Google Fixes IE Bug
aussie_a writes "Without accepting blame Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald."
As more and more desktop apps serve as an interface to a website, it'll become a lot easier to fix and deploy new functionality. This is a good thing.
Join the Free Software Foundation
The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.
I question Mr. MacDonald's credibility. If this is the same gentleman I'm thinking of, he's an older man who has a farm...or at least had one.
The title sounds as if Google had fixed a bug in Internet Explorer's code. Shouldn't it be "Google fixes Google Desktop bug"?
Granted, it does make it sound less like news... but I suppose it's because it isn't, really. You don't see stories like "Adobe fixes Photoshop bug", "KDE team fixes Konqueror bug", etc... since of course that's just part of the daily life in development.
The filesystem is the package manager
Well, I guess.. like "why would you go with Microsoft who sit on a vulnerability for months, instead of someone who actually fixes security holes?"
They fixed their code so that their Desktop Search program couldn't be used maliciously because of a flaw in IE.
First of all, Google did not fix an IE bug. All they did is make their own software a bit more tight in security, so that *they* are not susceptible to the IE bug. It does not *fix* it.
Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.
But *ANY* app that embeds IE is (and remains) vulnerable, including many other pieces of software. For example, for all you poker players, if you have an account at UltimateBet, you *are* vulnerable to this bug, and in theory someone could use it to steal your account information, which is very dangerous, since they may be able to initiate withdrawals from your account as well.
This is just the tip of the iceberg; there are literally hundreds of apps that embed the IE engine for rendering. All are at risk.
I think the problem was that Google's software was being run in the "Local Zone", which is almost always highly trusted. The flaw was that a site on the Internet could manipulate the toolbar. Sort of like an XSS vulnerability.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Who's to blame? MS? Google? Both? None? You decide.
George W. Bush, clearly.
The bug was an IE bug. Let's say there is a Windows exploit out there and it has the potential to let people run arbitrary code on the victim's computer. If that code accesses e-mail files stored on the computer that have usernames / passwords / credit card information....it is not the fault of Thunderbird, Eudora, Netscape, or whatever e-mail client is running there. That isn't how they got in, they got in through the Windows exploit. I'm sure Google didn't fix the IE bug, they prevented people using that exploit from getting personal information from Google Desktop Search. The IE bug is still there. This will just put less pressure on Microsoft to fix their POS browser.
If I recall previous discussions correctly, the flaw was in MSIE. If that's the case, what's to prevent an attacker from exploiting the flaw with his own code?
If I remember correctly, he was far more concerned with EI than IE.
From CIO Today: The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.
"Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to," he said.
Standards? What standards would those be? Last I checked, most software manufacturers are sending out buggy copies of their code hoping you won't notice, patching it up continuously, then going ahead and doing it repeatedly. And let's not forget that Microsoft is the king of them all!
And exactly how are we to hold them to these "standards"? So many people use Microsoft routinely that they have the lion's share of the market, and their competitors are left with the spoils. And while you may not like MS, many of their programs work just well enough that you believe you've got a decent, everyday product. Of course they break down, and people scream and rant, but in the end what do they do? Do they immediately switch to something else? No! They patch up their flawed software and keep the status quo.
It's a classic case of addiction, a lot like gambling but in reverse. You use the software every day and most days it works. The one time it doesn't, you fret, but because you restart it or patch it and it works, you go right back to it, rather than exploring alternatives. And Microsoft counts on this. That's why they dominate - they have everybody "addicted" to their software.
GetOuttaMySpace - The Anti-Social Network
...Shouldn't it be "Google fixes Google Desktop bug"?...
Nope. Object-orientated programming. If the api documentation says that something should operate in a certain way and it does not then by fixing the problem on your side of things it weakens encapsulation of the function and makes it easier for future bugs to accumulate as the totality of code slowly turns to spaghetti.
Shh.
I create web apps for a very widely distributed organization. We have dozens of different offices, all using their own type of Internet connection.
2 of our ISPs (which are actually government agencies) have blocked IE usage completely. They simply can't get on the network using IE.
This was in response to last week's security issues.
One of the apps we run uses IE specific (Active X) controls. They are not required but they just make it much easier for the users. Now those have been blocked in two locations- causing me a lot of headaches. Of course, the standard answer would be, "why did you use IE specific code?" It was an option for users...but they began to rely upon it.
So I for one, wish that Microsoft would either:
A- fix the security problems
B- release an 'IE Secure' browser, that is stripped down but secure
or
C- Umm...short of fixing the problems I don't have many other needs.
I really wouldn't mind if they had a totally secure version of their browser. Just stripped down functionality (cookies, javascript, etc) and pull out the other junk. Yes...we used some of the other junk, but at the time it seemed like a good idea.
By the way, I am now on the market for a good cross-browser in-line WYSIWYG HTML editor. A flash version would be great too.
No reason to lie.
Dick drives Jane's car.
Jane's car has a faulty parking brake.
Dick parks, engages the brake, but the car rolls away.
Dick stops parking on hills.
Important Points
Jane did not fix the parking brake
Dick did not fix the parking brake, but he no longer uses it.
Other drivers may or may not be aware of the broken parking brake.
The potential is still there for the car to roll away.
http://tinymce.moxiecode.com/
http://dynarch.com/projects/htmlarea/
http://fckeditor.net/
http://bnl.gov/itd/htmleditor/
One of the apps we run uses IE specific (Active X) controls.
release an 'IE Secure' browser, that is stripped down but secure
Sure, we'll just take ActiveX out of IE and call it a "secure" version.
I'd like to clear up some of the confusion the mainstream media has caused.
The bug I found is in Microsoft Internet Explorer and not in Google Desktop. This bug remains in the browser and it is in no way fixed. This bug by itself is a pretty serious one and allows for exploitation of many sites that are not Google related.
My proof of concept code exploited Google Desktop to retrieve private information from a local machine. In order to do that I used the IE bug twice. First I used it on one of Google's sites in order to get a valid key so I can access the local web server that is Google Desktop's interface. The second time was to execute a query on the GDS server and retrieve the results.
Google basically found a quick hack that nullifies the first portion of the exploit, getting the valid key. They added the following piece of HTML code to their sites, right before the "Desktop" link is revealed: "<!--"/*"/*-->". This makes the IE CSS parser think the rest of the page is a comment so the link won't be visible while trying to read the CSS text.
The bug in IE remains at large. And GDS itself is still exploitable. If somebody found an XSS hole in one of Google's sites, he would be able to retrieve the GDS key and then use the second portion of the exploit to retrieve local results.
As I said in my original article, this is a serious bug and there's no simple solution for it, at least until IE is fixed.
Matan
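A simplified model of why the marker described in the comment above hides the link from a CSS parser, added here as an example that is not part of the original comment or Google's code. The tokenizer is an assumption based on the standard CSS comment and string rules, not IE's actual parser, and the page, link and key are constructed.

```javascript
// Simplified model of a lenient CSS tokenizer (an assumption based on the
// standard CSS comment and string rules, not IE's real parser): text inside
// double quotes is kept, and "/*" outside a string opens a comment that runs
// to the next "*/" or, if none follows, to the end of the input.
function textSeenByCssParser(page, startInString = false) {
  let out = "";
  let inString = startInString;
  let i = 0;
  while (i < page.length) {
    if (inString) {
      if (page[i] === '"') inString = false;
      out += page[i++];
    } else if (page.startsWith("/*", i)) {
      const close = page.indexOf("*/", i + 2);
      if (close === -1) break; // unterminated comment swallows the rest
      i = close + 2;
    } else {
      if (page[i] === '"') inString = true;
      out += page[i++];
    }
  }
  return out;
}

const MARKER = '<!--"/*"/*-->';       // the marker quoted in the comment above
const KEY = "CONSTRUCTED-KEY-0000";   // constructed stand-in for the GDS key

// Constructed page: optional marker, optional markup between marker and link.
function buildPage(withMarker, between = "") {
  return "<html><body>results {layout}\n" +
    (withMarker ? MARKER : "") + between +
    '\n<a href="/desktop?key=' + KEY + '">Desktop</a></body></html>';
}

// True when the key survives into the text the modelled parser would expose.
function keyExposed(page, startInString = false) {
  return textSeenByCssParser(page, startInString).includes(KEY);
}

console.log(keyExposed(buildPage(false)));        // no marker
console.log(keyExposed(buildPage(true)));         // marker, parser in normal state
console.log(keyExposed(buildPage(true), true));   // marker, parser already mid-string
console.log(keyExposed(buildPage(true, "<script>/* init */</script>")));
```

Under this model the marker's two `/*` sequences cover both quote states, and the last case shows the limit of the approach: any `*/` between the marker and the link closes the comment again.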