Google Inc. has made an “adjustment” to its Google Desktop application to protect users from an unpatched design flaw in Microsoft Corp.s Internet Explorer browser.
The bug, which was discovered and reported by Israeli hacker Matan Gillon, provides malicious attackers with an easy way to use Google Desktop or other Internet-facing applications to covertly hijack user information.
“We have made an adjustment to the product to help protect users,” said Google spokesperson Sonya Boralv.
She declined to provide details on the extent of the Google Desktop modifications.
Boralv said users arent required to take any action to get protected because the changes were made “on our end” to block the remote access attack vector.
According to Gillons public advisory, which included a proof-of-concept exploit, the flaw exists on fully patched IE browsers with default security and privacy settings.
Microsoft has confirmed the existence of the vulnerability and promised a fix would be included in a future IE update.
To exploit the flaw, an attacker simply needs to lure a target to visit a malicious Web page.
“Much like classic XSS [cross site scripting] holes, this design flaw in IE allows an attacker to retrieve private user data or execute operations on the users behalf on remote domains,” Gillon said.
Gillon described the issue as a design flaw that causes IE to allow a violation of the cross-domain security model.
He discovered that IE does not properly parse CSS (cascading style sheet) files and allows the importation of files that are not valid CSS files.
This opens the door for attackers to disclose HTML and script code from the remote site that was improperly imported as a CSS file.
This site may exist in another domain than the site that exploits the issue.
“Thousands of Web sites can be exploited, and there isnt a simple solution against this attack at least until IE is fixed,” Gillon said.