Google has closed a cross-site scripting vulnerability, through which Google Desktop could give attackers remote control of a victim's computer and its contents - but security experts warn there is more to come.
The flaw is caused by integration between the desktop search product Google Desktop and Google's site, as well as Google Desktop's failure to properly encode output containing malicious characters, said Web application security vendor Watchfire, which reported the vulnerability to Google on 4 January.
"I would definitely say by a large margin this is the most serious flaw we've discovered with Google or maybe any other Web application," said Mike Weider, CTO of Watchfire. The flaw is described in a white paper and demo on Watchfire's site.
To exploit the flaw, an attacker would first need to find a cross-site scripting vulnerability on a Web page within the Google.com domain, said Danny Allan, director of security services at Google. Cross-site scripting flaws are extremely common on the Web these days, and finding one to exploit is a relatively easy task, he said.
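The root cause Watchfire describes is untrusted text (a search term and desktop hits) being written into a Google.com response without HTML encoding. The following is an added illustration, not code from the article, Watchfire's paper or Google Desktop: a minimal results renderer in its vulnerable and its hardened form, with a check that shows which one still carries raw markup. The function names and the sample query and hit titles are constructed for this example.

```javascript
// Added example: output encoding for a search term and desktop hits that are
// reflected into an HTML results page. Names and sample data are constructed.

// Encode the five characters that carry meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form: the query and each hit are pasted straight into the markup,
// so angle brackets in either break out of the text context.
function renderUnsafe(query, hits) {
  const items = hits.map((h) => `<li>${h}</li>`).join('');
  return `<p>Results for <b>${query}</b></p><ul>${items}</ul>`;
}

// Hardened form: every untrusted value is encoded before concatenation.
function renderSafe(query, hits) {
  const items = hits.map((h) => `<li>${escapeHtml(h)}</li>`).join('');
  return `<p>Results for <b>${escapeHtml(query)}</b></p><ul>${items}</ul>`;
}

// Detection helper: does a rendered fragment still contain a raw script tag
// or an inline event-handler attribute?
function containsRawMarkup(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample input: a query carrying a tag, and two desktop hit titles,
// one of which legitimately contains angle brackets.
const sampleQuery = 'budget <script>alert(1)</script>';
const sampleHits = ['Q1 budget.xls', 'notes <draft>.txt'];

// Expected: the unsafe rendering still contains the raw tag, the safe one does not.
function demo() {
  return {
    unsafeLeaks: containsRawMarkup(renderUnsafe(sampleQuery, sampleHits)), // true
    safeLeaks: containsRawMarkup(renderSafe(sampleQuery, sampleHits)),     // false
    safeHtml: renderSafe(sampleQuery, sampleHits),
  };
}
```

Encoding must be applied per output context; the text/attribute encoder above is not sufficient for values placed inside a `<script>` block or a URL.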
"The entire attack takes as long as it takes you to click on a link," he said. "But it is persistent, and right now, antivirus and firewall [products] can't pick up on it."
The vulnerability also would have allowed an attacker to compromise the "Search Across Computers" feature in Google Desktop that allows a user to search for information stored on his computer from any other Internet-connected system via his Google account.
The feature requires information from a personal desktop to be stored on Google's servers and can be compromised to allow attackers unfettered access to the information, Allan said.
Though the specific vulnerability identified by Watchfire has been fixed, the tight integration between Google Desktop and Google.com continues to pose a security problem, he said. For instance, when searching the Web for information via Google.com, desktop search results are also injected into the response by Google Desktop, the Watchfire white paper noted. The feature, while potentially useful, gives attackers a way to break into systems via the Google.com site, the paper noted.
Weider said the connection between Google's site and desktop application could make users vulnerable again when another cross-site scripting method of attack is identified. According to Weider, Google could prevent these vulnerabilities in the future by giving users the ability to disconnect the desktop application from the Google Web site.
"You have offline applications like a search tool that will search your index, and you have online sites like Google.com. What this application does is create a linkage between the two, where you could search on Google.com and get results from your desktop," Weider said.
When asked whether it plans to give users the option of disconnecting the Web site and desktop application, Google did not answer and instead referred to a statement that does not mention the issue.
The threat is mitigated somewhat in current Google Desktop versions because the integration of Google Desktop results into a Web search is optional and can be disabled by the user, the white paper noted.
However, a Desktop link that is associated with the search box on Google.com and that can't be disabled by users can also provide an entry point to a system, the white paper noted. "Since Google Desktop can access highly sensitive information, the possible impact of an external malicious access to Google Desktop's Web interface is far-reaching," the paper said.
In an e-mailed statement, a Google spokesman said that the company had been notified by Watchfire of a "potential vulnerability, which requires an attacker to first find and attack a vulnerability in Google.com. A fix was developed quickly, and users are being automatically updated with the patch. In addition, we have another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," he said.
Watchfire disputes whether the update is as automatic as Google says: "Google claims it happens automatically. It didn't for me and other people at Watchfire when we tried it," Weider said. "It definitely seems as though there are cases where it doesn't automatically update."
Google said it has so far not received any reports of the flaw being exploited.
Reporting by Jon Brodkin, Network World and Jaikumar Vijayan, Computerworld