A Second Google Desktop Vulnerability

zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"
  • Experts? (Score:3, Insightful)

    by notlisted ( 645771 ) on Sunday February 25, 2007 @05:12AM (#18141640)
    "Even the experts are afraid to click on each other's links anymore."

    Umm.. Google desktop runs on Windows.. Seriously, how many "security experts" do you know running Windows?
  • Re:Experts? (Score:4, Insightful)

    by MichaelSmith ( 789609 ) on Sunday February 25, 2007 @05:18AM (#18141668) Homepage Journal

    Seriously, how many "security experts" do you know running Windows?

    Since most of the money (and challenges) for security is on Windows, I suppose they could hardly be using anything else.

  • Re:Experts? (Score:3, Insightful)

    by notlisted ( 645771 ) on Sunday February 25, 2007 @05:29AM (#18141724)

    Since most of the money (and challenges) for security is on Windows, I suppose they could hardly be using anything else.

    Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".
  • by Cato ( 8296 ) on Sunday February 25, 2007 @06:04AM (#18141868)
    Google Desktop says that it automatically updates itself, but that doesn't work, and there's no 'force an update' feature as with Firefox.

    More infuriatingly, Google Desktop also doesn't understand that emails that it indexes in my Outlook Inbox won't stay there forever due to restrictions on server mailbox size, and doesn't re-index them when they move to an offline .PST file. So I frequently find an email, then try to open it in Outlook, then find I can't and have to find it manually by date/time. Same issue with files that are renamed or moved. Many people have complained about this, but the Google Desktop team ignored this, and instead spent their time producing the incredibly useless widgets, rather than *making the search features really work well*.

    Google Desktop still doesn't support the use of '-' to join two words, i.e. "foo bar" can be written as foo-bar. And the Google Desktop results within Outlook are still not a proper Outlook result list (as with Outlook Find), so you can't just drag items into a new email as attachments - no, you have to open up the email (if it can find it...), use Outlook to copy it to a temp folder, then drag from that folder into the new email.

    Google Desktop is simply too annoying to use any more, even though I've used it from version 1, and is actually a very un-Google-like product. Unlike the core Google.com search, which has been quietly optimised over the years to add stemming, proximity, spelling correction, etc, Google Desktop is actually a rather mediocre and barely usable desktop search tool whose primary benefit is that it integrates well with Google Toolbar.
  • by Wills ( 242929 ) on Sunday February 25, 2007 @06:19AM (#18141944)
    This kind of security bug never affects me for a simple reason -- I permanently turn off Javascript. But the main issue for me is actually not a concern about security; after all serious holes tend to be fixed quickly. The issue is that I use the web primarily to find information, to study, to learn and when I do those things, what I am mostly doing is reading text. I don't need fancy "interactivity" features which would be a distraction from reading text. I don't need the additional "beauty" that CSS enables. All I need is a good font and then I read. In other words, I am completely and totally satisfied with how the web was in 1995 based on web standards of that time -- so-called Web 1.0. For me, this is very productive. I don't use Google Desktop.

    I realise there are many other people who see Web 1.0 as too limited for all the usual reasons, e.g. because they want interactivity features, or Flash movies, or proper CSS support for different display devices, etc, all of which are good reasons for them and do require the use of Javascript / AJAX. I don't need any of that, however, so I disable Javascript. I have yet to find a website with textual information that could not have been written or read by me based on good old HTML. Another reason I prefer websites that avoid relying heavily upon Javascript, even to make simple links between webpages, is that they can be properly indexed by search engines.

  • Quick fix (Score:5, Insightful)

    by infonote ( 1065258 ) on Sunday February 25, 2007 @06:26AM (#18141968) Homepage
    Vulnerabilities exist and will continue to exist. As long as it is fixed within a short period of time it is ok. Saying that, if I was a manager in a commercial organization, I would never allow Google Desktop on my employees' computers as online security is still in its infancy.
  • by synx ( 29979 ) on Sunday February 25, 2007 @06:31AM (#18141986)
    Any hospital that is using whatever Dell or HP or any vendor has pre-installed on a box is being irresponsible.

    Those Dells should have been wiped and had a secure configuration reloaded. Yeeeesh

    What hospital are you at, so I can avoid it?
  • by costas ( 38724 ) on Sunday February 25, 2007 @12:13PM (#18143446) Homepage
    To add to your list: GDS doesn't index Outlook/email attachments even if they are in a format that it does know how to index. Like you mention, it doesn't deal well with documents moving from one location to another (not just within Outlook, anywhere in the filesystem). And the bug you mention about email is much worse than just not able to locate a moved email: it means that spam that gets moved by a client-filter to a folder you've told GDS not to index, will still be in the GDS index because it usually indexes it before the spam filter gets to move it. So, your index eventually gets clogged up with spam too.

    It gets worse: GDS actually "forgets" about documents it has previously indexed (so results get *worse* over time, not better). And its index keeps growing (yes, even though its results are getting worse). And as the parent mentions, it doesn't have a "re-index now" option, so you are forced to uninstall and re-install.

    The only good thing about GDS is its integration with google.com (who's embracing and extending now?). I am no MS apologist and I put up with GDS for over 1.5 years, but I switched to Windows Desktop Search and never looked back: WDS is head-and-shoulders above GDS (BTW, it can be downloaded into XP and is pretty much the same as the WDS in Vista): better results, better UI, way better integration with Windows, smaller index, ability to re-set the index whenever and faster to index the drive than GDS to begin with. WDS started life as Lookout, a third-party freeware app that was bought by MS, and it was better than GDS back then (oh what 4 years ago?).

    If only developers would embrace WDS to fix some obvious shortcomings (no Firefox/Thunderbird indexing, no hotkeys like GDS). I doubt Microsoft has anything to fear from Google competing for the desktop if GDS is any indication...
