Hello Fellow Computer Users,

Just a tidbit of interest if you use the Google desktop program that
puts their search capability onto your computer.

Security/Saftey issue!

http://www.securityfocus.com/news/11443

Verb

Don't use but read the the info thanks for the considered posting

there copied ...


Security firm Watchfire warned Google Desktop users on Wednesday to
update the program to make certain that they are protected from a
vulnerability that could allow an attacker to use JavaScript to search
for and steal specific data on a user's system.



“ The lines are blurring between offline applications and Web
applications and as that blurring continues to grow, we will only be at
greater risk. ”

Danny Allan, director of security research, Watchfire The attack,
outlined in a paper (PDF) released by the firm, uses a cross-site
scripting (XSS) flaw in the Google Desktop application in conjunction
with any other XSS flaw in the Google.com domain to install malicious
JavaScript on the user's computer. Using the technique, an attacker
could create a JavaScript program that Google Desktop repeatedly runs,
allowing the attacker to search a victim's computer using terms most
likely to dredge up interesting data.

Google released an updated version of Google Desktop that fixes the
local cross-site scripting flaw earlier this month, but many users may
not have gotten the patch, said Danny Allan, director of security
research for Watchfire. Because of the popularity of Google Desktop,
there could be a large number of users with vulnerable systems.

"Undoubtedly, there are millions of people at risk today," Allan said.

A Watchfire researcher, Yair Amit, found indications of the
vulnerability last October. the firm researched the issue in December
and reported it to Google on January 4. The search giant released the
updated Google Desktop client on February 1.

The Google Desktop software has the capability to automatically update
itself with a more recent version, Google spokesman Barry Schnitt said
in an e-mail interview with SecurityFocus. While he did not directly
address the Watchfire's claims that millions of systems may still be
vulnerable, Schnitt did stress that very few users should have to
manually update.

"Almost all users will be automatically updated," Schnitt said.
"However, there are some rare scenarios where users have turned off
auto-update or the software fails to update. Thus, users should just
verify that they have been auto-updated."

Schnitt said users should go the Google Desktop site and make sure they
have the latest version, 5.0.701.30540.

JavaScript paired with one or more cross-site scripting flaws has
increasingly become a significant vector for attacking PC users as they
browse the Web. Researchers have warned that Web worms using JavaScript,
cross-site scripting flaws and technologies such as AJAX will likely
become more prevalent in the future. In 2005, a worm--dubbed
Samy--spread among MySpace users, adding a user named "Samy" to the
victim's friends list. Earlier this year, Adobe acknowledged that its
Acrobat document reader also suffered from a cross-site scripting flaw
that could be triggered by JavaScript.

As applications and Web sites increasingly incorporate online data
services into their architecture--an evolving relationship often
referred to as Web 2.0, securing the interrelated infrastructure becomes
more difficult.

"Cross-site scripting (attacks) have become more popular in the last two
years as more researchers understand their power," Yuval Ben-Itzhak,
chief technology officer of Web security firm Finjan, said in an e-mail
interview with SecurityFocus. "Web 2.0 is a good platform (in which) to
use XSS, but many, many Websites are vulnerable (today) to XSS."

Google Desktop has a number of defenses, including filtering out any
connections that do not originate from the user's computer and using
pseudo-random 512-bit signatures to obfuscate the names of specific
pages and prevent guessing.

To get around these defenses, the attack vector found by Watchfire
requires the use of a cross-site scripting flaw affecting the Google.com
domain. The company used a flaw it had found to demonstrate the issue to
Google, and the search firm subsequently fixed the vulnerability. Using
such a flaw, an attacker can run a Javascript program that garner the
signature assigned to the user's PC. With that signature, the attacker
can create valid URLs and switch the context from Google.com and take
control over Google Desktop.

With the preliminaries over, an attacker can now focus on using a
feature that allows searching in specific directories on the PC--the
under parameter--to execute JavaScript in the context of Google Desktop
and make it persistent, Watchfire said in the report. Using a cross-site
scripting proxy, an attacker can maintain continued bi-directional
communication with the compromised system.

The issues underscore that local programs, such as Google Desktop, that
run on a user's PC but integrate closely with the Web or other servers
on the Internet raise additional security issues, said Watchfire’s
Allan. Developers of sites using such technologies need to be much more
careful, he added.

"It underscores the bigger risks that we are seeing today in the more
complex client-side execution of online applications," Allan said. "The
lines are blurring between offline applications and Web applications and
as that blurring continues to grow, we will only be at greater risk."

Google recommends that Google Desktop users download the latest version,
which contains a patch for the cross-site scripting issue. The latest
version also contains additional defenses against cross-site scripting
attacks, Google's Schnitt said.

"In addition, we have (added) another layer of security checks to the
latest version of Google Desktop to protect users from similar
vulnerabilities in the future," Schnitt said.

However, the search giant did not further describe what additional
defenses have been added to the program.

UPDATED: The article was updated with a disclosure timeline for the
cross-site scripting flaw in Google Desktop and additional comments from
Google stressing that a manual update of the software is likely
unnecessary. In addition, several paragraphs were edited for clarity.

i have it...but i only use it when i need to search for something that i
have no clue where is.

I had it last year for a short time, only a day or two. TSR's tend to
slow my system down so got rid of it. I don't know why I intalled it in
the first place! lol.

I work online a lot so am here more than the usual online person. Lots
of research and such. I decided to get rid of it for the very reasons
it was discovered to have a vulnerability. I wish the new ie did not
have that little box in my tray too. Have been trying to figure out how
to get rid of the search box.

Anyone have a clue on that one? When I am designing I usually turn off
ie and make it inaccessable to outside communication but it is starting
to be a hassle to do that everyday or two. lol.


Verb