Google patches serious Desktop flaw

Hole could give outsiders access to end-users' machines, potentially exposing businesses to data theft

Google quickly patched what security researchers identified Wednesday as a potentially serious cross-site scripting flaw in its popular desktop search and widget application, a hole that could leave users vulnerable to outside attack.

In a report, researchers at application security software maker Watchfire, based in Waltham, Mass., detailed an existing attack designed to exploit the Google Desktop flaw.

Watchfire said the cross-site scripting threat -- which it described as a parasitic virus -- could allow attackers to steal information from affected PCs and track end users' Web browsing habits.

Cross-site scripting (XSS) threats typically take advantage of security vulnerabilities in legitimate Web pages to inject malicious content into the browsers of people visiting the URLs or to redirect them to fraudulent sites used in phishing attacks.

Like many other XSS threats, the attack currently leveled at Google Desktop uses JavaScript code to deliver its payload.

Watchfire experts said the Google Desktop XSS problem was very dangerous for a number of reasons. Among the more serious characteristics is the malicious program's ability to affect clusters of computers connected by Google Desktop's information sharing capabilities.

This could allow attackers to spread the attack to new machines or simply steal data from multiple PCs linked by the application.

Most enterprises have invested significant amounts of time and money installing security applications to protect against the loss of sensitive data over the last several years, but a Google Desktop attack would circumvent many of those systems, leaving information on corporate desktops running the program open for potential theft.

"This attack is almost undetectable; it won't get picked up by any anti-virus system or firewall, and it can be used in a lot of different ways to harm end users," said the director of security research at Watchfire, Danny Allen.

"It allows someone using the attack to control all the applications on a computer or access the network to which an affected machine is attached, and it is almost impossible to get rid of."

As part of a demonstration of the exploit, Allen showed off how the program could be used to change the version number in the Google Desktop application itself. Doing so could allow attackers to fool users of the desktop search program into believing they have a version of the software that has been fixed for security reasons, when in fact they are still potentially vulnerable.

"Some IT security people have dismissed the impact of [cross-site scripting] attacks to a certain extent, but we wanted to highlight the potential damage that something like this could deliver," Allen said.

Media representatives at Google said that after Watchfire informed the company of the attack, engineers at the search giant created a patch for the issue that was automatically distributed to Google Desktop users. Google said it has also added a new set of security features to the latest iteration of the product to prevent similar attacks in the future. On Feb. 9, Google launched its newest version of the desktop search program, labeled Desktop 3 Beta.

Company representatives said that they have not received any reports of the vulnerability being exploited on end-users' machines.

Watchfire researchers said the new security patch appears to fix the flaw and prevent XSS attacks on users of Google Desktop whose systems have been updated.

Security analysts considering the problem said it highlighted the need for businesses to look carefully at programs such as Google Desktop that straddle the line between personal and professional PC usage.

Although the application may be very useful, and most often gets pulled into the corporate environment by people who use it at home, Google is not a maker of business-grade software and doesn't follow the same security processes as large manufacturers of such products, said John Pescatore, analyst at Gartner.

Unlike Microsoft, Oracle, or Sun Microsystems, Google does not publish regular security bulletins or even offer specific details of issues it has already fixed, Pescatore said.

That, along with the data security issues that can be introduced when Google Desktop isn't configured to bar users from inadvertently sharing search information with outsiders, poses serious questions for corporate IT administrators who must decide whether to allow people to use it in the office, according to the analyst.

"The major concern is that while Google isn't an enterprise software vendor, programs it makes, including Google Desktop, are ending up on a lot of enterprise desktops," Pescatore said. "Google doesn't expose how it does patches like Microsoft, so how does an enterprise even know if their users are working with the version that has been fixed?"

As malware writers and phishing scheme operators continue to hone their attacks to steal smaller amounts of valuable data from pools of targeted users, and move further away from the massive worm viruses of years past, the IT world will see more XSS threats.

"There will be more funded cyber-crime attacks aimed at specific companies and groups of users, and the size of the threats is such, by design, that they won't land on the six o'clock news," Pescatore said. "The perpetrators will continue to increase the volume of these types of threats, and cross-site scripting and targeted phishing will likely be among their favorite formats for doing so."

The bug, which was made public Wednesday by Watchfire, has now been fixed. While Google is automatically delivering a patch, Google Desktop users who want to be sure they are running the latest version of the software can download it here. Users should be running version 5.0.701.30540 or later, said Google Spokesman Barry Schnitt.
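For administrators facing Pescatore's question of how to tell which users are on the fixed build, the following is an added example (not from the article or from Google) that compares an inventoried Google Desktop version string against the 5.0.701.30540 minimum quoted above; how the version string is collected from each host is assumed to be handled elsewhere, and the host inventory is constructed sample data.

```python
"""Flag Google Desktop installs below the patched minimum version."""
import re

# Minimum fixed version quoted in the article.
MIN_FIXED = "5.0.701.30540"


def parse_version(ver):
    """Split a dotted version string into a tuple of ints.

    Anything other than digits and dots raises ValueError, so a garbled
    inventory entry cannot silently pass as 'patched'.
    """
    ver = ver.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", ver):
        raise ValueError(f"malformed version string: {ver!r}")
    return tuple(int(part) for part in ver.split("."))


def is_patched(installed, minimum=MIN_FIXED):
    """True if installed >= minimum, compared component by component.

    Shorter tuples are zero-padded so "5.1" reads as "5.1.0.0". Plain
    string comparison would wrongly rank "5.0.99.0" above "5.0.701.30540".
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory):
    """Map hostname -> version string to hosts still needing attention."""
    pending, unreadable = [], []
    for host, ver in inventory.items():
        try:
            if not is_patched(ver):
                pending.append(host)
        except ValueError:
            unreadable.append(host)  # cannot verify; treat as unpatched
    return {"pending": sorted(pending), "unreadable": sorted(unreadable)}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or real data.
    sample = {"ws-01": "5.0.701.30540", "ws-02": "5.0.701.30539",
              "ws-03": "5.1", "ws-04": "5.0.99.0", "ws-05": "n/a"}
    print(triage(sample))
```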

Google was first notified of the problem on Jan. 4 and produced its fix on Feb. 1, a Watchfire spokesman said Wednesday.

In addition to its bug fix, Google has added "another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," Schnitt said. "We have received no reports that this vulnerability was exploited."

Robert McMillan of IDG News Service contributed to this report.