Zero Day Hole In Google Desktop

40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: 'This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory comes just days after a Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'"

Easily solved

[tedhiltonhead]

It sounds like this takes advantage of the "Google Integration" feature, where the Google Desktop software adds a link to your Google search results page. I found his explanation rather unclear, but it sounds like you can avoid this by going into Google Desktop's preferences, then the Display tab, then un-checking the last checkbox, "Show Desktop Search results on Google Web Search result pages".

I've always thought that was a scary idea anyway, since my desktop content should be in a clearly-partitioned security domain from Web content.

Re:Google imitating Microsoft security holes.

[WalterGR]

you do not provide functions which can execute arbitrary programs.... This is the source of most of the vulnerabilities involving web browsing. Now we have Google competing to offer similar security holes.

Firefox offers the exact same mechanism. Firefox extensions can contain (and run) executable code. (See below.)

As the Greasemokey security vulnerability demonstrated, web pages can "script" Firefox extensions.

ActiveX = executable code + scripting from the web browser. Firefox extensions introduce the same risks as ActiveX.

Take for instance FoxyTunes, which is listed on the Recommended Add-ons page. Download the XPI file, rename it to ZIP. Open it in WinZip or whatever. You'll notice several files:

• FoxyTunes.dll
• FoxyTunes.dll.linux
• FoxyTunes.dll.mac
• FoxyTunesBonobo.so.file

DLL files are executable code on Windows. I'm assuming the *.linux and *.mac are similar. SO files are executable code under Linux, not sure why it has .file after it. I'm sure there are more extensions with executable code, that was just the first I looked at. Look for any extension that integrates with external software - almost always there will be a DLL or EXE.

Re:armchair OS designer's reading list

[AKAImBatman]

armchair OS designer's reading list

That's great. When you graduate beyond armchair reading, perhaps you might consider getting out of your chair and learning about actually designing an Operating System? It's a very rewarding experience and teaches one about all the wonderful spagetti and legacy problems inherent in designs like Unix. It even shows how the greater resources present in modern computers can be utilized to reduce or eliminate the problems exhibited by previous OSes.