Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Second Google Desktop Vulnerability

Posted by kdawson on from the anti-anti-anti-DNS-pinning dept.

zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

23 of 80 comments (clear)

  1. I'd RTFA but... by Joebert · · Score: 4, Funny

    What's all the fuss about ?
    I'd RTFA but I'm afraid of what will happen if I do.

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  2. I can't be the only one... by Wilson_6500 · · Score: 2, Interesting

    Even the experts are afraid to click on each other's links anymore.

    Does anyone else think that was tremendously funny in a sixth-grade-humor sort of way? Maybe I just am up too early.

  3. Experts? by notlisted · · Score: 3, Insightful

    "Even the experts are afraid to click on each other's links anymore."

    Umm.. Google desktop runs on Windows.. Seriously, how many "security experts" do you know running Windows?

    1. Re:Experts? by MichaelSmith · · Score: 3, Insightful

      Seriously, how many "security experts" do you know running Windows?

      Since most of the money (and challenges) for security is on Windows, I supose they could hardly be using anything else.

      --
      http://michaelsmith.id.au
    2. Re:Experts? by notlisted · · Score: 3, Insightful

      Since most of the money (and challenges) for security is on Windows, I supose they could hardly be using anything else.

      Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".
    3. Re:Experts? by MillionthMonkey · · Score: 3, Funny

      Seriously, how many "security experts" do you know running Windows?

      Not me. *I* find my Windows XP SP2 vulnerabilities using a Commodore 64 and a Commodore 1541 disk drive with a VM in its controller.
    4. Re:Experts? by MichaelSmith · · Score: 2, Interesting

      Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".

      Yes, I agree with you. But where I work if you are in any senior position you would be running windows on your desktop. Our "IT manager" has no IT experience at all, beyond knowing who has what contracts. Thats the guy in charge of security.

      --
      http://michaelsmith.id.au
    5. Re:Experts? by value_added · · Score: 3, Informative

      [T]hey run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation.

      BSD isn't supported as a VMWare host OS.

  4. Misleading summary by Potor · · Score: 4, Informative
    TFA is clear that this does not refer to the Google Desktop vulnerability in specific, but rather to the general state of browser security. TFA:

    "A lot of these new attack techniques are going to require the browsers to improve," Grossman said. "The users really have very little ability to protect themselves against these attacks" he said. "It's very bad. Even the experts are afraid to click on each other's links anymore."
  5. Welcome to ubiquity, Google by caywen · · Score: 3, Interesting

    I wonder how many more exploits would be found if Google Desktop ended up on 90% of desktop computers?

  6. Why Google Desktop is too frustrating to be used by Cato · · Score: 5, Insightful

    Google Desktop says that it automatically updates itself, but that doesn't work, and there's no 'force an update' feature as with Firefox.

    More infuriatingly, Google Desktop also doesn't understand that emails that it indexes in my Outlook Inbox won't stay there forever due to restrictions on server mailbox size, and doesn't re-index them when they move to an offline .PST file. So I frequently find an email, then try to open it in Outlook, then find I can't and have to find it manually by date/time. Same issue with files that are renamed or moved. Many people have complained about this, but the Google Desktop team ignored this, and instead spent their time producing the incredibly useless widgets, rather than *making the search features really work well*.

    Google Desktop still doesn't support the use of '-' to join two words, i.e. "foo bar" can be written as foo-bar. And the Google Desktop results within Outlook are still not a proper Outlook result list (as with Outlook Find), so you can't just drag items into a new email as attachments - no, you have to open up the email (if it can find it...), use Outlook to copy it to a temp folder, then drag from that folder into the new email.

    Google Desktop is simply too annoying to use any more, even though I've used it from version 1, and is actually a very un-Google-like product. Unlike the core Google.com search, which has been quietly optimised over the years to add stemming, proximity, spelling correction, etc, Google Desktop is actually a rather mediocre and barely usable desktop search tool whose primary benefit is that it integrates well with Google Toolbar.

  7. Re:Joanna Rutkowska? by notlisted · · Score: 2

    Not sure if you consider he as a security expert but Joanna Rutkowska uses Windows Vista. She was running Windows XP 64 bit before Vista was released IIRC.
    And if you check out her "about" page on her personal site you'll see she runs Linux as her OS of choice. The Windows system she uses for testing.

    "Soon after she switched to Linux world, got involved with some system and kernel programming, focusing on exploit development for both Linux and Windows x86 systems."

  8. Google Desktop pre-loaded on Dells by PoconoPCDoctor · · Score: 4, Interesting

    I noticed a while ago that Google Desktop was preloaded on the Dells we buy. These Dells can wind up in areas that might access patient information. Since this is a major research hospital/medical school, I brought my concerns to the security group (HIPAA laws mandate privacy for patient information). Dell/Google assured us that this was a non-issue.

    The end result was that not much happened.

    My take? I still uninstall it whenever I see it.

    --
    "Let us raise a standard to which the wise and honest can repair" - George Washington
    1. Re:Google Desktop pre-loaded on Dells by synx · · Score: 5, Insightful

      Any hospital that is using whatever Dell or HP or any vendor has pre-installed on a box is being irresponsible.

      Those Dells should have been wiped and had a secure configuration reloaded. Yeeeesh

      What hospital are you at, so I can avoid it?

  9. The root cause and how I avoid it by Wills · · Score: 4, Insightful
    This kind of security bug never affects me for a simple reason -- I permanently turn off Javascript. But the main issue for me is actually not a concern about security; afterall serious holes tend to be fixed quickly. The issue is that I use the web primarily to to find information, to study, to learn and when I do those things, what I am mostly doing is reading text . I don't need fancy "interactivity" features which would be a distraction from reading text. I don't need the additional "beauty" that CSS enables. All I need is a good font and then I read. In other words, I am completely and totally satisfied with how web was in 1995 based on web standards of that time -- so-called Web 1.0. For me, this is very productive. I don't use Google Desktop.

    I realise there are many other people who see Web 1.0 as too limited for all the usual reasons, e.g. because they want interactivity features, or Flash movies, or proper CSS support for different display devices, etc, all of which are good reasons for them and do require the use of Javascript / AJAX. I don't need any of that, however, so I disable Javascript. I have yet to find a website with textual information that could not have been written or read by me based on good old HTML. Another reason I prefer websites that avoid relying heavily upon Javascript, even to make simple links between webpages, is that they can be properly indexed by search engines.

    --
    Scroogle
  10. Quick fix by infonote · · Score: 5, Insightful

    Vulnerabilities exist and will continue to exist. As long as it is fixed within a short period of time it is ok. Saying that, If I was a manager in a commercial organization, I would never allow Google Desktop on my employees computers as online security is still in its infancy.

    --
    Visit http://www.kaizenlog.com
  11. People keep complaining bout my sig by TheLink · · Score: 3, Interesting

    People keep complaining about my sig. But they should just learn.

    Browsers suck. javascript is unsafe and most sites/webapps don't sign url/form parameters. So learn to think before you click.

    And if you are thinking of clicking on some strange stuff, open a pristine VM, and use a clean browser there (you can even "sort of" put the VM on a different network from your computer - get two NICs).

    --
  12. Who uses this crap anyway? by Anonymous Coward · · Score: 2, Interesting

    I tried google desktop... consumed 10gb of disk space, had a process that ran 100% cpu eating nearly 700MB of ram, and kept indexing usb devices so you couldn't eject them. All this and it couldn't tell when you moved a file from one directory to another... or deleted it entirely! Hell the Windows XP "Search" can at least find a file if you know the name of it.

  13. Re:Hindsight... by jorgevillalobos · · Score: 2

    Same here. Even when I used Windows I decided that it was kind of risky to install such an app on my desktop. Sure, it sounded tempting to have such a powerful indexing scheme and be able to find everything on your hard drive with relative ease and a very innovative UI for it, but I came to the conclusion that is was not worth it given that I don't search for files that often, and I don't want to trust Google with absolutely everything (I use gmail and Google calendar though).

    It's a non-issue with Spotlight now :).

  14. Doesn't affect all Google Desktop users by fname · · Score: 3, Interesting

    This doesn't appear to affect all Google Desktop users. The article talks about data being intercepted as it is sent to Google. IOW, this is only applicable for users who are storing a complete index of their hard drive on Google's servers. As if that wasn't an obvious security threat!

    Simple solution: make sure you disable the "feature" allowing you to index your hard drive on Google's servers. IMHO, a terrible feature that has caused Google far more harm than good. Many companies have banned Google Desktop because of this capability. It was even more inexcusable when it was enabled by default.

    Moral of the story: even if they aim to "do no evil," Google's self-assuredness often leaves the user paying the price for Google's mistakes.

    1. Re:Doesn't affect all Google Desktop users by blchrist · · Score: 2, Informative

      If you read the whole whitepaper, the authors say (p15) that an attacker could use the vulnerability to turn on the "search across computers" feature.
      The whitepaper is well written and worth the read. It's a pretty scary vulnerability.

  15. Snort signatures here: by farker+haiku · · Score: 2, Interesting

    I've said it before and I'll say it again. Snort signatures available here

    --
    Your sig(k) has been stolen. There is a puff of smoke!
  16. Re:Why Google Desktop is too frustrating to be use by costas · · Score: 2, Insightful

    To add to your list: GDS doesn't index Outlook/email attachments even if they are in a format that it does know how to index. Like you mention, it doesn't deal well with documents moving from one location to another (not just within Outlook, anywhere in the filesystem). And the bug you mention about email is much worse than just not able to locate a moved email: it means that spam that gets moved by a client-filter to a folder you've told GDS not to index, will still be in the GDS index because it usually indexes it before the spam filter gets to move it. So, your index eventually gets clogged up with spam too.

    It gets worse: GDS actually "forgets" about documents it has previously indexed (so results get *worse* over time, not better). And its index keeps growing (yes, even though its results are getting worse). And as the parent mentions, it doesn't have a "re-index now" option, so you are forced to uninstall and re-install.

    The only good thing about GDS is its integration with google.com (who's embracing and extending now?). I am no MS apologist and I put up with GDS for over 1.5 years, but I switched to Windows Desktop Search and never looked back: WDS is head-and-shoulders above GDS (BTW, it can be downloaded into XP and is pretty much the same as the WDS in Vista): better results, better UI, way better integration with Windows, smaller index, ability to re-set the index whenever and faster to index the drive than GDS to begin with. WDS started life as Lookout, a third-party freeware app that was bought by MS, and it was better than GDS back then (oh what 4 years ago?).

    If only developers would embrace WDS to fix some obvious shortcomings (no Firefox/Thunderbird indexing, no hotkeys like GDS). I doubt Microsoft has anything to fear from Google competing for the desktop if GDS is any indication...