The Future of Search: Reaching for a Piece of Google's Pie
02-26-2007, 02:27 PM
Google Plugs Desktop Hole but Risks Remain
Google patched a security hole in Google Desktop, but security software vendor Watchfire claims that the popular application's mix of Web and private hard drive searches might still be risky. A savvy hacker could surreptitiously achieve "not only remote, persistent access to sensitive data, but full system control as well," warned Watchfire.
A security flaw found late last year in Google (Nasdaq: GOOG) Desktop was quickly patched, but the company that discovered it says the popular application's mix of Web and private hard drive searches might still be risky.
Google Desktop, which uses Google search technology to scan PC hard drives as well as the Web, could be hacked by someone using a cross-site scripting attack, according to a report issued by Watchfire, which discovered the hole last autumn.
A savvy hacker could surreptitiously achieve "not only remote, persistent access to sensitive data, but full system control as well," warned Watchfire.
Given Time to Fix the Flaw
Watchfire found the problem in October 2006 and alerted Google in January, Watchfire Chief Technology Officer Mike Weider told TechNewsWorld.
"They then fixed it in February and now here we are publishing this to the public," said Weider. Watchfire purposely delayed announcing its discovery, and coordinated the announcement to coincide with Google's report of a fix for the problem, because it would be "irresponsible to announce a major hole in Google Desktop" without first allowing Google to create a solution, he added.
However, while Google has plugged the gap through which thieves could steal private information using the increasingly popular hacker method of cross-site scripting, Weider remains concerned that Google Desktop does not offer users a way to prevent simultaneous searching of their own computers and the Web.
Mixing Public With Private
"It does a query to Google Desktop and adds those results to ones from Google.com," he explained. "It's that interaction that creates a vulnerability." Google should give users the option to prevent Desktop from simultaneously searching the Web, Weider suggested, but he understands why it hasn't.
"I think it has functional benefits to the product," said Weider, who acknowledged the feature is "nice" to use. The matter appears to be a "classic compromise" between good security and popular functionality, he noted.
"Watchfire notified us of this potential vulnerability, which requires an attacker to first find and attack a vulnerability in Google.com," Google spokesperson Barry Schnitt told TechNewsWorld. "A fix was developed quickly and users are being automatically updated with the patch. In addition, we have added another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future.
"We have received no reports that this vulnerability was exploited," Schnitt continued. "However, users should make sure they are running the latest version of Google Desktop by going to desktop.google.com and downloading the latest version and installing it."
The Wave of the Future?
The situation "clearly emphasizes the danger of integration between desktop applications and Web-based applications as an aperture for a malicious attacker to escalate his/her privileges by crossing from the Web environment to the desktop application environment," according to Watchfire.
Google Desktop "in and of itself is an interesting proposition" from a security standpoint, Craig Schmugar, threat research manager for McAfee Avert Labs, told TechNewsWorld. "There certainly are security concerns" with Google Desktop "even beyond this particular vulnerability," he added. "Just the notion of data integrity and data loss ... there are certainly additional concerns about what you should be running on your machine and how that application needs to be secured."
Even though using Google Desktop might be somewhat risky, Weider said he likes it. "Google, to its credit, has built a great product and I'm going to continue using it," he declared.
In general, as people and companies embrace Web 2.0's interactivity, more of these types of problems are likely to surface. "We are likely to hear more of this especially around Web 2.0 as end user ability to create content for Web sites opens up this whole world," Schmugar predicted.