Slashdot Mirror
Zero Day Hole In Google Desktop
40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: 'This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory comes just days after a Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'"
This guy is probably funded by M$. I mean, come on. Hello, Mr. FUD. You want to see dangerous deep integration? Internet Explorer. Durr. I have a news flash for this genius. Pretty much nothing is a good idea without giving careful consideration to security. Things like: installing software on your computer (any software), clicking on links in a browser, typing text into your computer, saving files to disk, taking a dump. Yep, pretty much all of them are potentially dangerous.
Web-desktop integration is already here and it isn't going anywhere. It's a perfectly good idea, not a bad one. And because it's a good idea and because it involves your data, it's also a good idea to address security concerns. That is the fair and unbiased statement.