Thursday, February 22, 2007

Google Desktop Vulnerability

I must say, the exploits using Web has just become overwhelming, really. Now you've got applications that interact websites, webapps and local desktops, it brings a whole new possibility in exploitation.

I am pretty fond of the conventional 32bit chunky software at least, you can't inject to XSS the bugger!.

Here's an excerpt from Eweek (http://www.eweek.com/article2/0,1895,1744115,00.asp) and please update your Google Desktop at http://desktop.google.com

Web search powerhouse Google has acknowledged—and patched—a security vulnerability in its desktop search utility that opens the doors for man-in-the-middle data leak attacks.

The Google fix was issued after a pair of Rice University graduate students discovered that two different attack scenarios could be used to exploit the Google Desktop vulnerability.

The students, Seth J. Fogarty and Seth Nielson, made the discoveries during a security audit of the search tool. The audit was part of a final project in the students' Computer Systems Security course.

Google, through a spokesman, confirmed the students' findings. "We were made aware of this vulnerability with the Google Desktop Search software and have since fixed the problem so that all current and future users are secure," the spokesman said.

Google is pushing out the fix with the tool's auto-update mechanism.

Fogarty and Nielson worked closely with Google since November to patch the hole before releasing details (PDF file) on the Internet.

No comments: