Critical vulnerability in Google Desktop fixed

Google has fixed a security vulnerability in its Desktop application Google Desktop, which could be used by an attacker to spy on hard drive data. It was apparently even feasible to gain complete remote control of a computer. Google Desktop combines internet searches on the Google search engine with searches for locally saved files. To do so Google Desktop reads the search term and automatically includes the local search results in the results returned by Google - for the user the results look almost like a normal Google search.

According to Watchfire, the vulnerability is based on a cross-site scripting vulnerability in the evaluation of a parameter in the Desktop Search, with which it is possible to infiltrate JavaScript into the browser. This required, however, prior exploitation of an additional XSS vulnerability in the Google search engine or another application on the google.com domain. This enabled an attacker to send background search requests to Google using XMLHttpRequest, in the results of which Google Desktop included the local results. Further steps then led to access being gained to the data on the hard disk. The document "Overtaking Google Desktop" (PDF), from security specialists Watchfire, not only describes step by step how the bug can be exploited, but also what an attacker might be able to get up to once he had succeeded in placing a malicious JavaScript onto a PC. This even includes launching applications.

According to media reports, Google has built additional checks into the Desktop Search to prevent such attacks in future.

Back in December 2004 it was possible to search a victim's hard drive and view parts of files via a vulnerability in Google desktop.

Reference:

• Overtaking Google Desktop, bug report from Watchfire

(ju)