Watchfire researchers said the new security patch appears to fix the flaw and prevent XSS attacks on users of Google Desktop whose systems have been updated.
Security analysts considering the problem said it highlighted the need for businesses to look carefully at programs such as Google Desktop that straddle the line between personal and professional PC usage.
Although the application may be very useful, and most often gets pulled into the corporate environment by people who use it at home, Google is not a maker of business-grade software and doesn't follow the same security processes as large manufacturers of such products, said John Pescatore, analyst at Gartner.
Unlike Microsoft, Oracle, or Sun Microsystems, Google does not publish regular security bulletins or even offer specific details of issues it has already fixed, Pescatore said.
This reason, along with the data security issues that can be introduced when Google Desktop isn't configured to bar users from inadvertently sharing search information with outsiders, poses serious questions for corporate IT administrators who must decide whether to allow people to use it in the office, according to the analyst.
"The major concern is that while Google isn't an enterprise software vendor, programs it makes, including Google Desktop, are ending up on a lot of enterprise desktops," Pescatore said. "Google doesn't expose how it does patches like Microsoft, so how does an enterprise even know if their users are working with the version that has been fixed?"
As malware writers and phishing scheme operators continue to hone their attacks to steal smaller amounts of valuable data from pools of targeted users, and move further away from the massive worm viruses of years past, the IT world will see more XSS threats.
"There will be more funded cyber-crime attacks aimed at specific companies and groups of users, and the size of the threats is such, by design, that they won't land on the six o'clock news," Pescatore said. "The perpetrators will continue to increase the volume of these types of threats, and cross-site scripting and targeted phishing will likely be among their favorite formats for doing so."
The bug, which was made public Wednesday by Watchfire, has now been fixed. While Google is automatically delivering a patch, Google Desktop users who want to be sure they are running the latest version of the software can download it here. Users should be running version 5.0.701.30540 or later, said Google Spokesman Barry Schnitt.
Google was first notified of the problem on Jan. 4 and produced its fix on Feb. 1, a Watchfire spokesman said Wednesday.
In addition to its bug fix, Google has added, "another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," Schnitt said. "We have received no reports that this vulnerability was exploited.”
Robert McMillan of IDG News Service contributed to this report.