News

Google Shuts Hole in Desktop Product

A potentially devastating hole in Google Inc.'s prevalent desktop search product could have exposed personal files on users' computers to data thieves.

(Boston) A potentially devastating hole in Google Inc.'s prevalent desktop search product could have exposed personal files on users' computers to data thieves. Google fixed the defect within weeks of being informed about it and says it has no evidence the vulnerability was exploited.

The flaw was uncovered late last year by Watchfire Corp., a security-analysis provider. While the vulnerability exists in roughly 80 percent of Web applications, this problem appeared far more extreme "given the sensitive nature of what Google Desktop is doing," said Danny Allan, a researcher at Waltham, Mass.-based Watchfire.

Google's free desktop product, first released in 2004, has millions of users and remains popular. Internet tracker Hitwise says visits to http://desktop.google.com tripled in January.

The system lets users set Google's indexing and searching capabilities loose on their own computers in addition to the Web. The service offers a fast, easy way to find documents, e-mails, instant-messaging transcripts, archived Web pages and other tidbits socked away on PCs. A Google executive once described it as "the photographic memory of your computer."

The Watchfire researchers discovered, however, that the setup was open to something known as a cross-site scripting attack, which lets an attacker place malicious code on a Google Desktop user's computer. The PC could be infected a number of ways, including an infected e-mail attachment.

From that instant, a hacker would have had free reign to use Google Desktop to search the victim's machine -- or multiple compromised machines at once -- and possibly to take full control of the computer, according to Watchfire. Watchfire's founder and chief technical officer, Mike Weider, said the attack would have gone undetected by firewalls or antivirus software.

Watchfire said it reported the security hole to Google on Jan. 4 and was assured Feb. 1 that the flaw had been fixed. Google spokesman Barry Schnitt said the desktop search software gets automatically updated, so users do not need to take any steps to protect themselves.

While this particular avenue for data theft has been shut down, Watchfire contends that another one could emerge because Google maintains a link between desktop and Web data -- a query on a computer with Google Desktop can show search results from both realms.

"There's a high potential for this to happen again," Weider said.

However, Schnitt responded in an e-mail that Google has "taken many steps to protect our users and mitigate such attacks."

"We've added an additional layer of security checks to prevent the types of attacks pointed out by Watchfire and future possible attacks through this vector as well," he wrote.

No matter whether such a threat re-emerges through Google, Allan expects to see similar vulnerabilities increase overall, "as desktop software and the Internet get more connected." As a result, he said, antivirus vendors should develop techniques for detecting and blocking such attacks.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.