Google Shuts The Hole In Its Desktop Software
Google Inc - the renowned search engine - has shut a potentially big cross-site scripting flaw in its "Google Desktop" software. The vulnerability could've allowed remote hackers to completely commandeer the compromised PC.
Users can search and index their PCs' contents with the help of "Google Desktop", just as Google.com does over the Internet. The vulnerability was found and reported to Google by Watchfire Inc, a Waltham, Massachusetts-based Web-application security provider, on 4 January 2007.
The free desktop product from Google, first released in 2004, is popular among millions of users.
The system allows users to set Google's indexing and searching capabilities loose on both their own system and the Web. It is a fast and easy way to locate documents, instant messaging transcripts, e-mails, archived Web pages and other tidbits socked away on the computer. It was once described by a Google executive as "the photographic memory of your PC".
Hackers could use cross-site scripting to manipulate the functionality of Google Desktop for their own ends, divulged Danny Allan, Watchfire's security research director, in a statement that News.com published on 21 February 2007. The integration of the desktop application with Google Search, Google's public Internet searching application, is a vulnerable spot, added Allan.
Allan continued that this implies the flaw discovered by Watchfire could have been exploited without information protection systems, firewalls and antivirus software detecting the attack.
However, the researchers from Watchfire discovered that the setup was open to cross-site scripting attacks that allow a scammer to place malicious code on the computer of a "Google Desktop" user. The computer might be infected in many ways, including through an infected e-mail attachment.
The flaw would also have enabled a hacker to compromise the "Search Across Computers" feature in "Google Desktop", which lets a user find information that's stored on his PC from any Internet-connected system through his Google account.
According to Watchfire, it reported the flaw to Google on 4 January and received assurance that the vulnerability had been patched on 1st February. The desktop search software is updated automatically, so users don't need to take any security measures themselves.
Regardless of the re-emergence of a threat of this kind through Google, Allan anticipates that there will be an overall increase in such flaws, since desktop software and the Internet are becoming more connected. Consequently, he added, anti-virus vendors need to develop techniques to detect and block such attacks.
» SPAMfighter News - 02-03-2007