Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Fixes IE Bug

Posted by Zonk on from the quik-fix dept.

aussie_a writes "Without accepting blame Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald. "

32 of 225 comments (clear)

  1. Thanks for Fixing the Problem by teiresias · · Score: 3, Insightful

    Well I'm just glad Google fixed the issue whether it's their fault or not.

    I don't care who's fault it is. Just fix the problem. //not that I use IE but you know still.

    --
    -Teiresias
    1. Re:Thanks for Fixing the Problem by bigman2003 · · Score: 5, Interesting

      I create web apps for a very widely distributed organization. We have dozens of different offices, all using their own type of Internet connection.

      2 of our ISPs (which are actually government agencies) have blocked IE usage completely. They simply can't get on the network using IE.

      This was in response to last week's security issues.

      One of the apps we run uses IE specific (Active X) controls. They are not required but they just make it much easier for the users. Now those have been blocked in two locations- causing me a lot of headaches. Of course, the standard answer would be, "why did you use IE specific code?" It was an option for users...but they began to rely upon it.

      So I for one, wish that Microsoft would either:

      A- fix the security problems
      B- release an 'IE Secure' browser, that is stripped down but secure
      or
      C- Umm...short of fixing the problems I don't have many other needs.

      I really wouldn't mind if they had a totally secure version of their browser. Just stripped down functionality (cookies, javascript, etc) and pull out the other junk. Yes...we used some of the other junk, but at the time it seemed like a good idea.

      By the way, I am now on the market for a good cross-browser in-line WYSIWYG HTML editor. A flash version would be great too.

      --
      No reason to lie.
    2. Re:Thanks for Fixing the Problem by Anonymous Coward · · Score: 5, Informative

      http://tinymce.moxiecode.com/
      http://dynarch.com/projects/htmlarea/
      http://fckeditor.net/
      http://bnl.gov/itd/htmleditor/

    3. Re:Thanks for Fixing the Problem by Chi-RAV · · Score: 4, Funny

      One of the apps we run uses IE specific (Active X) controls.
      release an 'IE Secure' browser, that is stripped down but secure
      Sure, we'll just take ActiveX out of IE and call it a "secure" version.

    4. Re:Thanks for Fixing the Problem by zootm · · Score: 3, Informative

      Well, to be fair, it is extremely comparable to a Firefox extension or plugin, which have similar rights. I don't think there's really a browser which is safe from this.

      I'm not sure what the particular problem with ActiveX is other than the fact that its security model, particularly in old versions, was just pitifully weak (there just wasn't enough forcing people to check a component before installing it). If there's more specific problems, though, I'd like to hear them (always interested).

    5. Re:Thanks for Fixing the Problem by Kadin2048 · · Score: 3, Interesting

      I'm sorry, but I can't come up with much sympathy for you or your users, because you used those IE-only, ActiveX controls. It's not as if IE being insecure is exactly news; sure the last few weeks have been particularly bad, but a whole lot of people have been saying this is coming for a while. Years, really.

      Your attitude shows concern for your users, which is good -- it sounds like you put in this feature to make life easier for them, and I think that's great. However the way you implemented it was evidently a bad choice, exchanging ease of use for security, and now your clients have showed where their priorities are: security over ease-of-use.

      Now would probably be a good time to either go back to the drawing board and see how you can reimplement those ease of use features, without tying yourselves down to one browser (particularly one that's developing an ever-growing reputation for being insecure and slowly patched). The alternative seems to be dumping the functionality completely, if you can't figure out a way to do it without IE ActiveX. Just waiting or hoping for Microsoft to release a "Secure IE" (how do you know it's secure?) seems foolish, and just begging to be put in the same position again down the road.

      I admit I don't like Microsoft much, but I would be saying the same thing if you had written a Firefox-only interface and then some massive security hole was found with it.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  2. If they can fix stuff at their end... that's cool! by byolinux · · Score: 5, Insightful

    As more and more desktop apps serve as an interface to a website, it'll become a lot easier to fix and deploy new functionality. This is a good thing.

    --
    Join the Free Software Foundation
  3. Credibility? by connah0047 · · Score: 5, Funny

    The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.

    I question Mr. MacDonald's credibility. If this is the same gentleman I'm thinking of, he's an older man who has a farm...or at least had one.

    1. Re:Credibility? by Jawju · · Score: 3, Funny

      So that means the bug isn't in IE - it's in EI-EI version 0.

  4. Misleading title by HishamMuhammad · · Score: 4, Informative

    The title sounds as if Google had fixed a bug in Internet Explorer's code. Shouldn't it be "Google fixes Google Desktop bug"?

    Granted, it does make it sound less like news... but I suppose it's because it isn't, really. You don't see stories like "Adobe fixes Photoshop bug", "KDE team fixes Konqueror bug", etc... since of course that's just part of the daily life in development.

    --
    The filesystem is the package manager
    1. Re:Misleading title by skyhawker · · Score: 4, Informative
      The title sounds as if Google had fixed a bug in Internet Explorer's code. Shouldn't it be "Google fixes Google Desktop bug"?

      Not really. The flaw is in IE and Google's use of CSS exposed it to their users. They were able to change their use of CSS to work around the exploit, but the exploit still remains in IE. Even Microsoft admits that.
      --

      The best diplomat I know is a fully activated phaser bank.
      -- Scotty.
  5. "Raises questions"? by argent · · Score: 4, Insightful

    Well, I guess.. like "why would you go with Microsoft who sit on a vulnerability for months, instead of someone who actually fixes security holes?"

  6. This maybe unfortunate by sgent · · Score: 3, Interesting

    Its my understanding that this flaw has nothing to do with Google Desktop per se -- but rather was just discovered on Google. Although I'm glad they shut down the flaw where Google is concerned, it seems that it still exists for other programs -- since the security breach itself is not specific to Google.

  7. Re:The bug was Google's... by TCFOO · · Score: 4, Informative

    They fixed their code so that their Desktop Search program couldn't be used maliciously because of a flaw in IE.

  8. Re:The bug was Google's... by Big+Nothing · · Score: 3, Insightful

    "The bug was Google's... ...so why is it headlined "IE Bug"? It's not a bug in IE..."

    Actually, the bug IS originally in the IE code. But Google's Desktop implementation of that code failed to address the security hole. In other words: Microsoft created the security hole and Google Desktop made it dangerous. Who's to blame? MS? Google? Both? None? You decide.

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
  9. I don't think Google 'patched' the vulnerability by kclittle · · Score: 3, Informative
    If I RTFA correctly, they just avoided using it. The vulnerability (in IE, which only MS can patch) is still there...

    --
    Generally, bash is superior to python in those environments where python is not installed.
  10. Ok everyone.... by brunes69 · · Score: 5, Informative
    This article summary, and also most comments posted so far, are total misinformed garbage.

    First of all, Google did not fix an IE bug. All they did is make their own software a bit more tight in security, so that *they* are not suceptible to the IE bug. It does not *fix* it.

    Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.

    But *ANY* app that embeds IE is (and remains) vulnerable, including many other pieces of software. For example, for all you poker players, if you have an account a UltimateBet, you *are* vulnerable to ths bug, and in theory someone could use it to steal your account information, which is very dangerous, since they may be able th initate withdraws from your account as well.

    This is just the tip of the iceburgm there are literally hundreds of apps that embed the IE engine for rendering. All are at risk.

  11. Re:The bug was Google's... by TheRealMindChild · · Score: 4, Informative

    I think the problem was that the google's software was being run in the "Local Zone", which is almost always highly trusted. The flaw was that a site on the Internet could manipulate the toolbar. Sort of like an XSS vulnerability.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  12. Re:The bug was Google's... by nicc777 · · Score: 3, Informative

    From the article: "Even though Internet Explorer is the root cause of the vulnerability, Google's changing its Desktop Search so that it was no longer remotely accessible though the vulnerability in IE was the responsible thing for Google to do," said Gartner Research vice president Neil MacDonald.

    --
    Need an ISP in South Africa?
  13. Re:The bug was Google's... by TedCheshireAcad · · Score: 4, Funny

    Who's to blame? MS? Google? Both? None? You decide.

    George W. Bush, clearly.

  14. Re:The bug was Google's... by FunkyELF · · Score: 4, Insightful

    The bug was an IE bug. Lets say there is a windows exploit out there and it has the potential to let people run arbitrary code on the victim's computer. If that code accesses e-mail files stored on the computer that have usernames / passwords / credit card information....it is not the fault of Thunderbird, Eudora, Netscape, or whatever e-mail client is running there. That isn't how they got in, they got in through the windows exploit. I'm sure google didn't fix the IE bug, they prevented people using that exploit from getting personal information from Google Desktop Search. The IE bug is still there. This will just put less pressure on Microsoft to fix their POS browser.

  15. What about the IE vulnerability? by erroneus · · Score: 4, Interesting

    If I recall previous discussions correctly, the flaw was in MSIE. If that's the case, what's to prevent an attacker from exploiting the flaw with his own code?

  16. Indeed by Gruneun · · Score: 5, Funny

    If I remember correctly, he was far more concerned with EI than IE.

    1. Re:Indeed by aug24 · · Score: 5, Funny

      Oh?

      --
      You're only jealous cos the little penguins are talking to me.
  17. What standards would those be? by Billosaur · · Score: 4, Insightful

    From CIO Today: The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.

    "Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to," he said.

    Standards? What standards would those be? Last I checked, most software manufacturers are sending out buggy copies of their code hoping you won't notice, patching it up continuously, then going ahead and doing it repeatedly. And let's not forget that Microsoft is the king of them all!

    And exactly how are we to hold them to these "standards"? So many people use Microsoft routinely that they have the lion's share of the market, and their competitors are left with the spoils. And while you may not like MS, many of their programs work just well enough that you believe you've got a decent, everday product. Of course they break down, and people scream and rant, but in the end what do they do? Do they immediately switch to something else? No! They patch up their flawed software and keep the status quo.

    It's a classic case of addiction, a lot like gambling but in reverse. You use the software every day and most days it works. The one time it doesn't, you fret, but because you restart it or patch it and it works, you go right back to it, rather than exploring alternatives. And Microsoft counts on this. That's why they dominate - they have everybody "addicted" to their software.

    --
    GetOuttaMySpace - The Anti-Social Network
  18. Responsibilty. by headkase · · Score: 4, Insightful

    ...Shouldn't it be "Google fixes Google Desktop bug"?...

    Nope. Object-orientated programming. If the api documentation says that something should operate in a certain way and it does not then by fixing the problem on your side of things it weakens encapsulation of the function and makes it easier for future bugs to accumulate as the totality of code slowly turns to spaghetti.

    --
    Shh.
  19. An analogy for the comprehension-deficient... by Gruneun · · Score: 5, Insightful

    Dick drives Jane's car.
    Jane's car has a faulty parking brake.
    Dick parks, engages the brake, but the car rolls away.
    Dick stops parking on hills.

    Important Points
    Jane did not fix the parking brake
    Dick did not fix the parking brake, but he no longer uses it.
    Other drivers may or may not be aware of the broken parking brake.
    The potential is still there for the car to roll away.

  20. You're 1/2 right by brunes69 · · Score: 3, Informative

    Yes, a large part of Google Desktop will run in any browser.

    But parts of the Sidebar component are rendered using an IE rendering engine. It is simple to verify if you check the references in the EXE and DLLs.

  21. Misleading Title by mkraft · · Score: 3, Insightful

    Google didn't fix the IE bug. The IE bug still exists. Only Microsoft can fix the IE bug. What Google did was put in a work around so that exploiting the IE bug won't cause a security risk in Google Desktop.

    The IE bug can still affect other software.

  22. Re:Excuse me, but It's really Google's Fault by Anonymous Coward · · Score: 3, Informative

    Uhmm, not quite. We blame the one who did not do as they should have done. The reason we do not blame the compiler for a buffer overflow is the fact that the overflow resulted because the compiler acted the way it is supposed to. Instead, we blame the programmer who was not aware of this. So far, you're right.

    What would you to if your program used libfoo, and libfoo turns out to have a security vulnerability in one of the functions you use? You either update to a new version of libfoo, or you try to restructure your code to avoid using the problematic function.

    In this case, it would seem that Google made use of IE as it was supposed to (by API specification), but IE was not secure as it should have been, so Google decided to do it a different way. I do not see how the fault lies with Google, nor why they deserve particular praise. They found out that one of their underlying programs had a security vulnerability with no known fix, so they used a workaround to secure their application.

    Microsoft on the other hand just gets a "stupid!" from me for allowing something so easily fixed to blow up in their faces like this. Way too much bad press for such a little thing.

  23. Clearing up some of the confusion by matangillon · · Score: 5, Informative

    I'd like to clear up some of the confusion the mainstream media has caused.

    The bug I found is in Microsoft Internet Explorer and not in Google Desktop. This bug remains in the browser and it is in no way fixed. This bug by itself is a pretty serious one and allows for exploitation of many sites that are not Google related.

    My proof of concept code exploited Google Desktop to retrieve private information from a local machine. In order to do that I used the IE bug twice. First I used it on one of Google's sites in order to get a valid key so I can access the local web server that is Google Desktop's interface. The second time was to execute a query on the GDS server and retrieve the results.

    Google basically found a quick hack that nullifies the first portion of the exploit, getting the valid key. They added the following piece of HTML code to their sites, right before the "Desktop" link is revealed: "<!--"/*"/*-->". This makes the IE CSS parser think the rest of the page is a comment so the link won't be visible while trying to read the CSS text.

    The bug in IE remains at large. And GDS itself is still exploitable. If somebody found an XSS hole in one of Google's sites, he would be able to retrive the GDS key and then use the second portion of the exploit to retrieve local results.

    As I said in my original article, this is a serious bug and there's no simple solution for it, at least until IE is fixed.

    Matan

  24. Re:How did they fix it w/out updating Google Deskt by qray · · Score: 3, Informative

    Google Desktop apparently uses some CSS style sheets served by their site. The IE vulnerability was in its CSS logic and thus adjusting the CSS on their server avoids the exploit from the Google Desktop vector.
    --
    Q