Google patches serious Desktop flaw

Google quickly patched what security researchers identified Wednesday was a potentially serious cross-site scripting flaw in its popular desktop search and widget application that could leave users vulnerable to outside attack.

In a report, researchers at application security software maker Watchfire, based in Waltham, Mass., detailed an existing attack designed to exploit the Google Desktop flaw.

Watchfire said the cross-site scripting threat -- which it described as a parasitic virus -- could allow attackers to steal information from affected PCs and track end users' Web browsing habits.

Cross-site scripting (XSS) threats typically take advantage of security vulnerabilities in legitimate Web pages to inject malicious content into the browsers of people visiting the URLs or to redirect them to fraudulent sites used in phishing attacks.

Like many other XSS threats, the attack currently leveled at Google Desktop uses JavaScript code to deliver its payload.

Watchfire experts said the Google Desktop XSS problem was very dangerous for a number of reasons. Among the more serious characteristics is the malicious program's ability to affect clusters of computers connected by Google Desktop's information sharing capabilities.

This could allow attackers to spread the attack to new machines or simply steal data from multiple PCs linked by the application.

Most enterprises have invested significant amounts of time and money installing security applications to protect against the loss of sensitive data over the last several years, but a Google Desktop attack would circumvent many of those systems, leaving information on corporate desktops running the program open for potential theft.

"This attack is almost undetectable, it won't get picked up by any anti-virus system or firewall, and it can be used in a lot of different ways to harm end users," said the director of security research at Watchfire, Danny Allen.

"It allows someone using the attack to control all the applications on a computer or access the network to which an affected machine is attached, and it is almost impossible to get rid of."

As part of a demonstration of the exploit, Allen showed off how the program could be used to change the version number in the Google Desktop application itself. Doing so could allow attackers to fool users of the desktop search program into believing they have a version of the software that has been fixed for security reasons, when in fact they are still potentially vulnerable.

"Some IT security people have dismissed the impact of [cross-site scripting] attacks to a certain extent, but we wanted to highlight the potential damage that something like this could deliver," Allen said.

Media representatives at Google said that after Watchfire informed the company of the attack, engineers at the search giant created a patch for the issue that was automatically distributed to Google Desktop users. Google said it has also added a new set of security features to the latest iteration of the product to prevent similar attacks in the future. On Feb. 9, Google launched its newest version of the desktop search program, labeled Desktop 3 Beta.

Company representatives said that they have not received any reports of the vulnerability being exploited on end-users' machines.