Flaw in Google's New Desktop Tool [Update: Fixed!] 266
silassewell writes "A Rice University computer scientist and two of his students have discovered a potentially serious security flaw [Sell your soul to the NYTimes to Read] in the desktop search tool for personal computers that was recently distributed by Google." Update: 12/21 03:15 GMT by T : An anonymous reader writes "It's being reported that the security problem in Google's Desktop Search has been plugged."
No Reg Required... (Score:5, Informative)
Re:No Reg Required... (Score:3, Funny)
Google Link (of course!) (Score:5, Informative)
At least they don't bury the bad news...
Re:Google Link (of course!) (Score:4, Insightful)
The whole Sell your soul to the NYTimes to Read is getting old... actually it was old a year ago, and now its simply ridiculous.
Re:Google Link (of course!) (Score:5, Informative)
Re:Google Link (of course!) (Score:2, Interesting)
Re:Google Link (of course!) (Score:2, Informative)
Re:Google Link (of course!) (Score:3, Insightful)
2) Most people here should already have a registration with NYT and a cookie, so they don't need to worry. NYT writes enough good stories that it's worth the trouble (which I had in about 1997).
what the heck (Score:3, Funny)
It is a dumbed-down explaination... (Score:5, Interesting)
Kjella
No, it is a dumb explaination... (Score:5, Insightful)
These guys tricked the google search tool into sending that information somewhere else.
So, we have a "composition flaw", between two components; Google's search tool, and... uh... a Java attack script. Hmm...
The "flaw" here is that Google's search tool sends personal information to an external host, plain and simple. If I don't want a third party attacker seeing arbitrary parts of my hard drive's contents, I probably don't want Google seeing them either.
Re:No, it is a dumb explaination... (Score:5, Informative)
It does sound like that, but that would be a terrible design, wouldn't it? It would mean your private search data is being sent to Google! And Google swore up and down that they wouldn't do this.
Actually, your private results are not sent to Google; rather, when the data comes back from Google, the toolbar mixes your private results into the web search results and passes that on to the browser. The problem is that it may not be the user directing the browser to do the request. It could be a Java applet, or maybe (with some help) some Javascript on a malicious web page. Then the nasty code sees the results and it can send them off to where they shouldn't go.
Re:It is a dumbed-down explaination... (Score:3, Insightful)
Shhhh. (Score:3, Funny)
Re:what the heck (Score:5, Informative)
nooo.. it's a fairly common way to find security holes. you can identify every input and every state a program can enter, test all that to be solid, and it can still yield security flaws when working together with another peice of software. This happens most especially on the web, where multiple technologies plug into each other, and unless the sandboxing is extremely solid, a combination of programs noone considered can easily have dastardly results. i think the usefulness of a desktop search tool to any bug looking for targets to infect is pretty obvious. The settings files for the programs are easily mined for info too, if they're not already stored in that abhorrent windows registry.
Re:what the heck (Score:5, Funny)
Windows, just sitting there on the CD isn't a secutity problem.
The PC, sitting there without an operating system isn't a secutity problem.
Put the two together -Microsoft magic!
Haiku of the Google Ad (Score:4, Funny)
Google deploys their search tool
All is exploited
Haiku for those affected (Score:2)
I installed this crap.
All the blame belongs to me.
I am a pinhead.
Re:Haiku for those affected (Score:2)
Google dies! My fault.
Windows dies! Blame Microsoft.
Google is smiling.
Re:Haiku for those affected (Score:2)
Re:Haiku for those affected (Score:2)
It's already been fixed (Score:5, Informative)
Re:It's already been fixed (Score:5, Funny)
Re:It's already been fixed (Score:2)
http://www.nytimes.com/2004/12/20/technology/20fl
don't worry (Score:5, Insightful)
Programs like these (i.e. Gator password program) are the reason why I am a minimalist. I keep on my computer exactly what I need (pr0n included) and nothing else. Anything that potentially interfaces w/the web is a no-no with me (I use zone alarm, so I can see any program trying to access the net).
Re:don't worry (Score:5, Funny)
Your definition of minimalism is probably different than a lot of other people's. Keep that in mind. I can't function unless I have at least a compiler, if not a full-blown IDE on the computer I'm using. Same thing goes for Photoshop and me.
You may not have either, and may disregard the need for me or anyone else to have these. Just remember, everyone's different. Because you don't find something useful doesn't mean someone else won't.
Re:don't worry (Score:2)
Re:don't worry (Score:2)
Desktop search is NEAT, but I don't need it. I keep my files organized to begin with, and since I use Mozilla at home and Thunderbird at work, none of the "tools" out there will help me search my e-mail anyway.
It's really a utility for the people who save files wherever the program defaults to, and never know where that is, who have their files scattered all over creation, and who need help organizing their data.
Re:don't worry (Score:2)
So people need it for various reasons...part of my needs is Zone Alarm, for nothing else then to block these programs from accessing th
Re:don't worry (Score:2)
Yes, Zone Alarm can be as annoying as Hell, and it can be a pain in the neck at times, but the payoff of having application by application control over Internet access is priceless.
Although one of these days I really need to get around to configuring it so it doesn't block SMB shares. I don't need it often, but when I do it's annoying to end up turning off ZA during the copy process.
Re:don't worry (Score:2)
Re:don't worry (Score:5, Funny)
Far too many people let shame take away their abilty to admit they like the stuff.
Re:don't worry (Score:3, Funny)
If i start telling people about my multi terabyte porn collection they start asking me to send it to them!!
wait... umm I don't have any porn.. nothing to see here...
Re:don't worry (Score:2)
>
>wait... umm I don't have any porn.. nothing to see here...
So, umm, then you've got nothing to lose by installing Google Desktop Search or MSN Desktop Search, or anybody else's Desktop Search utility then, right?
*taps foot for ten seconds*
So have you installed it yet? Huh? Haveya haveya haveya? Whenyagonna? Huh? Huh?
Re:don't worry (Score:2)
*cough* the never expiring google tracking cookie *cough* the full featured toolbar is spyware.
Ironically, MS doesn't want your private info, the data miners google sells data to do.
Re:don't worry (Score:2)
Christ, you're lazy. This is common information that can be easily searched.
Google tracking cookie. [google.com] Pick an article.
Google own "privacy" policy [google.com] regarding the full version of its toolbar. Yes, Virginia, that's spyware.
So, do I have the fixed version? (Score:3, Interesting)
Many will not like this concept, but I am happy to learn, I don't have to uninstall, re-install, and re-index to ensure I have it fixed.
Um what the ??? does one have to do with the other (Score:2)
Many will not like this concept, but I am happy to learn, I don't have to uninstall, re-install, and re-index to ensure I have it fixed."
I much prefer to have a button "Check for updates and install now" or "Download, but don't mess with the setup (i.e. install) until I tell you". But I still don't want to, nor need
Re:Um what the ??? does one have to do with the ot (Score:3, Insightful)
Re:Um what the ??? does one have to do with the ot (Score:2)
Yes, but you're in some sort of IT field. Most users, given the option of downloading and installing security patches, will not. That's why MS has been in so much trouble about not having that on by default, and why they turned it on in XP SP2.
Re:Um what the ??? does one have to do with the ot (Score:2)
"What? No, I didn't click on that - you tell me never to install things when I don't know what they are. Did it say Security Center? I don't know - I didn't read it. I don't have time for that, and I'm on deadline. Now, fix my computer."
(or)
"You told me last time to click to install any s
Fix for the flaw (Score:5, Informative)
Re:Fix for the flaw (Score:5, Funny)
Next Google "scandal": GDS updates automatically without user intervention!!!
Re:Fix for the flaw (Score:2)
Too much software assumes it can rewrite and install/upgrade itself.
I want to install software as admin and not as the user.
The Windows Admin (Score:2)
Windows has the admin/user distinction too (at least in 32-bit versions). The "every user an admin" situation in Windows is more cultural than technical.
I don't want to minimize the security flaws in Windows -- of which there are way too many. But security has a social component too. Right now, most computer users are to some degree their own system administrator -- and most of them just don't have the skills to do it.
It's perfectly simple to set
Re:Fix for the flaw (Score:4, Insightful)
I dont want such a critical program auto-updating without even giving the user a notice that he isnt running the same software version anymore.
Alone the fact that a new version can be downloaded and automatically executed SCREAMS security issue. One spoof/hack and we have a ton of google desktop zombies waiting for commands....
Re:Fix for the flaw (Score:5, Informative)
Re:Fix for the flaw (Score:2)
Re:Fix for the flaw (Score:3, Insightful)
Re:Fix for the flaw (Score:3, Insightful)
Better link (Score:3, Informative)
How it's probably done (Score:5, Interesting)
GDS runs a webserver on your computer which any local application can query, including any java or activex app with outgoing http priviledges.
Google stop this by requiring that some sort of random ID as a key to access the page. This ID is generated as part of the url when you double click on the GDS icon in the taskbar.
It's also embedded into any results page that comes back from google, and you can exploit this by having the java applet first request www.google.com, find the link to GDS, then run a GDS search, then return those results via another web request to a remote host.
But it sounds like it's fixed, so that's good.
Re:How it's probably done (Score:4, Informative)
Re:How it's probably done (Score:2)
Re:How it's probably done (Score:3, Informative)
IIRC most jvms assess the risk involved in granting a particular privilege to an applet, and accessing webservers is one of the lower risk permissions - versus socket operations and local filesystem access.
Most users will click yes to anything but the most dire warnings
Did the students pass the class? (Score:3, Interesting)
--Joe
From the article (I actually read it this time) (Score:3, Informative)
It seems like most non-email Internet attacks require you to visit an attacker's website before the payload can be delivered (there are some good articles about this at ISC [sans.org]). I would tend to think that unpatched browsers (<cough>IE<cough>) would still cause more problems that this.
Don't misunderstand me, though; I am not trying to excuse Google from the flaw, but the good news is that it's already fixed, and I'm sure the scum of the Internet are going to focus on these other (exciting, money-making) opportunities.
PS. I know Seth Fogarty, does that give me some sort of karma bonus
Re:From the article (I actually read it this time) (Score:2)
I like how there was a reference to one of my classes in one of the above comments, the link is "DJB's students" or something like that.
Hope graduate school is treating you well.
I'm actually somewhat impressed... (Score:3, Interesting)
Re:I'm actually somewhat impressed... (Score:2)
Re:I'm actually somewhat impressed... (Score:2)
Potential Uses (Score:2)
It's a dream exploit for finding users with illegal mp3s or video.
Trying to steal confidential information isn't so easy, since you'd have to have a fairly good idea what to search for first.
Re:Potential Uses (Score:2)
Re:Potential Uses (Score:2)
Re:Potential Uses (Score:3, Insightful)
Big Deal (Score:3, Insightful)
So let me get this straight, after successfully fooling a user that the site they are seeing is legit when it's actually spoofed, then they can get the results of local search queries, potentially seeing parts of a file. Don't get me wrong, that kind of stinks and all, but if you have already fooled someone into believing the sites they are looking at are legit, why bother with this? Show them a gmail login, or a yahoo mail login, or if you know a bit about them, their internet banking login.
This security flaw doesn't seem like that big of a deal and if anything, it highlights that Google is being proactive about such things; addressing the issue and releasing fixed software in a reasonable amount of time. Kudos.
How it works (Score:5, Informative)
The way it works is actually pretty simple. What happens normally is that the toolbar watches your outgoing and incoming web connections. When you make a Google query, it detects that and does a local search of its index of your disk. When the results come back from Google, it mixes in the results from the web with the results from your disk. This design is to protect your privacy.
The attack is for a malicious site to download a Java applet to your system. This applet does a Google query (via the malicious site as a proxy, to defeat applet sandboxing), and then reads the results which come back. When the results get back to the applet they have gone through the Google toolbar and gotten the local disk results integrated. The applet then sends the data to the malicious site, and presto, it knows a lot about the contents of your disk.
Re:How it works (Score:2)
Remind me again why I need this?
I dunno... there's too many solutions looking for problems out there.
So, um (Score:2)
Well, um, that's a pretty well-solved problem, isn't it? Just have the google search agent thingy use SSL, and refuse to let it incorporate local data unless the SSL cert checks out as Google's. Problem solved? Or am I missing something?
Intruder Alert. Kill the humanoid. (Score:5, Funny)
Then again, I'm sure someone will find an exploit in Calculator or Freecell given time.
Re:Intruder Alert. Kill the humanoid. (Score:3, Funny)
false alarm (Score:5, Funny)
Too Late (Score:3, Insightful)
I know a few people who think their porn is hidden on their computer, but those who live with them say otherwise.
Just think of all of the recent file lists and last used directories in your media players or image viewers, system logs with errors for codecs and paths to the problem files, browser history autocomplete and cookie names, disks with "missing" space or restricted directories, and the good old file search for mpg, avi, wmv, etc.
You're probably not the o
Re:Too Late (Score:4, Funny)
And that went on for a good 10 minutes or so.
All i could say was "Well, we do need to do the virus scan."
already fixed! (Score:3, Informative)
BTW, CNET reported this last night.
[obligatory jab at microsoft,typical at this point in a comment, is being left as an exercise for the readers....]
Stop the press! (Score:4, Funny)
Re:Stop the press! (Score:2)
Re:Stop the press! (Score:2)
You should be allowed to use Beta software for mission critical applications, Beta means bug free!!!
Since I don't see a clear explanation (Score:3, Informative)
This is based on Wired's much more clear and coherent description.
Desktop search installs an object that the browser instantiates on Google web pages to render local results along side of google results. No data is sent in this process.
The attack involves the fact that this data is present on the web page itself, and is added to the DOM. An attacker using JavaScript can traverse the DOM and read the exerpts of files shown on the search page.
It cannot follow this to the document itself in the cache, and it can see nothing other than the quoted excerpt.
It's beta software, bound to be problems. This particular problem is because the object isn't "locked to the page."
The vulnerability doesn't effect any other desktop search tool that is currently available, because none of them use an object in the browser to integrate search results with their web page. All the other tools are either search your desktop or search the web, not search both at once.
Using FireFox, without the object, you won't get the integrated search results, so you won't have the problem.
Common Sense (Score:3, Interesting)
- dshaw
Ah, but... (Score:2)
Straight from the horse's mouth (Score:3, Informative)
Re:Straight from the horse's mouth (Score:3, Informative)
PLEASE! (Score:3, Insightful)
Both IE and Firefox extensions available. This copy/paste might be useful if you formatted it instead of karma whoring for first post points.
Congratulations! (Score:5, Funny)
This elusive prize is given by sharp moderators who rate your posts on the basis of what future posts might contain!
Do break your paragraphs next time.
Re:So you don't have to regsiter.... (Score:2)
"The researchers said that Google had responded quickly to their alert last month and had begun releasing a corrected version of the program on Dec. 10.
The Google desktop program includes an update feature that permits the company to automatically install new versions of the program on users' computers without user intervention or knowledge.
The Rice researchers said that it was possible for users to tell if their version of the Google program had been pa
Re:Thanks, Windows! (Score:2)
Re:Thanks, Windows! (Score:2, Funny)
Re:So (Score:2)
Personally I thought it was a problem with the program itself and not Windows. Then again I read the article so I might be more confused than someone who apparently didn't and is trying to make a lame joke.
Re:So (Score:2)
They're called grep and find.
Re:The first Test (Score:2)
Re:No update here!? (Score:3, Informative)
Re:I don't know about anyone else (Score:3, Interesting)
Re:I don't know about anyone else (Score:2, Insightful)
Re:I don't know about anyone else (Score:2)
technological advantage of the latecomer (Score:2, Interesting)
Re:How did they fix it? (Score:2, Funny)
Re:Professor Wallach taking all the credit? (Score:4, Informative)
so what? (Score:2)
Re:purpose (Score:2)
I wonder if something like this will be applied to P2P (or if it is even needed.)