News for nerds, stuff that matters

A Second Google Desktop Vulnerability

Posted by kdawson on Sun Feb 25, 2007 03:47 AM
from the anti-anti-anti-DNS-pinning dept.
zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"
  • I'd RTFA but... (Score:5, Funny)

    by Joebert (946227) on Sunday February 25 2007, @03:54AM (#18141536)
    What's all the fuss about ?
    I'd RTFA but I'm afraid of what will happen if I do.
  • Hindsight... (Score:1)

    by lordsid (629982) on Sunday February 25 2007, @03:58AM (#18141568)
    In hindsight I'm glad I never installed Google Desktop.
    • Re:Hindsight... by jorgevillalobos (Score:2) Sunday February 25 2007, @07:27AM
  • I can't be the only one... (Score:3, Interesting)

    by Wilson_6500 (896824) on Sunday February 25 2007, @04:08AM (#18141628)
    Even the experts are afraid to click on each other's links anymore.

    Does anyone else think that was tremendously funny in a sixth-grade-humor sort of way? Maybe I just am up too early.
    • Misleading summary (Score:5, Informative)

      by Potor (658520) on Sunday February 25 2007, @04:22AM (#18141678)
      (Last Journal: Monday October 01, @08:54AM)
      TFA is clear that this does not refer to the Google Desktop vulnerability in specific, but rather to the general state of browser security. TFA:

      "A lot of these new attack techniques are going to require the browsers to improve," Grossman said. "The users really have very little ability to protect themselves against these attacks" he said. "It's very bad. Even the experts are afraid to click on each other's links anymore."
    • Re:I can't be the only one... by 1010110010 (Score:1) Sunday February 25 2007, @04:26AM
  • Experts? (Score:3, Insightful)

    by notlisted (645771) on Sunday February 25 2007, @04:12AM (#18141640)
    "Even the experts are afraid to click on each other's links anymore."

    Umm.. Google desktop runs on Windows.. Seriously, how many "security experts" do you know running Windows?
    • Re:Experts? (Score:4, Insightful)

      by MichaelSmith (789609) on Sunday February 25 2007, @04:18AM (#18141668)
      (http://netapps.com.au/)

      Seriously, how many "security experts" do you know running Windows?

      Since most of the money (and challenges) for security is on Windows, I suppose they could hardly be using anything else.

      • Re:Experts? by notlisted (Score:3) Sunday February 25 2007, @04:29AM
        • Re:Experts? by MichaelSmith (Score:3) Sunday February 25 2007, @04:56AM
          • Re:Experts? by notlisted (Score:1) Sunday February 25 2007, @05:09AM
          • Re:Experts? by ortholattice (Score:2) Sunday February 25 2007, @07:20AM
            • Re:Experts? by OnlineAlias (Score:1) Sunday February 25 2007, @10:31AM
        • Re:Experts? (Score:4, Informative)

          by value_added (719364) on Sunday February 25 2007, @08:05AM (#18142468)
          [T]hey run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation.

          BSD isn't supported as a VMWare host OS.
          • Re:Experts? by daveschroeder (Score:2) Sunday February 25 2007, @10:08AM
            • Re:Experts? by flosofl (Score:2) Sunday February 25 2007, @12:12PM
              • Re:Experts? by daveschroeder (Score:2) Sunday February 25 2007, @12:38PM
    • Re:Experts? by okinawa_hdr (Score:1) Sunday February 25 2007, @04:31AM
    • Re:Experts? by TodMinuit (Score:2) Sunday February 25 2007, @04:36AM
    • Re:Experts? (Score:4, Funny)

      by MillionthMonkey (240664) on Sunday February 25 2007, @04:52AM (#18141820)
      (Last Journal: Wednesday January 31 2007, @02:25AM)

      Seriously, how many "security experts" do you know running Windows?

      Not me. *I* find my Windows XP SP2 vulnerabilities using a Commodore 64 and a Commodore 1541 disk drive with a VM in its controller.
      • Re:Experts? by notlisted (Score:1) Sunday February 25 2007, @05:31AM
    • Re:Experts? by enharmonix (Score:2) Sunday February 25 2007, @10:42AM
    • Re:Joanna Rutkowska? by notlisted (Score:2) Sunday February 25 2007, @05:06AM
  • A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

    That's all those "security experts" out there who use Google Desktop (yeeesh).
  • Welcome to ubiquity, Google (Score:3, Interesting)

    by caywen (942955) on Sunday February 25 2007, @04:50AM (#18141804)
    I wonder how many more exploits would be found if Google Desktop ended up on 90% of desktop computers?
  • by Cato (8296) on Sunday February 25 2007, @05:04AM (#18141868)
    Google Desktop says that it automatically updates itself, but that doesn't work, and there's no 'force an update' feature as with Firefox.

    More infuriatingly, Google Desktop also doesn't understand that emails that it indexes in my Outlook Inbox won't stay there forever due to restrictions on server mailbox size, and doesn't re-index them when they move to an offline .PST file. So I frequently find an email, then try to open it in Outlook, then find I can't and have to find it manually by date/time. Same issue with files that are renamed or moved. Many people have complained about this, but the Google Desktop team ignored this, and instead spent their time producing the incredibly useless widgets, rather than *making the search features really work well*.

    Google Desktop still doesn't support the use of '-' to join two words, i.e. "foo bar" can be written as foo-bar. And the Google Desktop results within Outlook are still not a proper Outlook result list (as with Outlook Find), so you can't just drag items into a new email as attachments - no, you have to open up the email (if it can find it...), use Outlook to copy it to a temp folder, then drag from that folder into the new email.

    Google Desktop is simply too annoying to use any more, even though I've used it from version 1, and is actually a very un-Google-like product. Unlike the core Google.com search, which has been quietly optimised over the years to add stemming, proximity, spelling correction, etc, Google Desktop is actually a rather mediocre and barely usable desktop search tool whose primary benefit is that it integrates well with Google Toolbar.
  • The root cause and how I avoid it (Score:5, Insightful)

    by Wills (242929) on Sunday February 25 2007, @05:19AM (#18141944)
    This kind of security bug never affects me for a simple reason -- I permanently turn off JavaScript. But the main issue for me is actually not a concern about security; after all, serious holes tend to be fixed quickly. The issue is that I use the web primarily to find information, to study, to learn, and when I do those things, what I am mostly doing is reading text. I don't need fancy "interactivity" features which would be a distraction from reading text. I don't need the additional "beauty" that CSS enables. All I need is a good font and then I read. In other words, I am completely and totally satisfied with how the web was in 1995 based on web standards of that time -- so-called Web 1.0. For me, this is very productive. I don't use Google Desktop.

    I realise there are many other people who see Web 1.0 as too limited for all the usual reasons, e.g. because they want interactivity features, or Flash movies, or proper CSS support for different display devices, etc, all of which are good reasons for them and do require the use of Javascript / AJAX. I don't need any of that, however, so I disable Javascript. I have yet to find a website with textual information that could not have been written or read by me based on good old HTML. Another reason I prefer websites that avoid relying heavily upon Javascript, even to make simple links between webpages, is that they can be properly indexed by search engines.

  • Quick fix (Score:5, Insightful)

    by infonote (1065258) on Sunday February 25 2007, @05:26AM (#18141968)
    (http://www.kaizenlog.com/)
    Vulnerabilities exist and will continue to exist. As long as it is fixed within a short period of time it is ok. Having said that, if I were a manager in a commercial organization, I would never allow Google Desktop on my employees' computers, as online security is still in its infancy.
  • People keep complaining bout my sig (Score:4, Interesting)

    by TheLink (130905) on Sunday February 25 2007, @06:10AM (#18142058)
    (Last Journal: Saturday January 06 2007, @01:13AM)
    People keep complaining about my sig. But they should just learn.

    Browsers suck. JavaScript is unsafe and most sites/webapps don't sign URL/form parameters. So learn to think before you click.

    And if you are thinking of clicking on some strange stuff, open a pristine VM, and use a clean browser there (you can even "sort of" put the VM on a different network from your computer - get two NICs).
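    TheLink's remark about sites not signing their URL/form parameters, worked through as an added example that is not from the thread: a web app signs the parameters of the links it generates with an HMAC plus an expiry, so a link whose parameters were altered, or one forged from another site, fails verification server-side. The secret, the URLs and the TTL are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo secret; a real deployment loads it from a secrets store.
SECRET = b"constructed-demo-secret-do-not-reuse"
TTL = 300  # seconds a signed link stays valid


def _canonical(items):
    # Sort the (key, value) pairs so parameter order cannot alter the MAC input.
    return urlencode(sorted(items)).encode()


def sign_url(base, params, secret=SECRET, now=None):
    """Return base URL with params plus 'exp' (expiry) and 'sig' (HMAC) appended."""
    exp = int(now if now is not None else time.time()) + TTL
    items = list(params.items()) + [("exp", str(exp))]
    mac = hmac.new(secret, _canonical(items), hashlib.sha256).hexdigest()
    items.append(("sig", mac))
    return base + "?" + urlencode(items)


def verify_url(url, secret=SECRET, now=None):
    """Return the verified parameters as a dict, or None if the link carries
    no signature, was tampered with, or has expired."""
    query = urlsplit(url).query
    params = parse_qsl(query, keep_blank_values=True)
    sig = dict(params).get("sig")
    if sig is None:
        return None
    # Every parameter except the signature itself is covered by the MAC,
    # so an attacker cannot add, drop or reorder parameters unnoticed.
    unsigned = [(k, v) for k, v in params if k != "sig"]
    expected = hmac.new(secret, _canonical(unsigned), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be recovered via timing.
    if not hmac.compare_digest(expected, sig):
        return None
    verified = dict(unsigned)
    try:
        exp = int(verified.pop("exp"))
    except (KeyError, ValueError):
        return None
    if int(now if now is not None else time.time()) > exp:
        return None
    return verified
```

Any parameter a page must trust (record ids, actions, redirect targets) goes through sign_url when the link is emitted and verify_url when it is received; a link pasted from a hostile page without a valid sig is simply refused.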

  • Who uses this crap anyway? (Score:2, Interesting)

    by Anonymous Coward on Sunday February 25 2007, @06:44AM (#18142154)
    I tried Google Desktop... consumed 10 GB of disk space, had a process that ran 100% CPU eating nearly 700 MB of RAM, and kept indexing USB devices so you couldn't eject them. All this and it couldn't tell when you moved a file from one directory to another... or deleted it entirely! Hell, the Windows XP "Search" can at least find a file if you know the name of it.
  • Overconfidence? (Score:2)

    by gweihir (88907) on Sunday February 25 2007, @07:32AM (#18142342)
    It seems to me Google urgently needs to hire some people that really understand software security and give them real influence on design decisions. Making it work only does not cut it today, not if you are a high-profile target...
  • by fname (199759) * on Sunday February 25 2007, @10:48AM (#18143276)
    (Last Journal: Wednesday June 22 2005, @11:11AM)
    This doesn't appear to affect all Google Desktop users. The article talks about data being intercepted as it is sent to Google. IOW, this is only applicable for users who are storing a complete index of their hard drive on Google's servers. As if that wasn't an obvious security threat!

    Simple solution: make sure you disable the "feature" allowing you to index your hard drive on Google's servers. IMHO, a terrible feature that has caused Google far more harm than good. Many companies have banned Google Desktop because of this capability. It was even more inexcusable when it was enabled by default.

    Moral of the story: even if they aim to "do no evil," Google's self-assuredness often leaves the user paying the price for Google's mistakes.
  • Snort signatures here: (Score:3, Interesting)

    by farker haiku (883529) on Sunday February 25 2007, @10:49AM (#18143286)
    I've said it before [slashdot.org] and I'll say it again. Snort signatures available here [bleedingsnort.com]