IE Flaw Utilizes Google Desktop Search
abscondment writes "An error in the way Internet Explorer parses CSS files has been discovered by Matan Gillon of Israel. The flaw can be exploited by any website, and used to access personal information via Google's Desktop Search program. Of course, Google contends that this is a flaw with IE, and not their search software."
And it's really quite interesting how he lays it all out. It seems IE's CSS @import (or more specifically the "addImport" JScript function) doesn't block access to outside domains. So essentially, I can import any stylesheet I want from the web. This also means I can import _anything_ that is malformed as a CSS rule. JavaScript comes to mind with its curly braces. With classic injection attacks, you can inject anything you want, including JScript. Scary stuff. I think I'll go look at everyone's hard drives now.
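The point the comment above makes (a cross-domain @import of something that is not a stylesheet, plus one reflected curly brace, exposes the fetched text) is easier to see with a simulation. The block below is an added example and is not code from the article or from Matan Gillon's advisory: it models a lenient stylesheet parser that accepts any text and exposes what sits between braces, a constructed victim page that reflects a query and lists private files (the file names, page layout and hostnames are invented for the example), and a stricter parser that refuses non-CSS responses. It does not reproduce Internet Explorer's actual parser or Google Desktop's real pages.

```javascript
// Added illustration (not from the original page). Simulates how a lenient
// CSS parser turns any fetched text into "rules": everything up to the next
// '{' is taken as a selector, everything up to the matching '}' (or, if there
// is none, to the end of the input) as the declaration block. There is no
// check that the input is CSS at all.
function lenientCssRules(text) {
  const rules = [];
  let pos = 0;
  for (;;) {
    const open = text.indexOf('{', pos);
    if (open === -1) break;
    let close = text.indexOf('}', open + 1);
    if (close === -1) close = text.length; // unterminated block runs to the end
    rules.push({
      selector: text.slice(pos, open).trim(),
      body: text.slice(open + 1, close).trim(),
    });
    pos = close + 1;
  }
  return rules;
}

// Constructed victim page: a local search page that reflects the query string
// unmodified (the "classic injection" the comment mentions) and lists the
// user's private files. File names are invented for this example.
function victimPage(query) {
  return [
    '<html><body>',
    `<p>Results for: ${query}</p>`,
    '<ul>',
    '<li>C:\\Users\\me\\taxes-2005.xls</li>',
    '<li>C:\\Users\\me\\passwords.txt</li>',
    '</ul>',
    `<p>End of results for: ${query}</p>`,
    '</body></html>',
  ].join('\n');
}

// What the importing (attacker) page would be able to read back: the
// declaration bodies of every "rule" the lenient parser produced.
function leakViaImport(fetchedText) {
  return lenientCssRules(fetchedText).map(r => r.body);
}

// Hardened behaviour on the browser side (an assumption about what a fix
// could look like, not a description of any vendor's patch): only parse a
// response that declares itself as text/css and whose first non-blank
// character plausibly starts a selector, so an HTML document is rejected.
function strictCssRules(contentType, text) {
  if (!/^text\/css\b/i.test(contentType)) return [];
  const first = text.search(/\S/);
  if (first === -1 || !/^[.#a-zA-Z*\[:@]/.test(text[first])) return [];
  return lenientCssRules(text);
}

// Stand-alone demonstration.
const benign = leakViaImport(victimPage('taxes'));   // no braces -> nothing exposed
const leaked = leakViaImport(victimPage('{'));       // one reflected brace -> file list exposed
console.log('benign query leaks', benign.length, 'rule bodies');
console.log('injected query leaks:', JSON.stringify(leaked));
console.log('strict parser on the same HTML:',
  strictCssRules('text/html', victimPage('{')).length, 'rules');
```

Two things worth noticing from running it. First, a single reflected `{` is enough; the attacker does not need a closing brace anywhere in the page, because the lenient parser lets an unterminated block run to the end of the document. Second, HTML output encoding on the victim site does not help here: `{` is not an HTML metacharacter, so a page that correctly escapes `<` and `&` still reflects the brace. The meaningful checks are on the importing side (a content-type check as in `strictCssRules`, or refusing cross-domain imports altogether).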
All is prevalent in the world...
No, the problem isn't the Windows platform, it's the insistence of Microsoft on using Internet Explorer for every web application on the Windows platform.
Why doesn't Google just use Mozilla's engine to render the content? (They are putting money into its development) They *would* have more control.
Get your Unix fortune now!
This flaw can affect virtually any application installed on a computer, but Google Desktop was just used as a proof of concept.
You can put the tinfoil hat away now.
Therefore, my advice to Google: be prepared for those lawsuits where M$ points the finger at you due to a flaw in their architecture.
Let the finger pointing games begin!!
Since it's IE requesting the file, wouldn't "file:///c:/stealme/creditcrd.txt" work just as well?
Good point. I cannot answer, it would be a very good question for the author of the exploit. Maybe it would work, maybe "file://" urls are treated differently by browsers for security reasons. But, of course, GDS makes things way too easy by allowing badguy.com to actually search for "password" in local files. Knowing the filename "stealme/creditcrd.txt" or opening thousands of files to search for a keyword is far more difficult.
Anyway, as I said, I don't think it's really Google's fault; I simply stated that it has some responsibility and that we shouldn't automatically assume they're in the right because GoogleIsNotEvil (TM).
Btw, the question about "file:///" urls is very interesting. Could anyone inform us about the way these urls are treated by firefox? On the one hand they are practical. However, IMHO, it would be a good idea to disallow ANY DOM access to these urls whatsoever. It would be rather strange for a script to require access to such a url.