classic injection attacks, you can inject anything you want, including JScript. Scary stuff. I think I'll go look at everyone's hard drives now.
All is prevalent in the world...
No, the problem isn't the Windows platform, it's the insistence of Microsoft on using Internet Explorer for every web application on the Windows platform.
Why doesn't Google just use Mozilla's engine to render the content? (They are putting money into its development) They *would* have more control.
Get your Unix fortune now!
This flaw can virtually affect any application installed on a computer, but Google Desktop was just used as a proof of concept.
You can put the tinfoil hat away now.
Think of the awesome client-side applications people will be able to come up with now that they are no longer restricted by pesky cross-domain security policies!
Like this? Except they don't need a browser flaw, just a few hidden 302 redirects. Only physically blocking the server with a firewall or hosts file can protect you. Oh, and it works on every browser and every platform that supports server redirects.
And it's still in use to this day.
Therefore, my advice to Google: be prepared for those lawsuits where M$ points the finger at you due to a flaw in their architecture.
Let the finger pointing games begin!!
Since it's IE requesting the file, wouldn't "file:///c:/stealme/creditcrd.txt" work just as well?
Good point. I cannot answer, it would be a very good question for the author of the exploit. Maybe it would work, maybe "file://" urls are treated differently by browsers for security reasons. But, of course, GDS makes things way too easy by allowing badguy.com to actually search for "password" in local files. Knowing the filename "stealme/creditcrd.txt" or opening thousands of files to search for a keyword is far more difficult.
Anyway, as I said, I don't think it's really google's fault, I simply stated that it has some responsibility and that we shouldn't give right to them because GoogleIsNotEvil (TM).
Btw, the question about "file:///" URLs is very interesting. Could anyone inform us about the way these URLs are treated by Firefox? On the one hand they are practical. However, IMHO, it would be a good idea to disallow ANY DOM access to these URLs whatsoever. It would be rather strange for a script to require access to such a URL.
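The two threads above (the @import / addImport comment on how a non-CSS document gets parsed as a stylesheet, and the later question about "file:///" URLs) both come down to one browser-side decision: whether a fetched resource is allowed to be applied as a stylesheet of the importing page at all. The model below is an added example, not code from IE, Firefox, Google Desktop or the exploit author. It assumes a gating rule of the kind browsers later adopted for this class of leak (strict text/css for cross-origin stylesheets, plus honouring X-Content-Type-Options: nosniff); the sample result page, host names and the lenient brace-matching parser are constructed for illustration, and the file path is the one quoted in the comment above.

```javascript
// Added model of the stylesheet-gating rule that closes CSS cross-origin data
// leaks. Constructed example: not IE's, Firefox's or Google's code. Sample
// documents and URLs below are made up.

// Origin as scheme + host + port; a file: URL has no host and never matches http.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Lenient parsing in the style of the bug described above: any "x { y }" span is
// accepted as a CSS rule, whatever the document actually is (HTML, JSON, text).
function lenientRules(body) {
  const rules = [];
  const re = /([^{}]*)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    rules.push({ selector: m[1].trim(), declarations: m[2].trim() });
  }
  return rules;
}

// Gate: may a fetched resource be applied as a stylesheet of `documentUrl`?
//  - a declared text/css type is always accepted;
//  - X-Content-Type-Options: nosniff on the response blocks any other type;
//  - a cross-origin (including file:) resource without text/css is blocked;
//  - same-origin, unlabeled, non-nosniff content keeps the legacy lenient path.
function shouldApplyStylesheet({ documentUrl, sheetUrl, contentType, nosniff }) {
  const mime = (contentType || '').split(';')[0].trim().toLowerCase();
  if (mime === 'text/css') return true;
  if (nosniff) return false;
  return originOf(documentUrl) === originOf(sheetUrl);
}

// What an @import actually yields once the gate is applied: rules, or nothing.
function importStylesheet(request, body) {
  return shouldApplyStylesheet(request) ? lenientRules(body) : [];
}

// Constructed stand-in for a local search-result page: HTML, not CSS, but with
// braces an over-lenient CSS parser would happily treat as a rule.
const SAMPLE_RESULT_PAGE = [
  '<html><head><title>results</title></head><body>',
  '<script>var results = {count: 2};</script>',
  '</body></html>',
].join('\n');

// A third-party page importing a local search page as a "stylesheet".
const CROSS_ORIGIN_IMPORT = {
  documentUrl: 'http://third-party.example/page.html',
  sheetUrl: 'http://desktop-search.local.example/search?q=password',
  contentType: 'text/html; charset=utf-8',
  nosniff: false,
};

// The file:/// question from the thread: a web page importing a local file.
const LOCAL_FILE_IMPORT = {
  documentUrl: 'http://third-party.example/page.html',
  sheetUrl: 'file:///c:/stealme/creditcrd.txt',
  contentType: null, // a local file carries no Content-Type header
  nosniff: false,
};

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('lenient parse:', lenientRules(SAMPLE_RESULT_PAGE));
  console.log('gated import :', importStylesheet(CROSS_ORIGIN_IMPORT, SAMPLE_RESULT_PAGE));
  console.log('file import  :', importStylesheet(LOCAL_FILE_IMPORT, 'creditcard { 4111 }'));
}
```

Run stand-alone, the lenient parser pulls one "rule" (declarations `count: 2`) out of the HTML page, which is exactly the leak path the comment describes; the gated import returns nothing for both the cross-origin HTML case and the file:/// case, because neither is labelled text/css and neither shares the importing page's origin. Same-origin, unlabeled content still goes through unless the server sends nosniff, which is why serving nosniff on every response is the cheap server-side complement to the browser-side rule.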