Slashdot Mirror


IE Flaw Utilizes Google Desktop Search

abscondment writes "An error in the way Internet Explorer parses CSS files has been discovered by Matan Gillon of Israel. The flaw can be exploited by any website, and used to access personal information via Google's Desktop Search program. Of course, Google contends that this is a flaw with IE, and not their search software."

  1. Hm.. Evil Empire vs Company making great products by altoz · · Score: 5, Insightful

    Which do I believe?....

  2. An error in the way IE parses CSS?!?! by Anonymous Coward · · Score: 5, Funny

    I am shocked to learn of this, shocked and dismayed.

  3. Nice submission troll by Gothmolly · · Score: 4, Funny

    Will this be the flaw that breaks the patch cycle's back?

    Puh-lease. This ridiculous question could be asked of any flaw. How about from the 'it's 5pm, let's leave early so we accept any sensationalist submission' department?

    I can see how the Slashbot must suffer over this - it's Google, but it's a security vulnerability, but it's Microsoft, so it's OK, but it's still Google, so what do we do? Laugh, cry, sell stock?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Nice submission troll by Anonymous Coward · · Score: 5, Informative

      I can see how the Slashbot must suffer over this - it's Google, but it's a security vulnerability, but it's Microsoft, so it's OK, but it's still Google, so what do we do? Laugh, cry, sell stock?

      According to the ZDNet article, Firefox and Opera aren't affected - so it really is Microsoft's problem, and independent of Google.

    2. Re:Nice submission troll by _Sharp'r_ · · Score: 4, Insightful

      The only connection to Google in this vulnerability is that the exploit allows access to local files that a web site isn't supposed to have access to and Google stores local files on the user's computer that can then be accessed.

      The google thing was a proof of concept (with a pretty page for showing it to people who use Google Desktop), not any particular relationship to the vulnerability.

      But I guess if you mention Google, it gets more attention? The summary could have just as easily said "vulnerability allows access to user's Hotmail email!!!!!!!!", which would be just as true, assuming the user is storing a cookie for easier access to hotmail.com.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    3. Re:Nice submission troll by MightyMartian · · Score: 4, Funny
      But I guess if you mention Google, it gets more attention? The summary could have just as easily said "vulnerability allows access to user's Hotmail email!!!!!!!!", which would be just as true, assuming the user is storing a cookie for easier access to hotmail.com.

      I think a better way to catch folks' attention would have been Vulnerability gives access to personal porn collection!

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Nice submission troll by Cl1mh4224rd · · Score: 4, Funny
      I think a better way to catch folks' attention would have been Vulnerability gives access to personal porn collection!

      This is Slashdot: "RIAA Uses IE Flaw to Scan Linux Systems for Open Source DRM Violations". ;o)
      --
      People will pass up steak once a week, for crap every day.
  4. The Quick Work-around by sammykrupa · · Score: 4, Funny

    Here is the easiest way to stop this from hurting you:

    Turn off your computer.

    P.S. Okay, seriously, use Firefox.

    1. Re:The Quick Work-around by ppz003 · · Score: 2, Funny

      Actually, I tell my friends and family this all the time when they ask me how to keep from getting the nasties on their computers. The safest way to browse the internet? Unplug the ethernet cable or phone line. The most sure-fire way to not get a computer virus? Turn the computer off.

      That's about when they ask me for browsing tips with a reasonable risk.

  5. Finally Happened by Nom+du+Keyboard · · Score: 3, Funny

    So it's finally happened. Microsoft's first salvo against Google. What else could it be?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  6. Misquote? by dada21 · · Score: 4, Funny

    This makes me wonder if Ballmer's chair throwing scream was actually "I will f##king end Google Desktop!" instead of "...end Google on the desktop."

    Hmm...

    1. Re:Misquote? by Dante+Shamest · · Score: 3, Funny

      It's kind of hard to scream "##".

  7. Who's contending otherwise? by u2boy_nl · · Score: 3, Informative

    Of course, Google contends that this is a flaw with IE, and not their search software.

    And why shouldn't they?

    I've read TFA, according to the article it's a design flaw in IE. No one seems to be blaming Google anyway?

    (Well at least not yet.)

    1. Re:Who's contending otherwise? by Anonymous Coward · · Score: 2, Interesting

      This flaw can virtually affect any application installed on a computer, but Google Desktop was just used as a proof of concept.

      You can put the tinfoil hat away now.

  8. Wow! by drcarson · · Score: 2, Funny

    I wish I knew of this sooner

  9. Re:Hm.. Evil Empire vs Company making great produc by krakelohm · · Score: 5, Funny

    Who's who?

    --
    You are all a bunch of idots.
  10. In other news... by Spy+der+Mann · · Score: 2, Funny

    spyware gets access to your computer's resources. Doh.

  11. The bug is in Google's software by sycomonkey · · Score: 5, Funny

    The bug is that it uses IE in the first place.

    --
    --The universe will not be altered by forum threads, even those which are very wry. --Tycho Brahe (Penny Arcade)
    1. Re:The bug is in Google's software by joelsanda · · Score: 2, Informative

      Yeah. Consider the 3rd party MacOS X Dashboard Widgets that mimic Google Desktop features. Hell of a lot safer using Google services that way than via IE and Google Desktop.

      --
      The Luddites were ahead of their time.
    2. Re:The bug is in Google's software by stochastix · · Score: 2, Informative

      It uses the default browser app, not necessarily IE.
      My desktop search opens up in Firefox :-)

    3. Re:The bug is in Google's software by Cyno · · Score: 2, Insightful

      I'd feel more comfortable using Apple's software than Google's, now that I think about it. Google seemed like a good company, but they didn't fully embrace Linux and *nix. I think that was a mistake. What it means is I don't have any loyalty to them whatsoever; as far as I'm concerned they are sellouts just the same as Microsoft and Apple. But at least Apple is selling out to style, attitude, open source, etc. instead of just for the money.

      I hope Google comes around, but I won't count on it.

  12. FF promotion article ? by Chaffar · · Score: 2, Insightful
    Gillon said other browsers, such as Firefox, are sufficiently locked down that the hack doesn't work on them.

    [...] However, given the danger presented by this and other recent discoveries of IE security holes, I would strongly recommend that IE users consider downloading and using another browser, like Firefox, Opera or Netscape.

    Go Brian Krebs !!!

    On a more serious note, it's nice to see somebody post an article clearly promoting [generic non-IE browser], but IMHO security shouldn't be the only reason why FF is chosen over IE. If it turns out that FF is safer "only" because it isn't targeted by hackers/phishers/terrorists, then everything falls apart. We shouldn't lose sight of the initial raison d'être of FF, which is to be an open-source browser, not a "more secure" browser (which is an added side benefit).

    1. Re:FF promotion article ? by IntergalacticWalrus · · Score: 2, Informative

      To average people? No, they're not.

      Non-geek people I've converted (read: forced) to Firefox don't use tabs. They don't understand the concept, and/or don't think about using it.

      Everything else you mentioned is technical stuff, or requires configuration. All minor stuff that won't convince people to install a new browser instead of simply using that blue 'e' that has always been there all along on their desktop, and that, before you told them, they thought *was* *the Internet*.

  13. Just read the article. by XiticiX · · Score: 2, Interesting

    And it's really quite interesting how he lays it all out. It seems IE's CSS @import (or more specifically the "addImport" JScript function) doesn't block access to outside domains. So essentially, I can import any stylesheet I want from the web. This also means I can import _anything_ that is malformed as a CSS rule. Javascript comes to mind with its curly braces. With classic injection attacks, you can inject anything you want, including JScript. Scary stuff. I think I'll go look at everyone's hard drives now.

    --
    All is prevalent in the world...
  14. Ugh by n0dalus · · Score: 4, Informative

    Before everyone goes posting about MS vs Google rubbish, please RTFA. This has very little to do with Google.

    "This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration," Microsoft said in the statement.

    In other words, this flaw is just loading files from Google Desktop's internal http server. It could load the internal http server of hundreds of different programs (particularly administration tools).

  15. Re:Customer Perceptions May be Different by Utopia · · Score: 2, Insightful

    Looks like the issue here is that IE tries to clean up any bad HTML code.
    In a way this is good because IE can render a page properly even if it has unclosed tags or, as in this case, incorrectly rendered CSS braces.
    On the other hand, this has led to web designers getting away with crappy HTML pages.

    In this case, it looks like Google is properly sanitizing the URL parameters on all their sites except news.google.com.
    This is a classic cross-site scripting attack.
    In my opinion, Google should fix the news.google implementation rather than passing on the blame and exposing their customers to risk.

  16. Security hole has _nothing_ to do with google! by ArsenneLupin · · Score: 5, Informative
    Folks, RTFA!

    Ok, so the FA is a bit long, so here you have a three-sentence summary:

    The exploit allows reading foreign Web pages by abusing a broken security check in the document.stylesheets javascript method.

    The malicious code first loads the page to be snarfed as a CSS into the current document using addImport, and from there into a javascript variable using document.stylesheets. Finally the variable is posted back to the website of the exploiter.

    The Google Desktop was only cited as an example. But basically any protected web page could have been targeted (a webmail site such as Hotmail, any other password-protected page, an intranet server not accessible from outside, ...)
    1. Re:Security hole has _nothing_ to do with google! by Tim+C · · Score: 4, Informative

      abusing a broken security check in the document.stylesheets javascript method.

      Technically, that's an element of the DOM, and is nothing to do with javascript, and is certainly not a javascript function. (In fact it's not a method at all, it's a property of the document object).

  17. Re:Hm.. Evil Empire vs Company making great produc by ImaLamer · · Score: 3, Interesting

    No, the problem isn't the Windows platform, it's the insistence of Microsoft on using Internet Explorer for every web application on the Windows platform.

    Why doesn't Google just use Mozilla's engine to render the content? (They are putting money into its development) They *would* have more control.

  18. Dont worry guys by Izrath · · Score: 2, Funny

    After the next security update, all cookies created by IE will be prefixed with $sys$.

  19. Re:Hm.. Evil Empire vs Company making great produc by zootm · · Score: 4, Insightful

    Well, the idea is that once they're "in" the system, they can basically do what the hell they like. Desktop Search is just a convenient index of data that is used by a large number of people — the only flaw pertaining to Google's product here is that it's good at its job.

  20. Re:Just fix it. by rm69990 · · Score: 3, Insightful

    God would you people RTFA!!! It is a problem with IE, not with Google Desktop. Google Desktop does not integrate with IE, it uses the default browser on your system. When I double click on Google Desktop, Firefox opens for me.

    Also, Google Desktop was given as an EXAMPLE, the flaw can be used elsewhere.

    Of course, sitting around and pretending you know what you are talking about is easier, isn't it?

  21. RTFA - Its not a flaw! by nmoog · · Score: 4, Funny

    It's an awesome feature for Developers! Developers! Developers! - This feature has been in IE at least since IE 6 came out. That means Microsoft is again leading the field when it comes to AJAX and Web2.0 products.

    Think of the awesome client-side applications people will be able to come up with now that they are no longer restricted by pesky cross-domain security policies!

  22. Not Google's fault, or is it? by vagabond_gr · · Score: 4, Insightful

    The answer is not so simple. Sit down for a second and think.

    The flaw allows a malicious web page to open a window with a different web page and read information from there. So a script in 'www.badguy.com' can read data from 'www.goodguy.com'. Now how bad is up to here? Pretty bad, but not catastrophic. badguy.com could open, say, mail.yahoo.com, and provided you have a Yahoo mail account and you log in, it could read some of your mails. Is there a chance of reading private info? Yes. Is there a chance of reading a file on your disk? NO! badguy.com can't read a file on your disk using Yahoo mail. And given the fact that really critical data are stored on the local disk, not in webmail accounts, the danger is limited.

    Now imagine there exists a web site containing all your private local files! This is exactly what Google Desktop Search is! GDS creates a local web server at port 4664, bound only to 127.0.0.1 to avoid remote access. It is a web site accessible only from your PC and Google takes a lot of measures to ensure that. But the script at badguy.com runs on your PC, and using the exploit it can access this personal web site. Now how bad is the situation? Catastrophic. All indexed data, pretty much your whole hard disk, are accessible to badguy.com.

    Of course this wouldn't happen if there was no IE flaw. But who put all your data at a (local) web server? Google Desktop Search. IMHO, the problem is once again the tight integration of a browser to the rest of the system. If Google used a custom client to query the local index instead of the browser this wouldn't happen. It would require a flaw that allows remote code execution and these flaws are more rare and more difficult to exploit (ok, in case of MSIE it's every day routine, I agree). This exploit is a piece of cake, because local data are promptly served by GDS.

    Just to make things clear, I don't really blame Google for this. But to achieve good security you need good software design and integrating a browser with everything is not a good idea. Google made a decision on that so it has some responsibility.

    And then public opinion is a totally different subject. I totally understand someone who loses its credit card number and blames google for indexing this number and making it accessible to badguy.com. If amazon stores your credit card number in an Oracle database and the number gets stolen because of an Oracle flaw, will you blame Oracle or Amazon?

    1. Re:Not Google's fault, or is it? by vagabond_gr · · Score: 2, Interesting

      Since it's IE requesting the file, wouldn't "file:///c:/stealme/creditcrd.txt" work just as well?

      Good point. I cannot answer, it would be a very good question for the author of the exploit. Maybe it would work, maybe "file://" urls are treated differently by browsers for security reasons. But, of course, GDS makes things way too easy by allowing badguy.com to actually search for "password" in local files. Knowing the filename "stealme/creditcrd.txt" or opening thousands of files to search for a keyword is far more difficult.

      Anyway, as I said, I don't think it's really google's fault, I simply stated that it has some responsibility and that we shouldn't give right to them because GoogleIsNotEvil (TM).

      Btw, the question about "file:///" urls is very interesting. Could anyone inform us about the way these urls are treated by firefox? On the one hand they are practical. However, IMHO, it would be a good idea to disallow ANY DOM access to these urls whatsoever. It would be rather strange for a script to require access to such a url.

  23. Re:Lawsuit? by whitehatlurker · · Score: 3, Informative

    How about this link instead. It has been a while since that affair. Some of the younger viewers might not remember. (And older ones forgotten about it.)

    --
    .. paranoid crackpot leftover from the days of Amiga.
  24. this has everything to do with Google by recharged95 · · Score: 2, Interesting
    By Google mainly creating products on the Windows platform, they will fall into Microsoft's trap: the 'integrated approach' philosophy. With the Microsoft approach to design, ease of installation is a fact, BUT an application is as weak as its weakest component (as someone mentioned). Unfortunately, that component is built into the operating system! And so since Microsoft controls that foundation, they can easily blame any 3rd party application since the OS still "works".

    Therefore, my advice to Google: be prepared for those lawsuits where M$ points the finger at you due to a flaw in their architecture.

    Let the finger pointing games begin!!

  25. Re:Hm.. Evil Empire vs Company making great produc by Rakshasa+Taisab · · Score: 2, Insightful

    By using the process of elimination, we know that Microsoft can't be the "Company making great products" so they must be the "Evil Empire".

    --
    - These characters were randomly selected.
  26. Re:Hm.. Evil Empire vs Company making great produc by Michalson · · Score: 4, Informative

    Didn't read the article, did you? Just spouting the same talking points over and over again. Microsoft didn't write the web application involved here (Google did), nor does the exploit have anything at all to do with Microsoft's use of IE for other purposes.

    Now after reading the article, you'll see the issue being exploited involves the fact that CSS files are designed (by *all* major browsers) to be the one exception to the cross-domain rule, meaning that a page on site A can get the contents of a CSS file located on site B.

    However IE can be exploited so that any file is seen as a CSS file, just a very badly formatted one. Of course there are big limitations - namely that only valid CSS "data" from site B can be read by site A, so anything not formatted in name{stuff}; is invisible to site A.

    This particular hack takes advantage of the fact that a person with Google Desktop installed will send a special cookie when they request most pages from Google. That cookie will cause a "desktop" link to be sent back to them somewhere on the page. This desktop link contains a secret password. As soon as you know that password, you basically have full access to that person's computer through Google Desktop URIs, regardless of what browser (as long as that browser supports javascript, which IE, Firefox and Opera obviously do). In simple terms, if you gave a site this password that Google sends to you, they'd have full access (this misfeature of Google Desktop also creates a big proxy server/man-in-the-middle attack vector against a person's PC, regardless of what browser they use).

    The attack vector to obtain the password in this case is the IE CSS bug. A specific page on Google, Google News, puts the desktop link in such a place that if you provide a specific search query, it will end up making a section of the page around the special desktop link look like a valid CSS value. Because of this, site A can read the data inside that value, including the Google password. Once it has the password from that random junk of "CSS data", it can start accessing Google Desktop at will.

    Oh well. I hope Microsoft is paying you good money to make OSS proponents look like idiots by spouting this kind of completely uninformed bs. The sea of white noise helps to hide any real, intelligent points brought up against Microsoft or its products.
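    The mechanism that comments 16 and 26 describe, as an added illustration that is not code from the thread, from Google or from Microsoft: a lenient stylesheet parser turns any "name{stuff}" fragment of a document into a readable rule, so unescaped reflected input can wrap a secret into a rule body. The block models that parser, a constructed news-style page with a constructed token, and the two defences that close the hole: the page encodes CSS-significant characters in reflected input, and the browser refuses to parse a cross-origin response as a stylesheet unless it is served as text/css. Host, port, token, page layout and function names are all assumptions.

```javascript
// Lenient rule extraction, standing in for the permissive parsing the thread
// describes: everything between a "{" and the next "}" becomes a rule body.
function extractLenientCssRules(text) {
  const rules = [];
  const re = /([^{}]*)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    rules.push({ selector: m[1].trim(), body: m[2].trim() });
  }
  return rules;
}

// Encode characters that matter to HTML *or* CSS as numeric entities. Plain
// HTML escaping leaves "{" and "}" untouched, which is what the leak relies on.
function encodeReflected(s) {
  return s.replace(/[<>&"'{}]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Constructed news-style page: reflects the query twice and carries a link
// with a per-user token, as the thread says the desktop link did.
function renderNewsPage(query, desktopToken, escapeInput) {
  const q = escapeInput ? encodeReflected(query) : query;
  return (
    `<html><body><h1>Results for ${q}</h1>` +
    `<a href="http://127.0.0.1:4664/search?s=${desktopToken}">Desktop</a>` +
    `<p>No results for ${q}</p></body></html>`
  );
}

// Browser-side gate: a cross-origin resource is only parsed as a stylesheet
// when its Content-Type is text/css (the strict-MIME rule browsers adopted).
function importAsStylesheet(response, { crossOrigin, strictMime }) {
  const ct = (response.headers['content-type'] || '')
    .split(';')[0].trim().toLowerCase();
  if (crossOrigin && strictMime && ct !== 'text/css') return [];
  return extractLenientCssRules(response.body);
}

// Search rule bodies for the token, the way the thread says the exploit did.
function tokenFromRules(rules) {
  for (const r of rules) {
    const m = /[?&]s=([A-Za-z0-9]+)/.exec(r.body);
    if (m) return m[1];
  }
  return null;
}

// Three scenarios: unescaped page in a lenient browser (token leaks), the
// same page with encoded reflection, and the unescaped page under strict MIME.
function demo() {
  const token = 'tok123'; // constructed per-user secret
  const leakyPage = renderNewsPage('}x{', token, false);
  const fixedPage = renderNewsPage('}x{', token, true);
  const asHtml = (body) => ({ headers: { 'content-type': 'text/html' }, body });
  const lenient = { crossOrigin: true, strictMime: false };
  const strict = { crossOrigin: true, strictMime: true };
  return {
    lenientBrowserUnescaped: tokenFromRules(importAsStylesheet(asHtml(leakyPage), lenient)),
    lenientBrowserEscaped: tokenFromRules(importAsStylesheet(asHtml(fixedPage), lenient)),
    strictBrowserUnescaped: tokenFromRules(importAsStylesheet(asHtml(leakyPage), strict)),
  };
}
console.log(demo());
```

    Either defence alone stops the leak in this model; the server-side one is the only part a site operator controls.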

  27. Re:Hm.. Evil Empire vs Company making great produc by urutora90 · · Score: 2, Insightful

    I wonder how you can completely ignore the fact that Google is supporting censorship in china. Yes, they are a company so seeking profits, but since the IPO, the "6. You can make money without doing evil." might have changed a *little* bit.

  28. Re:Known, unfixed flaw... by JonJ · · Score: 2, Insightful

    Can't blame a guy for getting lost in the endless list of IE flaws ;-)

    --
    -- Linux user #369862
  29. Re:Hm.. Evil Empire vs Company making great produc by martin-boundary · · Score: 2, Funny

    Google's on first.

  30. Re:Can it, Jew by Old+Wolf · · Score: 2, Funny

    Is calling somebody a "jew" supposed to be an insult or something in your book? If one calls a human a "human", or an American an "American", isn't this just simply stating the obvious? Calling a person who isn't a Jew a "Jew", simply because they find anti-semitic comments offensive, would be an ignorant and silly thing to do. "Human", "American", "Chinese" and "Jew": none of these is an insult.

    Shut up, fag! And what's wrong with Chinese, are you racist?