Google Desktop Tweaked to Avoid IE Flaw

By Ryan Naraine  |  Posted 2005-12-06 Print this article Print

Google has made an adjustment to its Google Desktop application to protect users from a design flaw in Internet Explorer that remains unpatched.

Google Inc. has made an "adjustment" to its Google Desktop application to protect users from an unpatched design flaw in Microsoft Corp.s Internet Explorer browser.

The bug, which was discovered and reported by Israeli hacker Matan Gillon, provides malicious attackers with an easy way to use Google Desktop or other Internet-facing applications to covertly hijack user information.

"We have made an adjustment to the product to help protect users," said Google spokesperson Sonya Boralv.
She declined to provide details on the extent of the Google Desktop modifications. Boralv said users arent required to take any action to get protected because the changes were made "on our end" to block the remote access attack vector.

According to Gillons public advisory, which included a proof-of-concept exploit, the flaw exists on fully patched IE browsers with default security and privacy settings.

Microsoft has confirmed the existence of the vulnerability and promised a fix would be included in a future IE update.

To exploit the flaw, an attacker simply needs to lure a target to visit a malicious Web page. "Much like classic XSS [cross site scripting] holes, this design flaw in IE allows an attacker to retrieve private user data or execute operations on the users behalf on remote domains," Gillon said.

Click here to read more about another unpatched IE vulnerability.

Gillon described the issue as a design flaw that causes IE to allow a violation of the cross-domain security model. He discovered that IE does not properly parse CSS (cascading style sheet) files and allows the importation of files that are not valid CSS files.

This opens the door for attackers to disclose HTML and script code from the remote site that was improperly imported as a CSS file. For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub. This site may exist in another domain than the site that exploits the issue.

"Thousands of Web sites can be exploited, and there isnt a simple solution against this attack at least until IE is fixed," Gillon said. As a temporary solution, he recommends that IE users disable JavaScript or use a different browser.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel