News Stay informed about the latest enterprise technology news and product updates.

Google plugs dangerous flaw

An attacker could exploit a hole in Google Desktop to gain access to users' personal files. Google has released a patch, but experts say not all users are receiving it.

Google Inc. has plugged a dangerous flaw in its desktop search tool that could have exposed users' personal files to an attacker.

It's probably one of most critical Web application vulnerabilities I've seen.
Danny Allan,
director of security researchWatchfire

Google Desktop is used to index documents, email, instant messaging transcripts and archived Web pages. Once items are indexed by the application, users can conduct a search to quickly retrieve files and information.

The flaw, which enables a cross-site scripting attack, was discovered along with two other minor issues, last October by Yair Amit, security senior researcher at Waltham, Mass.-based Watchfire Corp., a security analysis provider. The hole allows an attacker to place malicious code on a user's computer and retrieve files in only a few seconds.

Once a PC is victimized by the cross-site scripting attack, a hacker could use Google Desktop to search the user's machine and take full control of the computer, said Danny Allan, director of security research at Watchfire. Although there has never been an attack documented in the wild, Allan said an attack could be conducted relatively easily after building an exploit system.

Google Desktop Search:
How to tame Google Desktop

Google Desktop gets scarier

Securing the internal Windows network

"It's probably one of most critical Web application vulnerabilities I've seen," Allan said. "Features built into Google allow an attacker to reach a thousand victims in a single search, so the potential outcome is very critical."

Google Desktop versions 5.0.0701.18382 and earlier are affected. Allan said it is unclear whether Google's Enterprise Search Appliance is similarly affected.

Google issued a statement saying it developed a fix several weeks ago after the hole was discovered, and that the flaw was never exploited in the wild. While Google says its automatic update would repair the vulnerability without user intervention, researchers at Watchfire said users should make sure they are using the latest version of the software.

"We've seen the automatic updates not necessarily working on all computers," said Mike Weider, chief technology officer and founder of Watchfire. "Consumers should manually validate that they are running the latest version, and if not, then they should go get it from Google's Web site."

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.