Google Fixes IE Bug
aussie_a writes "Without accepting blame, Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald."
It's my understanding that this flaw has nothing to do with Google Desktop per se -- but rather was just discovered on Google. Although I'm glad they shut down the flaw where Google is concerned, it seems that it still exists for other programs -- since the security breach itself is not specific to Google.
If I recall previous discussions correctly, the flaw was in MSIE. If that's the case, what's to prevent an attacker from exploiting the flaw with his own code?
I create web apps for a very widely distributed organization. We have dozens of different offices, all using their own type of Internet connection.
2 of our ISPs (which are actually government agencies) have blocked IE usage completely. They simply can't get on the network using IE.
This was in response to last week's security issues.
One of the apps we run uses IE-specific (ActiveX) controls. They are not required but they just make it much easier for the users. Now those have been blocked in two locations, causing me a lot of headaches. Of course, the standard answer would be, "why did you use IE-specific code?" It was an option for users...but they began to rely upon it.
So I, for one, wish that Microsoft would either:
A- fix the security problems
B- release an 'IE Secure' browser, that is stripped down but secure
or
C- Umm...short of fixing the problems I don't have many other needs.
I really wouldn't mind if they had a totally secure version of their browser. Just stripped down functionality (cookies, JavaScript, etc.) and pull out the other junk. Yes...we used some of the other junk, but at the time it seemed like a good idea.
By the way, I am now on the market for a good cross-browser in-line WYSIWYG HTML editor. A Flash version would be great too.
No reason to lie.
I'm sorry, but I can't come up with much sympathy for you or your users, because you used those IE-only, ActiveX controls. It's not as if IE being insecure is exactly news; sure the last few weeks have been particularly bad, but a whole lot of people have been saying this is coming for a while. Years, really.
Your attitude shows concern for your users, which is good -- it sounds like you put in this feature to make life easier for them, and I think that's great. However the way you implemented it was evidently a bad choice, exchanging ease of use for security, and now your clients have shown where their priorities are: security over ease-of-use.
Now would probably be a good time to either go back to the drawing board and see how you can reimplement those ease of use features, without tying yourselves down to one browser (particularly one that's developing an ever-growing reputation for being insecure and slowly patched). The alternative seems to be dumping the functionality completely, if you can't figure out a way to do it without IE ActiveX. Just waiting or hoping for Microsoft to release a "Secure IE" (how do you know it's secure?) seems foolish, and just begging to be put in the same position again down the road.
I admit I don't like Microsoft much, but I would be saying the same thing if you had written a Firefox-only interface and then some massive security hole was found with it.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."