Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Second Google Desktop Vulnerability

Posted by kdawson on from the anti-anti-anti-DNS-pinning dept.

zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

7 of 80 comments (clear)

  1. I'd RTFA but... by Joebert · · Score: 4, Funny

    What's all the fuss about ?
    I'd RTFA but I'm afraid of what will happen if I do.

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  2. Misleading summary by Potor · · Score: 4, Informative
    TFA is clear that this does not refer to the Google Desktop vulnerability in specific, but rather to the general state of browser security. TFA:

    "A lot of these new attack techniques are going to require the browsers to improve," Grossman said. "The users really have very little ability to protect themselves against these attacks" he said. "It's very bad. Even the experts are afraid to click on each other's links anymore."
  3. Why Google Desktop is too frustrating to be used by Cato · · Score: 5, Insightful

    Google Desktop says that it automatically updates itself, but that doesn't work, and there's no 'force an update' feature as with Firefox.

    More infuriatingly, Google Desktop also doesn't understand that emails that it indexes in my Outlook Inbox won't stay there forever due to restrictions on server mailbox size, and doesn't re-index them when they move to an offline .PST file. So I frequently find an email, then try to open it in Outlook, then find I can't and have to find it manually by date/time. Same issue with files that are renamed or moved. Many people have complained about this, but the Google Desktop team ignored this, and instead spent their time producing the incredibly useless widgets, rather than *making the search features really work well*.

    Google Desktop still doesn't support the use of '-' to join two words, i.e. "foo bar" can be written as foo-bar. And the Google Desktop results within Outlook are still not a proper Outlook result list (as with Outlook Find), so you can't just drag items into a new email as attachments - no, you have to open up the email (if it can find it...), use Outlook to copy it to a temp folder, then drag from that folder into the new email.

    Google Desktop is simply too annoying to use any more, even though I've used it from version 1, and is actually a very un-Google-like product. Unlike the core Google.com search, which has been quietly optimised over the years to add stemming, proximity, spelling correction, etc, Google Desktop is actually a rather mediocre and barely usable desktop search tool whose primary benefit is that it integrates well with Google Toolbar.

  4. Google Desktop pre-loaded on Dells by PoconoPCDoctor · · Score: 4, Interesting

    I noticed a while ago that Google Desktop was preloaded on the Dells we buy. These Dells can wind up in areas that might access patient information. Since this is a major research hospital/medical school, I brought my concerns to the security group (HIPAA laws mandate privacy for patient information). Dell/Google assured us that this was a non-issue.

    The end result was that not much happened.

    My take? I still uninstall it whenever I see it.

    --
    "Let us raise a standard to which the wise and honest can repair" - George Washington
    1. Re:Google Desktop pre-loaded on Dells by synx · · Score: 5, Insightful

      Any hospital that is using whatever Dell or HP or any vendor has pre-installed on a box is being irresponsible.

      Those Dells should have been wiped and had a secure configuration reloaded. Yeeeesh

      What hospital are you at, so I can avoid it?

  5. The root cause and how I avoid it by Wills · · Score: 4, Insightful
    This kind of security bug never affects me for a simple reason -- I permanently turn off Javascript. But the main issue for me is actually not a concern about security; afterall serious holes tend to be fixed quickly. The issue is that I use the web primarily to to find information, to study, to learn and when I do those things, what I am mostly doing is reading text . I don't need fancy "interactivity" features which would be a distraction from reading text. I don't need the additional "beauty" that CSS enables. All I need is a good font and then I read. In other words, I am completely and totally satisfied with how web was in 1995 based on web standards of that time -- so-called Web 1.0. For me, this is very productive. I don't use Google Desktop.

    I realise there are many other people who see Web 1.0 as too limited for all the usual reasons, e.g. because they want interactivity features, or Flash movies, or proper CSS support for different display devices, etc, all of which are good reasons for them and do require the use of Javascript / AJAX. I don't need any of that, however, so I disable Javascript. I have yet to find a website with textual information that could not have been written or read by me based on good old HTML. Another reason I prefer websites that avoid relying heavily upon Javascript, even to make simple links between webpages, is that they can be properly indexed by search engines.

    --
    Scroogle
  6. Quick fix by infonote · · Score: 5, Insightful

    Vulnerabilities exist and will continue to exist. As long as it is fixed within a short period of time it is ok. Saying that, If I was a manager in a commercial organization, I would never allow Google Desktop on my employees computers as online security is still in its infancy.

    --
    Visit http://www.kaizenlog.com