Google Inc. has plugged a dangerous flaw in its desktop search tool that could have exposed users' personal files to an attacker.
Google Desktop is used to index documents, email, instant messaging transcripts and archived Web pages. Once items are indexed by the application, users can conduct a search to quickly retrieve files and information.
The flaw, which enables a cross-site scripting attack, was discovered along with two other minor issues, last October by Yair Amit, security senior researcher at Waltham, Mass.-based Watchfire Corp., a security analysis provider. The hole allows an attacker to place malicious code on a user's computer and retrieve files in only a few seconds.
Once a PC is victimized by the cross-site scripting attack, a hacker could use Google Desktop to search the user's machine and take full control of the computer, said Danny Allan, director of security research at Watchfire. Although there has never been an attack documented in the wild, Allan said an attack could be conducted relatively easily after building an exploit system.
"It's probably one of most critical Web application vulnerabilities I've seen," Allan said. "Features built into Google allow an attacker to reach a thousand victims in a single search, so the potential outcome is very critical."
Google Desktop versions 5.0.0701.18382 and earlier are affected. Allan said it is unclear whether Google's Enterprise Search Appliance is similarly affected.
Google issued a statement saying it developed a fix several weeks ago after the hole was discovered, and that the flaw was never exploited in the wild. While Google says its automatic update would repair the vulnerability without user intervention, researchers at Watchfire said users should make sure they are using the latest version of the software.
"We've seen the automatic updates not necessarily working on all computers," said Mike Weider, chief technology officer and founder of Watchfire. "Consumers should manually validate that they are running the latest version, and if not, then they should go get it from Google's Web site."