Google Patches Desktop Security Flaw
Google has patched a security flaw in its Desktop Search product that would have allowed an attacker to search the contents of a user's system.

The flaw was discovered by two Rice University graduate students, who figured out two different attack scenarios that could be used to exploit the vulnerability. The two students were, as part of their final project for their Computer Systems Security class, conducting a security audit of the search tool. You can read their report as a PDF on the Rice university website (they only released their paper after Google fixed the flaw). The flaw was related to the way Google integrates Desktop Search results into regular searches. Apparently, the flaw even allowed attackers to use wi-fi connections to attack the user's computer without even tricking the user into visiting the attacker's website.

I bet they got an A.

Some new details learned about how GDS integrates with Google Search. Apparently, when Google said it didn't access any of your local data, it wasn't kidding. There's no code in Google Search that calls for GDS to see if its there. Instead, GDS intercepts web requests to google.com and runs it through the program instead of the website. Basically, you send a request to Google, GDS intercepts it and sends it out, then, when Google returns the request, GDS intercepts it again and inserts the local results. This works well enough that you can trick Google into returning different local results than web results. There's lots of interesting data about the infrastructure of GDS in the paper.

All versions of GDS 121004 and above are protected against the flaw. Mine hasn't been updated yet. Has yours? Check the GDS "About" page.
(via eWeek, New York Times)

UPDATE: The Google blog comments, and a version history page is now up.
- posted by Nathan Weinberg @ 12/20/2004 04:43:00 PM