Google Fixes IE Bug
aussie_a writes "Without accepting blame Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald. "
Well I'm just glad Google fixed the issue whether it's their fault or not.
//not that I use IE but you know still.
I don't care whose fault it is. Just fix the problem.
-Teiresias
As more and more desktop apps serve as an interface to a website, it'll become a lot easier to fix and deploy new functionality. This is a good thing.
Join the Free Software Foundation
...so why is it headlined "IE Bug"? It's not a bug in IE.....
The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.
I question Mr. MacDonald's credibility. If this is the same gentleman I'm thinking of, he's an older man who has a farm...or at least had one.
The title sounds as if Google had fixed a bug in Internet Explorer's code. Shouldn't it be "Google fixes Google Desktop bug"?
Granted, it does make it sound less like news... but I suppose it's because it isn't, really. You don't see stories like "Adobe fixes Photoshop bug", "KDE team fixes Konqueror bug", etc... since of course that's just part of the daily life in development.
The filesystem is the package manager
Well, I guess.. like "why would you go with Microsoft who sit on a vulnerability for months, instead of someone who actually fixes security holes?"
While this does raise concerns about Google as a desktop, I think these same concerns should be voiced about any software vendor. Security is a process not a product.
My humor is probably your flamebait
It's my understanding that this flaw has nothing to do with Google Desktop per se -- but rather was just discovered on Google. Although I'm glad they shut down the flaw where Google is concerned, it seems that it still exists for other programs -- since the security breach itself is not specific to Google.
"Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to," he said.
That's when I realized this was an article by 'The Onion'.
Props to Google for taking responsibility and fixing this so quickly. They could have spent a few weeks blaming Microsoft (their competition), as I thought they would, but they didn't.
wth does that mean?
The root problem is in IE. They made a work-around for their software. Why should they accept blame?
Was this vulnerability able to be exploited by any website, if you had Google desktop installed on your machine, regardless of what you used to surf the Internet with from said machine? If so, then that wasn't a Google vulnerability, it was a Windows vulnerability. Seeing as how IE is hard to uninstall and comes with every single Windows machine, and all.
VOTE!
Generally, bash is superior to python in those environments where python is not installed.
First of all, Google did not fix an IE bug. All they did is make their own software a bit more tight in security, so that *they* are not susceptible to the IE bug. It does not *fix* it.
Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.
But *ANY* app that embeds IE is (and remains) vulnerable, including many other pieces of software. For example, for all you poker players, if you have an account at UltimateBet, you *are* vulnerable to this bug, and in theory someone could use it to steal your account information, which is very dangerous, since they may be able to initiate withdrawals from your account as well.
This is just the tip of the iceberg; there are literally hundreds of apps that embed the IE engine for rendering. All are at risk.
Um. Have you used Google Desktop? Have you looked at it, read the privacy policy, looked into its 'Advanced Features'?
Oh. I didn't think so.
As long as we are fixing things, why not just go all the way? Oh well, I guess we all can dream.
I will be surfing over to http://labs.google.com/ just in case.
He who knows best knows how little he knows. - Thomas Jefferson
If g00 doesn't fix the bug and something bad happens to enough (or enough loud) people, it looks really bad for them. Especially when they could (apparently easily) fix it.
They did this to cover their own butts.
If I recall previous discussions correctly, the flaw was in MSIE. If that's the case, what's to prevent an attacker from exploiting the flaw with his own code?
If I remember correctly, he was far more concerned with EI than IE.
From CIO Today: The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.
"Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to," he said.
Standards? What standards would those be? Last I checked, most software manufacturers are sending out buggy copies of their code hoping you won't notice, patching it up continuously, then going ahead and doing it repeatedly. And let's not forget that Microsoft is the king of them all!
And exactly how are we to hold them to these "standards"? So many people use Microsoft routinely that they have the lion's share of the market, and their competitors are left with the spoils. And while you may not like MS, many of their programs work just well enough that you believe you've got a decent, everyday product. Of course they break down, and people scream and rant, but in the end what do they do? Do they immediately switch to something else? No! They patch up their flawed software and keep the status quo.
It's a classic case of addiction, a lot like gambling but in reverse. You use the software every day and most days it works. The one time it doesn't, you fret, but because you restart it or patch it and it works, you go right back to it, rather than exploring alternatives. And Microsoft counts on this. That's why they dominate - they have everybody "addicted" to their software.
GetOuttaMySpace - The Anti-Social Network
...Shouldn't it be "Google fixes Google Desktop bug"?...
Nope. Object-orientated programming. If the api documentation says that something should operate in a certain way and it does not then by fixing the problem on your side of things it weakens encapsulation of the function and makes it easier for future bugs to accumulate as the totality of code slowly turns to spaghetti.
Shh.
In other news, a large company covers its ass.
This is news, but it's not particularly unusual. When you are vulnerable to an attack, you take steps to remove the vulnerability using resources under your control.
Nothing to see here folks, move along.
So if Google already fixed it, when will MS?
Stop! Dremel time!
But seriously, Google responded quickly and fixed the problem once it was pointed out to them.
No comments like 'Most end users don't even know where their passwords are...'
I would hope that most corporate networks and government systems would lock down their PC configurations to prevent the random installation of the Google toolbar (and other things).
But I have seen companies where I.T. security decisions are overruled by the executives, so workers' 'creativity' isn't restricted. (Very frustrating to the I.T. people who have to clean up end-user problems.)
It used to be that I.T. security had to fight just the virus programmers and kids, but now-a-days it's a real battle to protect the company network from other corporations, spammers, and more professional threats.
a 3rd party application which permits to exploit a bug in a software and open a big security hole...?
And this 3rd party company are fixing their product to no longer be vulnerable to this bug.
So what is the big deal?
Yes. They are disabled.
-molo
Using your sig line to advertise for friends is lame.
Every software has some bugs.
These bugs should be fixed according to their priority.
Google provides some software.
Google should fix its bugs according to their priority.
I'm not sure what this article wants to tell us? That even Google can create bugs? Is this a surprise? Is Google special that this is actually worth to mention?
Why would a bug created by Google be any better or worse than a bug by any other software vendor? Of course the bugs should be fixed and apparently Google did it. So this article tells us that a security flaw has been fixed for some special case, because apparently it can't fix it permanently unless it took over maintenance for IE.
Why this MacDonald guy needs a special plan for Google is beyond me though. Maybe somebody could enlighten me there.
Way to go Google. Fix issues that Microsoft would fail to address in a timely manner.
As more and more desktop apps serve as an interface to a website, it'll become a lot easier to fix and deploy new functionality. This is a good thing.
I disagree. Having this ability encourages software companies to release buggy and unfinished software before adequate testing is done.
Religion for nerds. Stuff that really matters
Dick drives Jane's car.
Jane's car has a faulty parking brake.
Dick parks, engages the brake, but the car rolls away.
Dick stops parking on hills.
Important Points
Jane did not fix the parking brake
Dick did not fix the parking brake, but he no longer uses it.
Other drivers may or may not be aware of the broken parking brake.
The potential is still there for the car to roll away.
From an end user standpoint, it's good they fixed it even though it definitely wasn't their fault in the least bit.
However by fixing it, it would seem to the average Joe an admittance that it was a bug in their software. This isn't the case in the least bit. I remember the old slashdot story and the trolls were out that day. Google desktop was given as an example of one of the dozens, if not thousands of various web based programs affected by this IE bug. Make no mistakes about it, this was an IE bug.
This really goes to show really how much of an ethical company google really is. They took charge and created a workaround in their software for a problem that really isn't theirs. Sadly, this won't convince the google trolls and they'll just add this to the bug count.
If an officer ever threatens to taze you, say you have a pacemaker.
http://www.iol.ie/~locka/mozilla/control.htm#download
These guys rock.
This is important to understand. This wasn't a google desktop bug. They just created a workaround to mitigate IE's bug MS won't fix. And because this is still an IE bug, MANY other programs are still affected.
If an officer ever threatens to taze you, say you have a pacemaker.
And companies don't do this now? There will always be bad seeds in whatever industry you want to look into, but they should never be allowed to control the market. Now I think Google did a great thing here, I'm not sure I would have even thought about fixing it if I was in their shoes, since it's obviously a bug in IE. And for God's sake, for those people whining about having to rewrite from ActiveX to other technologies now, do you buy a car without a locking system and then whine when it gets stolen too?
I suppose when you get to the end it is all about IO.
You do realise no matter how much testing a company does, there will be bugs in their software and vulnerabilities?
"When Google Desktop encounters a situation in which Internet Explorer's security hole could be exploited, it raises E_IEIO" said MacDonald.
When a web browser and media player are "integral parts" of your O/S, you've got encapsulation problems.
Microsoft is kicking themselves for this one. They are finally given a juicy exploit that they could use to knock Google down a notch or two, but the exploit occurs because of IE's code. Microsoft's entire PR department is going, "Arrgh!" If the fault had lain anywhere else, Google would have had Microsoft-funded bad press everywhere. (And I think Slashdot would have toned down the Google love.)
Don't get me wrong. Google issued a quick (and relatively quiet) fix to cover their butts and should be given due credit. But let's not overstate the issue. Google dodged a potentially PR wrecking bullet. I just hope they're more careful in the future as the next issue may not be so easy to sweep under the carpet. Microsoft is waiting to pounce, and will do so at the first serious non-IE based error they can find in Google's chain of products.
do you buy a car without a locking system and then whine when it gets stolen too?
I don't accept situations like that as inevitable.
Bill: "Life sucks."
Ted: "Then fucking do something about it."
Religion for nerds. Stuff that really matters
Yes, a large part of Google Desktop will run in any browser.
But parts of the Sidebar component are rendered using an IE rendering engine. It is simple to verify if you check the references in the EXE and DLLs.
It's the fault of the most high-level system, and not the low-level system.
We all know about buffer-overflow exploits in C/C++ programs, do we blame it on the C/C++ language compilers? Do we blame on the C/C++ language designers? Do we blame it on the C/C++ libraries? Do we blame the designers of the computer?
No, of course not. We blame the most high-level application that had the buffer-overflow vulnerability.
So, it's Google's fault, not IE. They should accept the responsibility.
They didn't fix it by silently patching Google Desktop.... they made a change to www.google.com that patched the vulnerability
Is it just me? I'm using Ff 1.5 on Windows XP, and it just locks up halfway through loading that page.
So in other words they fixed the glitch. It will work its way out naturally.
The problem is solved from your end.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Old MCDonald had a server farm, he eyed the I/O...
The fact that this is patchable with no exchange of files on the user side is bogus. All google did was close the vulnerability that allowed the problem to be exploited by people without their knowledge or approval. If the software on the local installation previously ALLOWED access to the local filesystem and no files were changed on that local software then it still allows local file access.
Digital is, by definition, imperfect. Analog is the way to go.
Given the fact that most microsoft employees are now working for google, it's no wonder they patched it ;)
I wouldn't be surprised if google has a "Let's Patch our former employer tuesday!" party each week.
Google desktop works around IE bug
Google didn't fix the IE bug. The IE bug still exists. Only Microsoft can fix the IE bug. What Google did was put in a work around so that exploiting the IE bug won't cause a security risk in Google Desktop.
The IE bug can still affect other software.
Google did not "clean its act up", nor did it need to -- as stated many times before, it was an IE problem. Google could have very well said "it's Microsoft's problem, too bad" but they instead made a workaround. Rather than clean up their own mess, they cleaned up the mess MS dumped on them.
The article notes that Google fixed it because they didn't have to update any client code (implying that if an update would be required, they wouldn't have done it). Ignoring the fact that that's not necessarily a good reason, my question is how is this possible at all? The article mentions that they simply "tightened" some setting on the main Google site. This is surprising. Google Desktop is an offline application -- you can use it when you are not on the Internet. Of course, the main way that the bug will be exploited is when you *are* on the internet and you browse a malicious site. So I have to presume that there is some file (like a .css or .html) that Desktop references from the main Google website rather than from its local code, and that this somehow is related to the IE bug that can be exploited.
The article was completely vague on this. Anyone have more definitive information?
Yes, it does raise serious questions about Google, like "Why the hell don't we mandate its use?"
Ok, /flame on /. elitists, I really can't see a difference.
I'm amazed at some of the comments here and just how biased people seem to be towards Google. Yes, they had a flaw, and yes they fixed it. But I've seen several comments modded up that essentially just say, "people should be using firefox anyways." How can Google expect to be a legitimate company if they only tailor to roughly 10% of the people on the Internet. Even if you count in other browsers, I'll be very generous and give that a 50% share. A company that only provides reliable service to 50% of its users...ok...So if car restaurants said they would serve men and women, but spit in any man's food. Yes, both sexes get food, but half of that food isn't something that anyone should eat. Yes, Google made a mistake. I'm glad they fixed it, but how is that different from Microsoft fixing a mistake? Except one company is hailed as good and the other evil by
so is microsoft happy about this or will they be throwing some more chairs in the morning
-- lol pwned
I'd like to clear up some of the confusion the mainstream media has caused.
The bug I found is in Microsoft Internet Explorer and not in Google Desktop. This bug remains in the browser and it is in no way fixed. This bug by itself is a pretty serious one and allows for exploitation of many sites that are not Google related.
My proof of concept code exploited Google Desktop to retrieve private information from a local machine. In order to do that I used the IE bug twice. First I used it on one of Google's sites in order to get a valid key so I can access the local web server that is Google Desktop's interface. The second time was to execute a query on the GDS server and retrieve the results.
Google basically found a quick hack that nullifies the first portion of the exploit, getting the valid key. They added the following piece of HTML code to their sites, right before the "Desktop" link is revealed: "<!--"/*"/*-->". This makes the IE CSS parser think the rest of the page is a comment so the link won't be visible while trying to read the CSS text.
The bug in IE remains at large. And GDS itself is still exploitable. If somebody found an XSS hole in one of Google's sites, he would be able to retrieve the GDS key and then use the second portion of the exploit to retrieve local results.
As I said in my original article, this is a serious bug and there's no simple solution for it, at least until IE is fixed.
Matan
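The marker quoted in the post above can be checked against ordinary CSS tokenizing rules. The sketch below is an added example, not part of the original post and not IE's parser: it tracks only CSS string and comment state over constructed pages. Assumptions: the key, the URL and `WEAK_MARKER` are hypothetical, and the comparison with a quote-less marker is an inference about why the marker contains quotes, not something the post states.

```javascript
// Added illustration, not IE's real parser: tracks only CSS string/comment state.
const MARKER = '<!--"/*"/*-->';   // marker quoted in the post
const WEAK_MARKER = '<!--/*-->';  // hypothetical quote-less variant, for comparison

// Return the text a CSS scanner treats as live, i.e. everything outside /* ... */.
function cssVisibleText(source) {
  let out = '';
  let quote = null;      // active string delimiter, or null outside a string
  let inComment = false;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (inComment) {
      if (source.startsWith('*/', i)) { inComment = false; i++; }
      continue;          // comment bodies never reach the output
    }
    if (quote !== null) {
      out += ch;
      if (ch === '\\' && i + 1 < source.length) out += source[++i]; // escaped char
      else if (ch === quote || ch === '\n') quote = null; // closed, or cut off at a newline
      continue;
    }
    if (source.startsWith('/*', i)) { inComment = true; i++; continue; }
    if (ch === '"' || ch === "'") quote = ch;
    out += ch;
  }
  return out;
}

// Constructed sample pages; the key and URL are placeholders.
const LINK = '<a href="http://desktop.example/?key=EXAMPLEKEY">Desktop</a>';
const BALANCED = '<div>nav</div>';       // scanner is outside a string afterwards
const UNBALANCED = '<p>5" display</p>';  // stray quote leaves the scanner inside a string

const PAGES = {
  unprotected: BALANCED + LINK,
  markerOutsideString: BALANCED + MARKER + LINK,
  markerInsideString: UNBALANCED + MARKER + LINK,
  weakMarkerInsideString: UNBALANCED + WEAK_MARKER + LINK,
};

// True when the key survives into the text a CSS-text read would expose.
function keyReadable(page) {
  return cssVisibleText(page).includes('EXAMPLEKEY');
}

for (const [name, page] of Object.entries(PAGES)) {
  console.log(name, keyReadable(page));
}
```

In this model the quoted marker opens a comment whether or not the scanner was already inside a string, while the quote-less variant is swallowed by an open string and the link's own quote then closes it.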
The fact that a change to Google's site closes a security risk for their offline software tells me Google's product design must suck donkey nuts.
When I saw the title and read the first few lines, I thought that I missed some MS initiative to go open-source or something. But I guess I was being silly for even thinking like that.
nt
Google Desktop apparently uses some CSS style sheets served by their site. The IE vulnerability was in its CSS logic and thus adjusting the CSS on their server avoids the exploit from the Google Desktop vector.
--
Q
>>It's a classic case of addiction..And Microsoft counts on this. That's why they dominate - they have everybody "addicted" to their software.
Funny, I was just discussing that with someone last night, regarding "pirate Windows copies." MSFT depends on pirated Windows copies to replenish their user base.
Don't we sue tobacco companies for these tactics?
Hey, I finally got my first freak! Took you long enough!
The whole bug is that there is an XSS vulnerability within the IE JavaScript engine around CSS imports. The vulnerability will let you load the contents of any other site into your own site and examine them. This is normally not allowed.
All the stuff you are describing is just details around how to use this exploit to get information from Google Desktop. But you can easily do the same thing to exploit any service who uses an embedded IE component to render data from a server, be it internal or external.
Take my Ultimate Bet example for instance. All you would need to do is have a webpage with the rogue code in it visited by the user at the same time they are logged into Ultimate Bet. You can then use the exploit to load up the user's account page (which will load fine, since they are already logged in), and get whatever the hell data you want, including withdrawing money from their account.
It's a very dangerous scenario. Someone could write a whole bunch of rogue scripts that looked for various exploitable applications to steal data, that all execute from one page. If the user happened to be running the app at that time they would be instantly screwed by visiting that page. The only reason Google Desktop is a particularly interesting target is that it is *always* running. But that is not a prerequisite for the exploit.
This article appears to be quite confused. In some way, it appears to point at google and claim somehow that the vulnerability was google's fault. Phrases like "Google Fixes Desktop Search Loophole" and "Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to" strongly imply this. In other parts the article is very explicit that the problem is an IE vulnerability that Microsoft hasn't patched.
So, which is it? Is google doing Microsoft a favor by avoiding the use of a feature that Microsoft flubbed? Or did google do something wrong in the first place? And precisely what standards are other makers of desktop software held to? The industry seems to almost gleefully accept an endless parade of the most egregious bugs from these vendors (Microsoft in particular). So, it seems that it would be meaningless to hold google to the same standard unless the complaint is that they have too few bugs.
Note that I have never worked for google or Microsoft.
Another annoyance is this sentence: "Does the researcher think he has really contributed to the security of Internet users worldwide by going public with details of the problem when no fix is available?" In the absence of any other data, that question can't be answered. If a vulnerability goes for longer than a month without the vendor fixing it, then I think a responsible security researcher has a duty to disclose the vulnerability so that people can protect themselves from it.
There is a fine balance to be struck. And as a rule, it is always a courtesy for a security researcher to disclose a vulnerability first to a vendor, and secondly to the net at large. It is never a requirement. If a vendor abuses the courtesy by not bothering to fix the bug, the researcher has every right (and indeed, a duty) to present the information to the public. You can be sure that people who are much more shadowy than the security researcher looking for a bit of acclaim have a good chance of already knowing about the bug, and are quietly exploiting it for themselves.
All in all, I find your article to be both too simplistic in its treatment of various issues, and confused and muddled about exactly where responsibility lies for various problems. You should be able to do better. You call yourselves 'CIO Today', and the average IT worker's biggest complaint about their bosses is how ill-informed their bosses are about technology while being absolutely certain that they know better than their employees. Perhaps this article points to the reason why.
Note that I have never worked for either Microsoft or google.
Need a Python, C++, Unix, Linux develop
The number of Bugs discovered is directly proportional to the number of vendors interfacing the software and the number of lines of code, add a bonus constant 'K' if the product has a web-based interface.
It amazed me how quickly Google can turn in a fix. For a company their size, they can still churn out code with speed. I wonder if Microsoft can learn a few things from Google. I also like the fact that you did not need to download a patch. It seems like a very good design was in place for these types of issues.
Intelligent Design
I wasn't invited to this "bug party" on /. since I use Firefox!
But if I switch the User Agent on FF to IE can you guys invite me? Please?
Woah, I didn't know IE went open-source!
Join the anonymous, help develop the network: http://www.i2p2.de
It was MOST DEFINITELY Al Gore's fault... He's the one that invented the internet in the first place.
401 - Attention span not found
Google was able to fix a problem by which your personal info is available by making server side changes! This means that the personal data was available through google's servers, and not by a direct connection to your machine via IE. Not so cool in my books that they have that info in the first place.
I've been as much a Google fanboy as anyone--Gmail, Google search on my Web sites and built in to my Web browser, AdSense, Blogger. Except that Blogger, owned by Google, has deleted my account with no discussion and no appeal.
I think the "not evil" ethical standards may be slipping just a bit.
Vista:XPSP2::ME:98SE
Ronald McDonald fixed my desktop for me!!!
Personally, I'm kind of worried that a server-side fix from Google can fix it--what else are they doing with a Google Desktop connection?
I don't bother with either the google toolbar or the local ("beagle") search. I fear it would make me too lazy to spend 10 minutes once a week to impose some organisation to my files.
It's like when my sister can't find anything after clicking through the whole "My Documents" crapfest. I tell her - make a directory outside of all that crap, call it some meaningful name, and stick everything relevant there.
More Google whining from the submitter. You know what? All you Google nay sayers can go fuck yourselves.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
In more ways than one. It will also keep the users' PCs as benign viewer stations.
On the opposite side of the same token, it will make security breaches at the Web Application level much more dangerous.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
Ummm, sorry, did I miss something? What's going on here?
Oh, ok, didn't realize it was already another Google worship session. Sorry for disturbing...
Yeah, if you release some software to be run within some 'platform' and this software opens some security hole in the platform through your application, then it is your problem too. It's not fair to assume the platform to be bug free. As somebody else pointed out, the same problem can arise in firefox too. Likewise, if you write a php application which allows the remote user to enter any shell command, it would open a security hole and in this case nobody would claim it is the fault of php interpreter or the web server itself. It would be called a backdoor instead. Yes, the web server could be setup in a chroot environment and php can be configured to disallow this, but it would still be a huge problem. When you provide some web server plugin, you must care even more about security issues.
Just further proof that MS doesn't like to fix its bugs.
I've seen articles that say MS products tend to have lower numbers of bugs than Open Source products. The difference is that the OS developers actually FIX theirs in a reasonable time. Not like MS who leave even very serious issues until their next scheduled patch or most times even later than that.
I'm actually looking forward to the Vista feature with the dynamic folder searches. It may have existed on something else first, but I don't really care and I still am looking quite forward to organizing dynamically and effectively. From what I've seen of the beta, it does work pretty well and very quickly.