IE flaw lets intruders into Google Desktop

A security researcher in Israel has found a way to steal information from unwitting users of Google's desktop search tool by exploiting an unpatched flaw in Microsoft's ubiquitous Internet Explorer.

There is a bug in the way the Web browser processes CSS rules, Matan Gillon wrote in a description of his hack posted on Wednesday. CSS, or Cascading Style Sheets, is a method for setting common styles across multiple Web pages. The Web design technique is widely used on many sites across the Internet.

The proof-of-concept method is an example of how security flaws in software can offer all kinds of access to programs on vulnerable PCs, including to Google Desktop.

"This design flaw in IE allows an attacker to retrieve private user data or execute operations on the user's behalf on remote domains," Gillon wrote in his description of the attack method. He crafted a Web page that--when viewed in IE on a computer with Google Desktop installed--uses the search tool and returns results for the query "password."

To exploit the flaw, an attacker has to lure a victim to a malicious Web page. "Thousands of Web sites can be exploited, and there isn't a simple solution against this attack, at least until IE is fixed," Gillon wrote.

Microsoft is investigating the issue, which it described in a statement as a problem affecting the cross-domain protections in Internet Explorer. "This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration," Microsoft said in the statement.

Microsoft is not currently aware of malicious code that takes advantage of the flaw, but is monitoring the situation, the company said. A security update or an advisory on the problem may be coming, it said.

Google is also investigating Gillon's findings. "We just learned of this issue and are looking into it," Sonya Boralv, a spokeswoman for the search giant, wrote in an e-mailed statement.

While Gillon in his example uses the IE flaw as a means to get to Google Desktop, this flaw and other software bugs could be used to covertly access virtually any application on a compromised computer.

"It is like any other flaw within IE, but he got creative and used it to launch Google Desktop to retrieve data," security researcher Tom Ferris said. "You can bet we will see this one being used to steal users' Quicken data, database files, etc."

Steve Manzuik, a security product manager at eEye Digital Security, agreed. "This definitely looks like a flaw in IE and not a Google bug. He is using Google Desktop as to retrieve data, but it is IE that makes it possible," he said.

While IE is vulnerable, Gillon found that Firefox and Opera are not. For protection, Internet users could use one of those browsers or disable JavaScript in IE, Gillon suggested.

It has been a busy week on the Microsoft security front. Four examples of attack code were released for flaws in the Windows operating system, and a Trojan horse is finding its way onto PCs through another yet-unpatched flaw in IE.

[BMR777]

A matter of time

It was only a matter of time before someone figured how to do this with Google Desktop Search. That is one of the reasons I never downloaded that program. Having all of your data on your PC and then trusting it to an outsider like Google isn't necessairly a good thing.

BMR777
http://www.rusnakweb.com

[zaznet]

Too Late...

Microsoft already has search capabilities included in your Operating System and plans for better features in Vista. Just because Google Desktop was demonstrated doesn't limit your potential to be exploited by another product.

[jerseyrich]

I'm glad I use Firefox...

I'm glad I use Firefox. It's like wearing a condom when exploring cyberspace. But it's probably just a matter of time until Firefox gets so popular that its own vulnerabilities are exploited.

[yrrahxob]

What else is new?

MS IE has been flawed since day one and will continue to be because the powers that be at Microsoft apparently don't know how to code a good browser. I gave up on IE after getting tired of receiving security update notifications. I do feel comfortable using Firefox.

[n3td3v]

Joris

Read my blog. You know where to find it (probably). You don't have permission to write a story about it or link to my blog in public. Theres a Google incident I published today.

[n3td3v]

Ignore me

I MADE A MISTAKE. THERES NO BUG ANYMORE. IF YOU GOTO MY BLOG AND DONT SEE A NEW BUG FOR GOOGLE FOR DECEMBER 2ND, ITS BECAUSE I JUST PULLED IT MINUTES AFTER POSTING THIS MESSAGE. SORRY FOR ANY UPSET THIS HAS CAUSED GOOGLE. I HAVE SENT AN E-MAIL TO GOOGLE'S SECURITY PEOPLE TO TELL THEM I MADE A MISTAKE.

[n3td3v]

Ignore me

I MADE A MISTAKE. THERES NO BUG ANYMORE. IF YOU GOTO MY BLOG AND DONT SEE A NEW BUG FOR GOOGLE FOR DECEMBER 2ND, ITS BECAUSE I JUST PULLED IT MINUTES AFTER POSTING THIS MESSAGE. SORRY FOR ANY UPSET THIS HAS CAUSED GOOGLE. I HAVE SENT AN E-MAIL TO GOOGLE'S SECURITY PEOPLE TO TELL THEM I MADE A MISTAKE.

[zaznet]

Not a Google Desktop problem...

This isn't something limited to Google Desktop. Anything on the computer could be compromised. They simply launch any executable on the computer, Google Desktop being one of them. Had this been a few years earlier they would have demonstrated using Microsoft Office.

It would be useful

- when these security stories are posted - to know how it affects machines that have properly installed, properly used internet security software.

When I hear about people browsing the web with no specific security software & expecting to "stay safe" - well, they do bring it on themselves, sometimes. Whilst it is preferable, a well written browser is NOT an internet security package.

If there is a flaw, that can still be exploited, despite having correctly instealled & used security software (and browser settings) I want to know. There's only a small number of security software makers - how hard is it, to tell us if a flaw can get past Symantec, Mcafee, Zone-Alarm or Black-Ice software ?

[jerseyrich]

Excellent Point

I agree. To go online with just your browser for "protection" is like wetting your ***** before sex to keep from getting an STD: it ain't gonna work! In fact, your browser is what actually allows attackers access, oftentimes.

I run 3 different programs that protect my machines in one way or another: an anti-virus, anti-spyware, and Windows firewall. I do use my computers over a wireless network, so there is some risk there, but so far I have had no problems.

As far as the anti-virus, I use a different brand on each of my 3 computers (work, laptop, home). It's kind of like a little test to see which brand ever lets me down ;-).