A Second Google Desktop Vulnerability

zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

I'd RTFA but...

[Joebert (946227)]

What's all the fuss about ?
I'd RTFA but I'm afraid of what will happen if I do.

I can't be the only one...

[Wilson_6500 (896824)]

Even the experts are afraid to click on each other's links anymore.

Does anyone else think that was tremendously funny in a sixth-grade-humor sort of way? Maybe I just am up too early.

Misleading summary

[Potor (658520)]

TFA is clear that this does not refer to the Google Desktop vulnerability in specific, but rather to the general state of browser security. TFA:

"A lot of these new attack techniques are going to require the browsers to improve," Grossman said. "The users really have very little ability to protect themselves against these attacks" he said. "It's very bad. Even the experts are afraid to click on each other's links anymore."

Experts?

[notlisted (645771)]

"Even the experts are afraid to click on each other's links anymore."

Umm.. Google desktop runs on Windows.. Seriously, how many "security experts" do you know running Windows?

Re:Experts?

[MichaelSmith (789609)]

Seriously, how many "security experts" do you know running Windows?

Since most of the money (and challenges) for security is on Windows, I supose they could hardly be using anything else.

Re:

[notlisted (645771)]

Since most of the money (and challenges) for security is on Windows, I supose they could hardly be using anything else.

Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".

Re:

[MichaelSmith (789609)]

Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".

Yes, I agree with you. But where I work if you are in any senior position you would be running windows on your desktop. Our "IT manager" has no IT experience at all, beyond knowing who has what contracts. Thats the guy in charge of security.

Re:Experts?

[value_added (719364)]

[T]hey run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation.

BSD isn't supported as a VMWare host OS.

Re:

[TodMinuit (1026042)]

A lot, kid.

Re:Experts?

[MillionthMonkey (240664)]

Seriously, how many "security experts" do you know running Windows?

Not me. *I* find my Windows XP SP2 vulnerabilities using a Commodore 64 and a Commodore 1541 disk drive with a VM in its controller.

Re:

[notlisted (645771)]

Not sure if you consider he as a security expert but Joanna Rutkowska uses Windows Vista. She was running Windows XP 64 bit before Vista was released IIRC.

And if you check out her "about" [invisiblethings.org] page on her personal site you'll see she runs Linux as her OS of choice. The Windows system she uses for testing.

"Soon after she switched to Linux world, got involved with some system and kernel programming, focusing on exploit development for both Linux and Windows x86 systems."

Afraid to click on links?

[Whiney Mac Fanboy (963289)]

A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

That's all those "security experts" out there who use Google Desktop (yeeesh).

Google Desktop pre-loaded on Dells

[PoconoPCDoctor (912001)]

I noticed a while ago that Google Desktop was preloaded on the Dells we buy. These Dells can wind up in areas that might access patient information. Since this is a major research hospital/medical school, I brought my concerns to the security group (HIPAA laws mandate privacy for patient information). Dell/Google assured us that this was a non-issue.

The end result was that not much happened.

My take? I still uninstall it whenever I see it.

Re:Google Desktop pre-loaded on Dells

[synx (29979)]

Any hospital that is using whatever Dell or HP or any vendor has pre-installed on a box is being irresponsible.

Those Dells should have been wiped and had a secure configuration reloaded. Yeeeesh

What hospital are you at, so I can avoid it?

Welcome to ubiquity, Google

[caywen (942955)]

I wonder how many more exploits would be found if Google Desktop ended up on 90% of desktop computers?

Why Google Desktop is too frustrating to be used

[Cato (8296)]

Google Desktop says that it automatically updates itself, but that doesn't work, and there's no 'force an update' feature as with Firefox.

More infuriatingly, Google Desktop also doesn't understand that emails that it indexes in my Outlook Inbox won't stay there forever due to restrictions on server mailbox size, and doesn't re-index them when they move to an offline .PST file. So I frequently find an email, then try to open it in Outlook, then find I can't and have to find it manually by date/time. Same issue with files that are renamed or moved. Many people have complained about this, but the Google Desktop team ignored this, and instead spent their time producing the incredibly useless widgets, rather than *making the search features really work well*.

Google Desktop still doesn't support the use of '-' to join two words, i.e. "foo bar" can be written as foo-bar. And the Google Desktop results within Outlook are still not a proper Outlook result list (as with Outlook Find), so you can't just drag items into a new email as attachments - no, you have to open up the email (if it can find it...), use Outlook to copy it to a temp folder, then drag from that folder into the new email.

Google Desktop is simply too annoying to use any more, even though I've used it from version 1, and is actually a very un-Google-like product. Unlike the core Google.com search, which has been quietly optimised over the years to add stemming, proximity, spelling correction, etc, Google Desktop is actually a rather mediocre and barely usable desktop search tool whose primary benefit is that it integrates well with Google Toolbar.

Re:Why Google Desktop is too frustrating to be use

[costas (38724)]

To add to your list: GDS doesn't index Outlook/email attachments even if they are in a format that it does know how to index. Like you mention, it doesn't deal well with documents moving from one location to another (not just within Outlook, anywhere in the filesystem). And the bug you mention about email is much worse than just not able to locate a moved email: it means that spam that gets moved by a client-filter to a folder you've told GDS not to index, will still be in the GDS index because it usually

The root cause and how I avoid it

[Wills (242929)]

This kind of security bug never affects me for a simple reason -- I permanently turn off Javascript. But the main issue for me is actually not a concern about security; afterall serious holes tend to be fixed quickly. The issue is that I use the web primarily to to find information, to study, to learn and when I do those things, what I am mostly doing is reading text . I don't need fancy "interactivity" features which would be a distraction from reading text. I don't need the additional "beauty" that CSS enables. All I need is a good font and then I read. In other words, I am completely and totally satisfied with how web was in 1995 based on web standards of that time -- so-called Web 1.0. For me, this is very productive. I don't use Google Desktop.

I realise there are many other people who see Web 1.0 as too limited for all the usual reasons, e.g. because they want interactivity features, or Flash movies, or proper CSS support for different display devices, etc, all of which are good reasons for them and do require the use of Javascript / AJAX. I don't need any of that, however, so I disable Javascript. I have yet to find a website with textual information that could not have been written or read by me based on good old HTML. Another reason I prefer websites that avoid relying heavily upon Javascript, even to make simple links between webpages, is that they can be properly indexed by search engines.

Re:

[marcello_dl (667940)]

I agree in keeping as much as possible info as textual. Youtube videos animations flash... all things that in the end make it more difficult to classify and search for acquired info. It seems strange you equate css with js though. I don't recall many holes in the css rendering, nor them having a different quality than html rendering holes.

I'd not consider the speed of patching security holes because that starts from the official discovering of a vulnerability, which can happen well after black hat hackers h

Re:

[Wills (242929)]

I wasn't equating CSS with Javascript. I was saying I don't need Javascript or CSS. I therefore disable both. This has the side-effect of reducing the attackable surface of my browser, although in practice it may not be much of an issue because security holes tend to be fixed quickly, and anyway, as I said, that's not the main issue for me. The issue is that I need and am completely satisfied with only text, a good font and simple, good old fashioned HTML for linking between webpages and for (sparingly) emb

Quick fix

[infonote (1065258)]

Vulnerabilities exist and will continue to exist. As long as it is fixed within a short period of time it is ok. Saying that, If I was a manager in a commercial organization, I would never allow Google Desktop on my employees computers as online security is still in its infancy.

People keep complaining bout my sig

[TheLink (130905)]

People keep complaining about my sig. But they should just learn.

Browsers suck. javascript is unsafe and most sites/webapps don't sign url/form parameters. So learn to think before you click.

And if you are thinking of clicking on some strange stuff, open a pristine VM, and use a clean browser there (you can even "sort of" put the VM on a different network from your computer - get two NICs).

Who uses this crap anyway?

[by Anonymous Coward]

I tried google desktop... consumed 10gb of disk space, had a process that ran 100% cpu eating nearly 700MB of ram, and kept indexing usb devices so you couldn't eject them. All this and it couldn't tell when you moved a file from one directory to another... or deleted it entirely! Hell the Windows XP "Search" can at least find a file if you know the name of it.

Doesn't affect all Google Desktop users

[fname (199759)]

This doesn't appear to affect all Google Desktop users. The article talks about data being intercepted as it is sent to Google. IOW, this is only applicable for users who are storing a complete index of their hard drive on Google's servers. As if that wasn't an obvious security threat!

Simple solution: make sure you disable the "feature" allowing you to index your hard drive on Google's servers. IMHO, a terrible feature that has caused Google far more harm than good. Many companies have banned Google Desktop because of this capability. It was even more inexcusable when it was enabled by default.

Moral of the story: even if they aim to "do no evil," Google's self-assuredness often leaves the user paying the price for Google's mistakes.

Snort signatures here:

[farker haiku (883529)]

I've said it before [slashdot.org] and I'll say it again. Snort signatures available here [bleedingsnort.com]