Critical Vulnerability Caught In Google Desktop - InformationWeek
Software // Enterprise Applications
01:34 PM
Faster, More Effective Response With Threat Intelligence & Orchestration Playboo
Aug 31, 2017
Finding ways to increase speed, accuracy, and efficiency when responding to threats should be the ...Read More>>

Critical Vulnerability Caught In Google Desktop

Google is pushing out a fix to users through its auto updating system, but security pros recommend users manually update their systems.

A security company is advising people who use Google Desktop to immediately download the latest version to protect their computers from a critical vulnerability.

Danny Allan, director of security research at Watchfire, a security and analysis company, says researchers found a vulnerability in Google Desktop that puts users' private information at risk and enables remote attackers to run programs on the infected machines. Allan says they reported the vulnerability to Google on Jan. 4, and the online search leader created a fix for it on Feb. 1.

Allan notes that while Google says it can automatically update its software and take care of the vulnerability, he has had to manually update his three home computers. "The fix is in their latest version," he says. "My software did not [automatically] patch. We had some issues with the updating mechanism. It didn't work at all. We had to install it manually."

Barry Schnitt, a Google spokesman, says the company started pushing out auto updates a few weeks ago and is still in the process of getting to its millions of users. He also says the auto update will work in the "vast majority" of cases. "A fix was developed quickly, and users are being automatically updated with the patch. In addition, we have [added] another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," Schnitt says.

Google hasn't received any reports of the vulnerability being exploited, Schnitt says. "However, users should make sure they are running the latest version of Google Desktop by going to and downloading the latest version and installing it," he adds.

Watchfire's Allan says there actually are three separate flaws wrapped up in this vulnerability. All three are cross-scripting issues, which allow remote users to inject Java script into a Web application like Google Desktop. Allan says about 80% of Web applications are vulnerable to varying degrees to cross-scripting, but the Google Desktop vulnerability "constitutes the most serious outcome that I have seen."

Google Desktop has the ability to cache and remember all of a user's private and corporate information. It basically is a mini agent that lives on the desktop computer and crawls through e-mail, zip files, office documents, and Web sites visited. It indexes all of the information and stores it within its cache.

This vulnerability allows a remote attacker to access this cache and all the information in it, explains Allan.

The malware is introduced to the computer if the user clicks on a link in an e-mail or visits a malicious Web site. The malware connects to that link, according to Allan, and injects the malicious script onto the computer.

Once a computer is infected, the attacker can search for information on the computer and download it to his own system, control how the Web application functions, and run programs remotely on the computer. Allan notes that the first two uses are serious but calls the remote control a critical issue.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
[Interop ITX 2017] State Of DevOps Report
[Interop ITX 2017] State Of DevOps Report
The DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll