A Second Google Desktop Vulnerability

zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

I'd RTFA but...

[Joebert]

What's all the fuss about ?
I'd RTFA but I'm afraid of what will happen if I do.

Hindsight...

[lordsid]

In hindsight I'm glad I never installed Google Desktop.

Re:

[jorgevillalobos]

Same here. Even when I used Windows I decided that it was kind of risky to install such an app on my desktop. Sure, it sounded tempting to have such a powerful indexing scheme and be able to find everything on your hard drive with relative ease and a very innovative UI for it, but I came to the conclusion that is was not worth it given that I don't search for files that often, and I don't want to trust Google with absolutely everything (I use gmail and Google calendar though).

It's a non-issue with Spotligh

I can't be the only one...

[Wilson_6500]

Even the experts are afraid to click on each other's links anymore.

Does anyone else think that was tremendously funny in a sixth-grade-humor sort of way? Maybe I just am up too early.

Misleading summary

[Potor]

TFA is clear that this does not refer to the Google Desktop vulnerability in specific, but rather to the general state of browser security. TFA:

"A lot of these new attack techniques are going to require the browsers to improve," Grossman said. "The users really have very little ability to protect themselves against these attacks" he said. "It's very bad. Even the experts are afraid to click on each other's links anymore."

Re:

[CCFreak2K]

You missed the point of the grandparent which, I'll give you a hint, has something to do with the word "phallic."

Re:

[1010110010]

Or too late.

Experts?

[notlisted]

"Even the experts are afraid to click on each other's links anymore."

Umm.. Google desktop runs on Windows.. Seriously, how many "security experts" do you know running Windows?

Re:Experts?

[MichaelSmith]

Seriously, how many "security experts" do you know running Windows?

Since most of the money (and challenges) for security is on Windows, I supose they could hardly be using anything else.

Re:

[notlisted]

Since most of the money (and challenges) for security is on Windows, I supose they could hardly be using anything else.

Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".

Re:

[MichaelSmith]

Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".

Yes, I agree with you. But where I work if you are in any senior position you would be running windows on your desktop. Our "IT manager" has no IT experience at all, beyond knowing who has what contracts. Thats the guy in charge of security.

Re:

[notlisted]

Our "IT manager" has no IT experience at all, beyond knowing who has what contracts. Thats the guy in charge of security.

..and as such, would definitely not be considered a "security expert". Anyone that doesn't understand the concept of privilege separation probably should be afraid to click on urls.

Re:

[ortholattice]

> Our "IT manager" has no IT experience at all, beyond knowing who has what contracts. Thats the guy in charge of security.

That's about as sensible as hiring blind paraplegics to deliver pizza. Your company deserves to have IT disaster after IT disaster; maybe eventually they'll wake up to the reality that computers aren't easy.

A manager doesn't deliver pizzas (in a big enough operation). A blind paraplegic, if competent, could probably manage it just fine.

I agree that it would be better for a

Re:

[OnlineAlias]

But what he will do is listen to every vendor that comes down the pike. Approve hair brained projects that do little or nothing for security. Be vulnerable to others in the organization who think that they know about security. I could go on and on.

The security manager who knows nothing about security is probably the most damaging and costly in all of IT.

Re:Experts?

[value_added]

[T]hey run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation.

BSD isn't supported as a VMWare host OS.

Re:

[daveschroeder]

VMWare Workstation officially supports [vmware.com] FreeBSD as a guest. Parallels Workstation for Windows and Linux and Parallels Desktop for Mac OS X officially supports [parallels.com] FreeBSD as a guest.

Of course, many other *BSDs will also work fine under VMWare and Parallels products as well, even if officially "unsupported".

Re:

[flosofl]

guest!=host

Try reading what he wrote, again.

Re:

[daveschroeder]

I utterly misread what he said. For some reason, I jumped to the conclusion that the post to which he was replying was saying that they ran UNIXes or BSDs as guests inside of VMware on a *Windows* host, but they were really making the opposite assertion, which he answered correctly. I glossed over the "host" thing completely, and when I saw "BSD" and "VMware", immediately assumed it was another person who didn't think any BSD was supported as a *guest* under VMWare.

So yes, my reply was totally not speaking

Re:

[okinawa_hdr]

Good point.

Re:

[TodMinuit]

A lot, kid.

Re:

[notlisted]

Not sure if you consider he as a security expert but Joanna Rutkowska uses Windows Vista. She was running Windows XP 64 bit before Vista was released IIRC.

And if you check out her "about" [invisiblethings.org] page on her personal site you'll see she runs Linux as her OS of choice. The Windows system she uses for testing.

"Soon after she switched to Linux world, got involved with some system and kernel programming, focusing on exploit development for both Linux and Windows x86 systems."

Re:Experts?

[MillionthMonkey]

Seriously, how many "security experts" do you know running Windows?

Not me. *I* find my Windows XP SP2 vulnerabilities using a Commodore 64 and a Commodore 1541 disk drive with a VM in its controller.

Re:

[notlisted]

Not me. *I* find my Windows XP SP2 vulnerabilities using a Commodore 64 and a Commodore 1541 disk drive with a VM in its controller.

Ah jeez.. Sorry I wasn't clear enough for Captain Sarcasm... Let me revise: Seriously, how many "security experts" do you know that store sensitive personal/business data on a Windows account under the same permissions as the process running the web browser?

No shit they still use Windows for testing.. Sorry I didn't dumb that down enough for you first time. My bad.

Re:

[enharmonix]

Seriously, how many "security experts" do you know running Windows?

That's like asking, "Seriously, how many 'cultural anthropologists' do you know working in Borneo?" or "how many 'astronauts' do you know working in space?" Where do you expect them to be, Boston? You go where the action is.

Afraid to click on links?

[Whiney Mac Fanboy]

A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

That's all those "security experts" out there who use Google Desktop (yeeesh).

Google Desktop pre-loaded on Dells

[PoconoPCDoctor]

I noticed a while ago that Google Desktop was preloaded on the Dells we buy. These Dells can wind up in areas that might access patient information. Since this is a major research hospital/medical school, I brought my concerns to the security group (HIPAA laws mandate privacy for patient information). Dell/Google assured us that this was a non-issue.

The end result was that not much happened.

My take? I still uninstall it whenever I see it.

Re:Google Desktop pre-loaded on Dells

[synx]

Any hospital that is using whatever Dell or HP or any vendor has pre-installed on a box is being irresponsible.

Those Dells should have been wiped and had a secure configuration reloaded. Yeeeesh

What hospital are you at, so I can avoid it?

Re:

[Anonymous Coward]

I'm just wondering why PCs with patient files on them are connected to the internet?

Re:

[zoftie]

i would think any large place would have their own pre-cleaned product image, that computers can be zapped with, to remove any possible fluff that might compromised the overall business process.
just a thought.
google is in business of search, and rich client software development. as such i don't see it as issue. People shouldn't use such internet warts. Service based ware always was pain...
Java script is pretty cool, but it has been bane for many people who develop reliable sites for wide market audience. Wh

Re:

[PoconoPCDoctor]

We do and we don't have an image. The hospital side does, the school side doesn't. Also, users are set up as admin, install Google Desktop and other junk.

This may be changing in the near future, but my point was that Dell didn't fix their image to fit our environment, even though thye sold a lot of systems. Guess Dell likes it when HP gains market share?

Welcome to ubiquity, Google

[caywen]

I wonder how many more exploits would be found if Google Desktop ended up on 90% of desktop computers?

Re:

[Naurgrim]

I wonder how many more exploits would be found if Google Desktop ended up on 90% of desktop computers?

What with bundling, I'm seeing Google Desktop preinstalled on almost every new PC I work on. Dell, Lenovo, HP all seem to do so now.

Why Google Desktop is too frustrating to be used

[Cato]

Google Desktop says that it automatically updates itself, but that doesn't work, and there's no 'force an update' feature as with Firefox.

More infuriatingly, Google Desktop also doesn't understand that emails that it indexes in my Outlook Inbox won't stay there forever due to restrictions on server mailbox size, and doesn't re-index them when they move to an offline .PST file. So I frequently find an email, then try to open it in Outlook, then find I can't and have to find it manually by date/time. Same issue with files that are renamed or moved. Many people have complained about this, but the Google Desktop team ignored this, and instead spent their time producing the incredibly useless widgets, rather than *making the search features really work well*.

Google Desktop still doesn't support the use of '-' to join two words, i.e. "foo bar" can be written as foo-bar. And the Google Desktop results within Outlook are still not a proper Outlook result list (as with Outlook Find), so you can't just drag items into a new email as attachments - no, you have to open up the email (if it can find it...), use Outlook to copy it to a temp folder, then drag from that folder into the new email.

Google Desktop is simply too annoying to use any more, even though I've used it from version 1, and is actually a very un-Google-like product. Unlike the core Google.com search, which has been quietly optimised over the years to add stemming, proximity, spelling correction, etc, Google Desktop is actually a rather mediocre and barely usable desktop search tool whose primary benefit is that it integrates well with Google Toolbar.

Re:Why Google Desktop is too frustrating to be use

[Mascot]

Google Desktop says that it automatically updates itself, but that doesn't work, and there's no 'force an update' feature as with Firefox.

They seem to be having some issues with auto updating in general. Google Talk on my home computer lags behind the one on my work computer, and no amount of manually clicking "Check for updates now" will update it.

I asked Google about it, and they told me to uninstall, download new version, install. Which I did. But that was a few versions ago and I'm now lagging behind ag

Re:

[SuperQ]

It's called a controlled roll-out. It saves bandwidth and if a bug is found that breaks users, you can roll back or fix it without causing everyone to be broken all at once. It's a much better way of doing things than having "Patch Tuesday"

Re:

[Mascot]

You work at Google and can vouch for that? Because the reply I got was quite clear that doing a "check for updates" should've done the trick.

Not to mention that I'm talking about weeks and weeks of lag here, not a few days. For example I was still at 1.0.0.100 when I wrote the original post, while 104 was released at the turn of the year.

Re:Why Google Desktop is too frustrating to be use

[costas]

To add to your list: GDS doesn't index Outlook/email attachments even if they are in a format that it does know how to index. Like you mention, it doesn't deal well with documents moving from one location to another (not just within Outlook, anywhere in the filesystem). And the bug you mention about email is much worse than just not able to locate a moved email: it means that spam that gets moved by a client-filter to a folder you've told GDS not to index, will still be in the GDS index because it usually

Re:

[timcrews]

GDS does have a "re-index" now option. Options...Indexing...Re-Index.

Re:Why Google Desktop is too frustrating to be use

[jagdish]

A good alternative to google desktop is AvaFind. It is shareware, but the features are just as good. And the best thing is that it indexes the whole disk in about half a minute.
Download link http://www.think-less-do-more.com/avafind/download / [think-less-do-more.com]

The root cause and how I avoid it

[Wills]

This kind of security bug never affects me for a simple reason -- I permanently turn off Javascript. But the main issue for me is actually not a concern about security; afterall serious holes tend to be fixed quickly. The issue is that I use the web primarily to to find information, to study, to learn and when I do those things, what I am mostly doing is reading text . I don't need fancy "interactivity" features which would be a distraction from reading text. I don't need the additional "beauty" that CSS enables. All I need is a good font and then I read. In other words, I am completely and totally satisfied with how web was in 1995 based on web standards of that time -- so-called Web 1.0. For me, this is very productive. I don't use Google Desktop.

I realise there are many other people who see Web 1.0 as too limited for all the usual reasons, e.g. because they want interactivity features, or Flash movies, or proper CSS support for different display devices, etc, all of which are good reasons for them and do require the use of Javascript / AJAX. I don't need any of that, however, so I disable Javascript. I have yet to find a website with textual information that could not have been written or read by me based on good old HTML. Another reason I prefer websites that avoid relying heavily upon Javascript, even to make simple links between webpages, is that they can be properly indexed by search engines.

Re:

[marcello_dl]

I agree in keeping as much as possible info as textual. Youtube videos animations flash... all things that in the end make it more difficult to classify and search for acquired info. It seems strange you equate css with js though. I don't recall many holes in the css rendering, nor them having a different quality than html rendering holes.

I'd not consider the speed of patching security holes because that starts from the official discovering of a vulnerability, which can happen well after black hat hackers h

Re:

[Wills]

I wasn't equating CSS with Javascript. I was saying I don't need Javascript or CSS. I therefore disable both. This has the side-effect of reducing the attackable surface of my browser, although in practice it may not be much of an issue because security holes tend to be fixed quickly, and anyway, as I said, that's not the main issue for me. The issue is that I need and am completely satisfied with only text, a good font and simple, good old fashioned HTML for linking between webpages and for (sparingly) emb

Re:

[Raenex]

I agree, up to a point. I do most of my browsing with Javascript disabled, cookies disabled, use my own font & colors, and turn off images that don't come from the original site. All this along with AdBlock leads to a suprisingly good web experience. However, when it comes to online shopping, banking, and stuff like Google Maps, I can't do without Javascript, so I use a separate browser with all the bells & whistles enabled just for that.

Quick fix

[infonote]

Vulnerabilities exist and will continue to exist. As long as it is fixed within a short period of time it is ok. Saying that, If I was a manager in a commercial organization, I would never allow Google Desktop on my employees computers as online security is still in its infancy.

People keep complaining bout my sig

[TheLink]

People keep complaining about my sig. But they should just learn.

Browsers suck. javascript is unsafe and most sites/webapps don't sign url/form parameters. So learn to think before you click.

And if you are thinking of clicking on some strange stuff, open a pristine VM, and use a clean browser there (you can even "sort of" put the VM on a different network from your computer - get two NICs).

Re:

[AlHunt]

>People keep complaining about my sig. But they should just learn.

Maybe. Doesn't mean you're not a dick, though.

Re:

[TheLink]

Yeah, but I'm a harmless dick. So hopefully people learn from that, and don't click on something that causes big problems.

There really is plenty that can be done nowadays, and the url shortening sites make it possible to do even more "interesting" stuff.

For example: some discussion boards only check the url endings to see if it ends with jpg or gif before allowing you to specify it as your avatar.

Most url shortening sites allow you to add /blah.jpg to the shortened url without grumbling, and they will just

Who uses this crap anyway?

[Anonymous Coward]

I tried google desktop... consumed 10gb of disk space, had a process that ran 100% cpu eating nearly 700MB of ram, and kept indexing usb devices so you couldn't eject them. All this and it couldn't tell when you moved a file from one directory to another... or deleted it entirely! Hell the Windows XP "Search" can at least find a file if you know the name of it.

Re:

[Nasarius]

Yeah, that was my impression too. The index file gets ridiculously large, and apparently it has no mechanism for detecting when a file has been deleted. Garbage. Vista's built-in search is probably superior for most users, even though it doesn't index the contents of files. KDE 4 will have some nifty search technology (Tenor), but time will tell if it's done right.

Overconfidence?

[gweihir]

It seems to me Google urgently needs to hire some people that really understand software security and give them real influence on design decision. Making it work only does not cut it today, not if you are a high-profile target....

Doesn't affect all Google Desktop users

[fname]

This doesn't appear to affect all Google Desktop users. The article talks about data being intercepted as it is sent to Google. IOW, this is only applicable for users who are storing a complete index of their hard drive on Google's servers. As if that wasn't an obvious security threat!

Simple solution: make sure you disable the "feature" allowing you to index your hard drive on Google's servers. IMHO, a terrible feature that has caused Google far more harm than good. Many companies have banned Google Desktop because of this capability. It was even more inexcusable when it was enabled by default.

Moral of the story: even if they aim to "do no evil," Google's self-assuredness often leaves the user paying the price for Google's mistakes.

Re:

[blchrist]

If you read the whole whitepaper [watchfire.com], the authors say (p15) that an attacker could use the vulnerability to turn on the "search across computers" feature.
The whitepaper is well written and worth the read. It's a pretty scary vulnerability.

Mod parent up

[fname]

Wow. I just read the white paper, and it appears that one way to exploit this security flaw is to enable "Search across computers," but it's not necessary for the attack. This is a giant hole. I use Google Desktop every day, and I have no choice except to disable it. I was a big Google Desktop booster, but there's no way I can use it now.

Any recommendations on a good, safe desktop search application?

Snort signatures here:

[farker haiku]

I've said it before [slashdot.org] and I'll say it again. Snort signatures available here [bleedingsnort.com]