2/21/2007
01:34 PM
Critical Vulnerability Caught In Google Desktop

Google is pushing out a fix to users through its auto updating system, but security pros recommend users manually update their systems.

A security company is advising people who use Google Desktop to immediately download the latest version to protect their computers from a critical vulnerability.

Danny Allan, director of security research at Watchfire, a security and analysis company, says researchers found a vulnerability in Google Desktop that puts users' private information at risk and enables remote attackers to run programs on the infected machines. Allan says they reported the vulnerability to Google on Jan. 4, and the online search leader created a fix for it on Feb. 1.

Allan notes that while Google says it can automatically update its software and take care of the vulnerability, he has had to manually update his three home computers. "The fix is in their latest version," he says. "My software did not [automatically] patch. We had some issues with the updating mechanism. It didn't work at all. We had to install it manually."

Barry Schnitt, a Google spokesman, says the company started pushing out auto updates a few weeks ago and is still in the process of getting to its millions of users. He also says the auto update will work in the "vast majority" of cases. "A fix was developed quickly, and users are being automatically updated with the patch. In addition, we have [added] another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," Schnitt says.

Google hasn't received any reports of the vulnerability being exploited, Schnitt says. "However, users should make sure they are running the latest version of Google Desktop by going to http://desktop.google.com and downloading the latest version and installing it," he adds.

Watchfire's Allan says there actually are three separate flaws wrapped up in this vulnerability. All three are cross-site scripting (XSS) issues, which allow remote attackers to inject JavaScript into a Web application such as Google Desktop. Allan says about 80% of Web applications are vulnerable to varying degrees to cross-site scripting, but the Google Desktop vulnerability "constitutes the most serious outcome that I have seen."

Google Desktop has the ability to cache and remember all of a user's private and corporate information. It is essentially a small agent that lives on the desktop computer and crawls through e-mail, zip files, office documents, and Web sites visited. It indexes all of that information and stores it in its cache.

This vulnerability allows a remote attacker to access this cache and all the information in it, explains Allan.

The malicious code reaches the computer when the user clicks on a link in an e-mail or visits a malicious Web site. That link, according to Allan, connects to Google Desktop and injects the malicious script onto the computer.

Once a computer is compromised, the attacker can search for information on the computer and download it to his own system, control how the Web application functions, and run programs remotely on the computer. Allan notes that the first two outcomes are serious but calls the remote execution of programs a critical issue.
