Slashdot Mirror


Google Fixes IE Bug

aussie_a writes "Without accepting blame Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald."

13 of 225 comments

  1. Misleading title by HishamMuhammad · · Score: 4, Informative

    The title sounds as if Google had fixed a bug in Internet Explorer's code. Shouldn't it be "Google fixes Google Desktop bug"?

    Granted, it does make it sound less like news... but I suppose it's because it isn't, really. You don't see stories like "Adobe fixes Photoshop bug", "KDE team fixes Konqueror bug", etc... since of course that's just part of the daily life in development.

    1. Re:Misleading title by skyhawker · · Score: 4, Informative
      The title sounds as if Google had fixed a bug in Internet Explorer's code. Shouldn't it be "Google fixes Google Desktop bug"?

      Not really. The flaw is in IE and Google's use of CSS exposed it to their users. They were able to change their use of CSS to work around the exploit, but the exploit still remains in IE. Even Microsoft admits that.
      --

      The best diplomat I know is a fully activated phaser bank.
      -- Scotty.
  2. Re:The bug was Google's... by TCFOO · · Score: 4, Informative

    They fixed their code so that their Desktop Search program couldn't be used maliciously because of a flaw in IE.

  3. I don't think Google 'patched' the vulnerability by kclittle · · Score: 3, Informative
    If I RTFA correctly, they just avoided using it. The vulnerability (in IE, which only MS can patch) is still there...

    --
    Generally, bash is superior to python in those environments where python is not installed.
  4. Ok everyone.... by brunes69 · · Score: 5, Informative
    This article summary, and also most comments posted so far, are total misinformed garbage.

    First of all, Google did not fix an IE bug. All they did is make their own software a bit more tight in security, so that *they* are not susceptible to the IE bug. It does not *fix* it.

    Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.

    But *ANY* app that embeds IE is (and remains) vulnerable, including many other pieces of software. For example, for all you poker players, if you have an account at UltimateBet, you *are* vulnerable to this bug, and in theory someone could use it to steal your account information, which is very dangerous, since they may be able to initiate withdrawals from your account as well.

    This is just the tip of the iceberg; there are literally hundreds of apps that embed the IE engine for rendering. All are at risk.

  5. Re:The bug was Google's... by TheRealMindChild · · Score: 4, Informative

    I think the problem was that Google's software was being run in the "Local Zone", which is almost always highly trusted. The flaw was that a site on the Internet could manipulate the toolbar. Sort of like an XSS vulnerability.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  6. Re:The bug was Google's... by nicc777 · · Score: 3, Informative

    From the article: "Even though Internet Explorer is the root cause of the vulnerability, Google's changing its Desktop Search so that it was no longer remotely accessible through the vulnerability in IE was the responsible thing for Google to do," said Gartner Research vice president Neil MacDonald.

    --
    Need an ISP in South Africa?
  7. You're 1/2 right by brunes69 · · Score: 3, Informative

    Yes, a large part of Google Desktop will run in any browser.

    But parts of the Sidebar component are rendered using an IE rendering engine. It is simple to verify if you check the references in the EXE and DLLs.

  8. Re:Thanks for Fixing the Problem by zootm · · Score: 3, Informative

    Well, to be fair, it is extremely comparable to a Firefox extension or plugin, which have similar rights. I don't think there's really a browser which is safe from this.

    I'm not sure what the particular problem with ActiveX is other than the fact that its security model, particularly in old versions, was just pitifully weak (there just wasn't enough forcing people to check a component before installing it). If there are more specific problems, though, I'd like to hear them (always interested).

  9. Re:Excuse me, but It's really Google's Fault by Anonymous Coward · · Score: 3, Informative

    Uhmm, not quite. We blame the one who did not do as they should have done. The reason we do not blame the compiler for a buffer overflow is the fact that the overflow resulted because the compiler acted the way it is supposed to. Instead, we blame the programmer who was not aware of this. So far, you're right.

    What would you do if your program used libfoo, and libfoo turns out to have a security vulnerability in one of the functions you use? You either update to a new version of libfoo, or you try to restructure your code to avoid using the problematic function.

    In this case, it would seem that Google made use of IE as it was supposed to (by API specification), but IE was not secure as it should have been, so Google decided to do it a different way. I do not see how the fault lies with Google, nor why they deserve particular praise. They found out that one of their underlying programs had a security vulnerability with no known fix, so they used a workaround to secure their application.

    Microsoft on the other hand just gets a "stupid!" from me for allowing something so easily fixed to blow up in their faces like this. Way too much bad press for such a little thing.

  10. Clearing up some of the confusion by matangillon · · Score: 5, Informative

    I'd like to clear up some of the confusion the mainstream media has caused.

    The bug I found is in Microsoft Internet Explorer and not in Google Desktop. This bug remains in the browser and it is in no way fixed. This bug by itself is a pretty serious one and allows for exploitation of many sites that are not Google related.

    My proof of concept code exploited Google Desktop to retrieve private information from a local machine. In order to do that I used the IE bug twice. First I used it on one of Google's sites in order to get a valid key so I can access the local web server that is Google Desktop's interface. The second time was to execute a query on the GDS server and retrieve the results.

    Google basically found a quick hack that nullifies the first portion of the exploit, getting the valid key. They added the following piece of HTML code to their sites, right before the "Desktop" link is revealed: "<!--"/*"/*-->". This makes the IE CSS parser think the rest of the page is a comment so the link won't be visible while trying to read the CSS text.

    The bug in IE remains at large. And GDS itself is still exploitable. If somebody found an XSS hole in one of Google's sites, he would be able to retrieve the GDS key and then use the second portion of the exploit to retrieve local results.

    As I said in my original article, this is a serious bug and there's no simple solution for it, at least until IE is fixed.

    Matan

  11. Re:How did they fix it w/out updating Google Deskt by qray · · Score: 3, Informative

    Google Desktop apparently uses some CSS style sheets served by their site. The IE vulnerability was in its CSS logic and thus adjusting the CSS on their server avoids the exploit from the Google Desktop vector.
    --
    Q