Slashdot Mirror


Zero Day Hole In Google Desktop

40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: '"This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory comes just days after Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'"

19 of 113 comments

  1. Re:Google operating system? by ajanp · · Score: 4, Funny

    I can see it now... A future where mankind lives in a free and secure society where we all live together in bliss running our favorite open-source customized version of the iGOOGLE operating system that checks our mail, orders our groceries, and feeds the cat without any human interaction.

    --
    File Deletion is Murder.
  2. deep integration is a good idea by Gary+W.+Longsine · · Score: 5, Insightful

    This should drive home the point that connections should flow over encrypted tunnels whenever possible, to reduce the ease of performing man in the middle attacks. If this session flowed over an SSL style connection, the man in the middle would first need to figure out how to get into that session. That strategy seriously reduces the places where malicious code can exist "in the middle". Don't throw the baby (rich client interaction with services in the cloud) out with the bathwater.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  3. Google imitating Microsoft security holes. by Animats · · Score: 4, Insightful

    By now, everybody developing browser components should know that you do not provide functions which can execute arbitrary programs.

    Usually, it's Microsoft doing this, with Outlook, IE, Office, etc. launching other applications. This is the source of most of the vulnerabilities involving web browsing. Now we have Google competing to offer similar security holes.

    1. Re:Google imitating Microsoft security holes. by WalterGR · · Score: 4, Informative

      you do not provide functions which can execute arbitrary programs.... This is the source of most of the vulnerabilities involving web browsing. Now we have Google competing to offer similar security holes.

      Firefox offers the exact same mechanism. Firefox extensions can contain (and run) executable code. (See below.)

      As the Greasemonkey security vulnerability demonstrated, web pages can "script" Firefox extensions.

      ActiveX = executable code + scripting from the web browser. Firefox extensions introduce the same risks as ActiveX.

      Take for instance FoxyTunes, which is listed on the Recommended Add-ons page. Download the XPI file, rename it to ZIP. Open it in WinZip or whatever. You'll notice several files:

      • FoxyTunes.dll
      • FoxyTunes.dll.linux
      • FoxyTunes.dll.mac
      • FoxyTunesBonobo.so.file

      DLL files are executable code on Windows. I'm assuming the *.linux and *.mac are similar. SO files are executable code under Linux, not sure why it has .file after it. I'm sure there are more extensions with executable code, that was just the first I looked at. Look for any extension that integrates with external software - almost always there will be a DLL or EXE.

  4. Re:Google operating system? by AKAImBatman · · Score: 4, Interesting

    develop your own operating system based on Linux and get it over with.

    No offense to Linux, but I think that would offend Google's sense of style. Unix-style OSes are great when you need low-level access to the hardware (e.g. GoogleFS), but don't infer any sort of inherent advantage in the desktop arena. In fact, the classic Unix design is very desktop unfriendly, which is why all kinds of user-friendly packages like automounter have been created.

    Given the number of Ph.D. brainiacs Google has their hands on, I would expect them to create a new OS from the ground up that is more focused on the issues of dealing with the web and network in general. e.g. If it can be coded to avoid buffer overflow situations, that would be a great start. Greater focus on caching services and integrated URL handling might also be things you would see more of. Unicode everything rather than dealing with different text formats. (Incoming formats would need to be converted before they could be used.) Overall minimalist design. i.e. Don't include anything that isn't absolutely necessary to getting the job done. (Compare: The number of features on Google homepage to the number of features on the average Linux desktop.)

    I will happily eat crow if Google ever produces a Linux desktop, but gut instinct says that they won't. So don't get your hopes up.
  5. Re:Google operating system? by Anonymous Coward · · Score: 4, Funny

    GoOSE:
    GOoogle Operating System Environment

    Gotta teach those penguins a lesson sometime...

  6. Re:Logical by maelstrom · · Score: 5, Insightful

    Yeah for sure, now that Apache runs 60% of the Web, all those crackers are finding tons of exploits for it every day!

    --
    The more you know, the less you understand.
  7. Easily solved by tedhiltonhead · · Score: 4, Informative

    It sounds like this takes advantage of the "Google Integration" feature, where the Google Desktop software adds a link to your Google search results page. I found his explanation rather unclear, but it sounds like you can avoid this by going into Google Desktop's preferences, then the Display tab, then un-checking the last checkbox, "Show Desktop Search results on Google Web Search result pages".

    I've always thought that was a scary idea anyway, since my desktop content should be in a clearly-partitioned security domain from Web content.

  8. A little over blown perhaps? by 140Mandak262Jamuna · · Score: 4, Insightful

    Basic premise of the whole scheme sketched out in the article seems to be having a man in the middle. Maybe an evil twin router offering network connection near a coffee shop or a malicious laptop in an airport faking an "infrastructure mode" SSID in ad-hoc mode or something like that.

    Once you are compromised this way the attack tries to take advantage of cross scripting vulnerabilities in a browser to run code in the compromised machine. I am not sure if there is anything unique to Google Desktop here. Could the same attack take advantage of the numerous ActiveX vulnerabilities?

    Is the "security expert" trying to get more mileage by listing each exploitable hole of a man-in-the-middle attack as a separate discovery?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  9. Thought is not enough by The+Clockwork+Troll · · Score: 5, Insightful

    This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model.

    "Tremendous thought" is a weaker notion than transparency, public scrutiny, or even rigorous proof, which are really what's required.

    Everything else is just hope; hide and seek.

    Hopefully Google can learn and set an example here.

    --
    There are no karma whores, only moderation johns
  10. installers by ruffles321 · · Score: 5, Insightful

    this is even more of a problem since more and more installers like Irfanview's or Adobe's include Google Desktop (and/or toolbar) and there is no way to skip them when doing automated installs... what a sick trend.

  11. Re:Google operating system? by yintercept · · Score: 5, Funny

    "... and feeds the cat ..."

    You need to change this to read: "feed a cat". Google will feed your cat up until the index change after which it will start feeding another cat. To be grammatically precise: "a cat" will be fed. There is just no guarantee that it will be "the cat."

  12. Re:Google operating system? by poopdeville · · Score: 4, Interesting

    In fact, the classic Unix design is very desktop unfriendly, which is why all kinds of user-friendly packages like automounter have been created.

    Your point is pretty vacuous. The user-friendly packages already exist, and as OS X and Ubuntu (as a Linux example) show, can be used to great effect.

    But you're right. Google won't produce a Linux desktop. They'll probably use a BSD variant, should they ever produce a desktop at all.

    --
    After all, I am strangely colored.
  13. Re:Google operating system? by Anonymous Coward · · Score: 5, Funny

    Google Operating And Time Sharing Environment.

  14. Re:Did the industry learn nothing? by LO0G · · Score: 4, Insightful

    The problem is that for some people, functionality trumps security every time. It's unfortunate, but true.

    Sometime around 2002ish, Microsoft learned (the hard way) that functionality can NEVER trump security, and they've spent the better part of the past 5 years working on fixing the mistakes they made back in the 1990s (when functionality trumped security). You can see the fruits of that in their most recent offerings (IIS6 has had no exploitable holes in the 4 years it's been available, Vista, for all of its compatibility problems has already been shown to be dramatically better than XP was security-wise).

    Until all the vendors "get it" and realize that security should win, stuff like this is going to continue to happen.

  15. Re:Google imitating Microsoft's ActiveX by EraserMouseMan · · Score: 4, Insightful

    We'd better get used to Google becoming the butt of jokes usually aimed at ActiveX. Google Gears, Google Desktop, Google whatever. We now realize that the developers that develop these technologies simply get traded between the big 3 (Google, MS, Yahoo) and others.

    Are we all finally realizing that Google writes insecure apps just like every other software development company that is made up of humans?

  16. Re:Definitely overblown by CrazyBrett · · Score: 5, Insightful

    It is not Google's job to provide a secure channel.

    Yes, it is. If they're exchanging data between their desktop app and their web service, they need to do encryption and key verification to make sure the pipe isn't compromised. Stuff outside of that (like local keyloggers) is your concern, or someone else's. But between their two endpoints, they need to secure the channel.
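
As an added example (not code from this thread, from Google Desktop, or from Google), here is the kind of desktop-side "key verification" that comments 2 and 16 are asking for: the desktop endpoint only acts on a command that carries a valid MAC under a key shared with the service and a one-time token it issued itself, so a body edited on the wire or replayed is refused. The scheme, the shared key (assumed to be provisioned at install time) and all names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets


def sign_command(key: bytes, token: str, action: str, target: str) -> dict:
    """Service side: bind a desktop command to a one-time token and MAC it
    under the key shared with the desktop app (hypothetical scheme)."""
    body = json.dumps({"token": token, "action": action, "target": target}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class DesktopEndpoint:
    """Desktop side: act on a command only if its MAC verifies under the shared
    key and its token was issued here and has not been consumed yet."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.outstanding = set()   # one-time tokens handed out, not yet used

    def issue_token(self) -> str:
        tok = secrets.token_hex(16)
        self.outstanding.add(tok)
        return tok

    def accept(self, msg: dict) -> bool:
        expected = hmac.new(self.key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False           # body changed in transit, or forged outright
        token = json.loads(msg["body"]).get("token")
        if token not in self.outstanding:
            return False           # unknown token, or replay of a consumed one
        self.outstanding.discard(token)   # one-time: consumed on first use
        return True


def demo() -> dict:
    key = secrets.token_bytes(32)   # assumption: provisioned at install time
    desktop = DesktopEndpoint(key)
    token = desktop.issue_token()
    genuine = sign_command(key, token, "open", "notes.txt")
    # Constructed on-path edit of a cleartext response: same MAC, altered body.
    edited = {"body": genuine["body"].replace("notes.txt", "other.txt"),
              "mac": genuine["mac"]}
    return {"edited_rejected": not desktop.accept(edited),
            "genuine_accepted": desktop.accept(genuine),
            "replay_rejected": not desktop.accept(genuine)}
```

The MAC covers the whole command, so a cleartext edit is caught even though the one-time token inside it is unchanged; the token only adds replay protection.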

  17. Re:Definitely overblown by naasking · · Score: 4, Insightful

    I guess when I do a MITM attack to capture login prompts and transparently proxy that is google's problem also?
    Or when I resolve DNS queries to my own box, that is likewise google at fault?

    Don't be daft, SSL was created to prevent exactly these attacks, so why isn't it being used? Why does the Google toolbar submit all your potentially authority-bearing https urls to their anti-spam service in clear text? As good as Google is in certain areas, they're absolutely horrid when it comes to basic security measures.

  18. Re:armchair OS designer's reading list by AKAImBatman · · Score: 4, Informative

    armchair OS designer's reading list

    That's great. When you graduate beyond armchair reading, perhaps you might consider getting out of your chair and learning about actually designing an Operating System? It's a very rewarding experience and teaches one about all the wonderful spaghetti and legacy problems inherent in designs like Unix. It even shows how the greater resources present in modern computers can be utilized to reduce or eliminate the problems exhibited by previous OSes.