Latest InsideMicrosoft Posts: InsideGoogle: Google Patches Desktop Security Flaw .comment-link {margin-left:.6em;}
InsideGoogle
Monday, December 20, 2004
 
Google Patches Desktop Security Flaw
Google has patched a security flaw in its Desktop Search product that would have allowed an attacker to search the contents of a user's system.

The flaw was discovered by two Rice University graduate students, who figured out two different attack scenarios that could be used to exploit the vulnerability. The two students were, as part of their final project for their Computer Systems Security class, conducting a security audit of the search tool. You can read their report as a PDF on the Rice university website (they only released their paper after Google fixed the flaw). The flaw was related to the way Google integrates Desktop Search results into regular searches. Apparently, the flaw even allowed attackers to use wi-fi connections to attack the user's computer without even tricking the user into visiting the attacker's website.

I bet they got an A.

Some new details learned about how GDS integrates with Google Search. Apparently, when Google said it didn't access any of your local data, it wasn't kidding. There's no code in Google Search that calls for GDS to see if its there. Instead, GDS intercepts web requests to google.com and runs it through the program instead of the website. Basically, you send a request to Google, GDS intercepts it and sends it out, then, when Google returns the request, GDS intercepts it again and inserts the local results. This works well enough that you can trick Google into returning different local results than web results. There's lots of interesting data about the infrastructure of GDS in the paper.

All versions of GDS 121004 and above are protected against the flaw. Mine hasn't been updated yet. Has yours? Check the GDS "About" page.
(via eWeek, New York Times)

UPDATE: The Google blog comments, and a version history page is now up.

Comments:
Yeah, mine did. But I hacked it because I didn't want to wait. I believe there to be a registry key that keeps it from hammering their servers so it sets a time to check.
 
Post a Comment

Links to this post:

Create a Link



<< Home

Powered by Blogger

Who Reads InsideGoogle?
Cnet

The Seattle Times

Evan Williams

Most Popular Posts
A Look At Google's Secret Instant Messaging Product: Hello

New Gmail Features Include An Atom Feed

An Interview With Google's Marissa Mayer at Digital Life

Google And Microsoft: Neighbors