Slashdot Mirror
Zero Day Hole In Google Desktop
40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: 'This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory comes just days after a Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'"
I can see it now... A future where mankind lives in a free and secure society where we all live together in bliss running our favorite open-source customized version of the iGOOGLE operating system that checks our mail, orders our groceries, and feeds the cat without any human interaction.
File Deletion is Murder.
This should drive home the point that connections should flow over encrypted tunnels whenever possible, to reduce the ease of performing man in the middle attacks. If this session flowed over an SSL style connection, the man in the middle would first need to figure out how to get into that session. That strategy seriously reduces the places where malicious code can exist "in the middle". Don't throw the baby (rich client interaction with services in the cloud) out with the bathwater.
If you mod me down, I shall become more powerful than you could possibly imagine.
By now, everybody developing browser components should know that you do not provide functions which can execute arbitrary programs.
Usually, it's Microsoft doing this, with Outlook, IE, Office, etc. launching other applications. This is the source of most of the vulnerabilities involving web browsing. Now we have Google competing to offer similar security holes.
No offense to Linux, but I think that would offend Google's sense of style. Unix-style OSes are great when you need low-level access to the hardware (e.g. GoogleFS), but don't infer any sort of inherent advantage in the desktop arena. In fact, the classic Unix design is very desktop unfriendly, which is why all kinds of user-friendly packages like automounter have been created.
Given the number of Ph.D. brainiacs Google has their hands on, I would expect them to create a new OS from the ground up that is more focused on the issues of dealing with the web and network in general. e.g. If it can be coded to avoid buffer overflow situations, that would be a great start. Greater focus on caching services and integrated URL handling might also be things you would see more of. Unicode everything rather than dealing with different text formats. (Incoming formats would need to be converted before they could be used.) Overall minimalist design. i.e. Don't include anything that isn't absolutely necessary to getting the job done. (Compare: The number of features on Google homepage to the number of features on the average Linux desktop.)
I will happily eat crow if Google ever produces a Linux desktop, but gut instinct says that they won't. So don't get your hopes up.
Javascript + Nintendo DSi = DSiCade
GoOSE:
GOoogle Operating System Environment
Gotta teach those penguins a lesson sometime...
Yeah for sure, now that Apache runs 60% of the Web, all those crackers are finding tons of exploits for it everyday!
The more you know, the less you understand.
It sounds like this takes advantage of the "Google Integration" feature, where the Google Desktop software adds a link to your Google search results page. I found his explanation rather unclear, but it sounds like you can avoid this by going into Google Desktop's preferences, then the Display tab, then un-checking the last checkbox, "Show Desktop Search results on Google Web Search result pages".
I've always thought that was a scary idea anyway, since my desktop content should be in a clearly-partitioned security domain from Web content.
Once you are compromised this way the attack tries to take advantage of cross scripting vulnerabilities in a browser to run code in the compromised machine. I am not sure if there is anything unique to Google Desktop here. Could the same attack take advantage of the numerous ActiveX vulnerabilities?
Is the "security expert" trying to get more mileage by listing each exploitable hole of a man-in-the-middle attack as a separate discovery?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
It doesn't matter. Google desktop does not run on Ubuntu...
What?
"Piter, too, is dead."
How does one stop Google desktop from indexing executables? When I open the Google Desktop preferences, exe files aren't even listed as something I can index, but search for an executable like hypertrm.exe on Google desktop, and it shows up anyway, which is the 'meat' of this vulnerability.
It should be illegal to say that freedom of speech should be limited.
Anyone want to bet that this is the beginning of a little landslide?
I wish the Google team all the best in dealing with this issue... but I am scratching my head at the speed with which they are attempting to diversify their offerings.
Google did not become a dominant force overnight. They fought battles, learned lessons, and refined/defined search capabilities for the entire world. Why have they been shooting off in a dozen different directions? Is there any way that even they can stay on top of all the little details considering the number of immature products they are floating?
Anyhow, the next couple of days will go a long way towards showing exactly how far the Google team needs to go before I trust them on my desktop. Here's hoping they prove to have the response time/customer centric attitude that made them my preferred search provider.
Regards.
"Tremendous thought" is a weaker notion than transparency, public scrutiny, or even rigorous proof, which are really what's required.
Everything else is just hope; hide and seek.
Hopefully Google can learn and set an example here.
There are no karma whores, only moderation johns
this is even more of a problem since more and more installers like Irfanview's or Adobe's include Google Desktop (and/or toolbar) and there is no way to skip them when doing automated installs... what a sick trend.
Yes, Apache has a good reputation for security, but like most popular, complex programs, its history is far from exploit-free.
-snarkbot
You need to change this to read: "feed a cat". Google will feed your cat up until the index change after which it will start feeding another cat. To be grammatically precise: "a cat" will be fed. There is just no guarantee that it will be "the cat."
Did the industry and Google learn nothing from the mistakes Microsoft made?
Even MS has done a 180 and with Vista broke all the internal/external links that made XP/ActiveX/IE such a mess. So if MS is smart enough to learn from their mistakes you would thing a company like Google would not go out of their way to emulate the same bad security ideas.
Is it just me, or is Google racing to be the next big evil? Gmail scanning, search data compiling, Firefox reporting, desktop document reporting, and now making really stupid software design decisions?
I think the premise of the article is rather stupid in fact.
It is not Google's job to provide a secure channel.
I guess when I do a MITM attack to capture login prompts and transparently proxy that is google's problem also?
Or when I resolve DNS queries to my own box, that is likewise google at fault?
Lol.
It's the phrase which springs to mind with "web 2.0" applications. You have an exposed API on both sides, the client and the server.
Deleted
In fact, the classic Unix design is very desktop unfriendly, which is why all kinds of user-friendly packages like automounter have been created.
Your point is pretty vacuous. The user-friendly packages already exist, and as OS X and Ubuntu (as a Linux example) show, can be used to great effect.
But you're right. Google won't produce a Linux desktop. They'll probably use a BSD variant, should they ever produce a desktop at all.
After all, I am strangely colored.
Google Operating And Time Sharing Environment.
installing third-party applications that connect to someplace, download something, and do something on on your machine, and being exposed when those applications are shown to have bugs is news how?
;)
the google engineers aren't magicians. when they develop features, they do so under tight schedule, and make mistakes, especially those hired to code (as opposed to do PR). the only reason there haven't been more problems discovered is likely the fact that they don't distribute much software.
besides, google's main goal isn't promoting security. their primary goal is to hookup lotsa people -- and in their case, that means to deliver applications with lotsa features quickly, because people are hooked on the features, the competition ain't sleeping, and that first-comer advantage matters.
does that remind you of another company? it should, because all of them successful companies ain't that much different at all
Google is nice enough to offer SSL for most of its services these days. It would make a lot of sense for them to round out their secure offerings with an SSL search as well.
Right now, any request to an encrypted Google search URL redirects you to www.google.com.
Hrm... you seem unaware that the very desktop (and mobile) friendly Macintosh and the coming generation of iPhones, iPods, and probably other digital appliances from Apple are based on a real UNIX underneath? The UNIX foundation of the system design is partly responsible for the rapid pace of evolution of Mac OS X.
Although extreme hubris might combine with extreme resources (both dollars and talent) at Google to lead to the creation of an entirely new OS from the ground up, there may not be any need for that. The UNIX wheel is relatively round these days, particularly considering the Mac OS X / OSX example. Better yet, UNIX is nicely modular. If anyone devises a clever way to "avoid buffer overflow situations" it seems likely, on the basis of past evidence concerning technology development and adoption within UNIX systems in general, that it would be easier to integrate that language and compiler, or whatever technology it happens to be, into a UNIX operating system than it would be to create a fully capable system on top of it from whole cloth.
Since you seem genuinely interested in the topic, here are some reasonable books on operating system design which you might enjoy.
The Design and Implementation of the 4.4 BSD Operating System
Design of the UNIX Operating System
Operating System Design: The Xinu Approach
UNIX Internals: The New Frontiers
Mac OS X Internals: A Systems Approach
Solaris Internals
The other issues you raise are largely issues of interface design, which the open source community seems to do rather poorly, or at least not as well as it does other things. Google certainly does not need to re-invent the entire operating system wheel to improve URL integration, or provide a "minimalist" desktop interface, for example. They don't even need to strip features, really. Mac OS X, for example, provides enough of a minimalist default interface that novice computer users are comfortable with it. A Linux based OS from Google could take a similar approach, perhaps being even more spartan in the basic features, if that's really a desirable goal (which is another question entirely).
If you mod me down, I shall become more powerful than you could possibly imagine.
We'd better get used to Google becoming the butt of jokes usually aimed at ActiveX. Google Gears, Google Desktop, Google whatever. We now reaize that the developers that develop these technologies simply get traded between the big 3 (Google, MS, Yahoo) and others.
Are we all finally realizing that Google writes insecure apps just like ever other software development company that is made up of humans?
Why on this Earth would Google want an OS?? They already have it - it is called "The Browser". That's what they use to make money. They may want to extend its usage, but I doubt that Google will ever want to deal with the "desktop" in the same way as Microsoft, Apple or Linux community.
Google is about control. They want to control your information for their own profit. They show it again and again. That's how they make money. The more targeted the ads, the more money they can make. The only competitor I think they may have here is Amazon, but that only deals with your book preferences. Google wants your wants so they can sell something from one of their customers.
Thus it is NOT in the interest of Google to make a desktop. They are not in the business of making software like MS or Apple or GNU or even IBM. They are in business to manage information about you and me. Their "free" solutions are just there so you can give them more info about yourself.
Hope that is clear enough.