Forgot your password?
typodupeerror
Google Businesses Internet Explorer The Internet IT

Google Fixes IE Bug 225

Posted by Zonk
from the quik-fix dept.
aussie_a writes "Without accepting blame Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald. "
This discussion has been archived. No new comments can be posted.

Google Fixes IE Bug

Comments Filter:
  • by teiresias (101481) on Tuesday December 06, 2005 @10:24AM (#14193052)
    Well I'm just glad Google fixed the issue whether it's their fault or not.

    I don't care who's fault it is. Just fix the problem. //not that I use IE but you know still.
    • by bigman2003 (671309) on Tuesday December 06, 2005 @10:44AM (#14193221) Homepage
      I create web apps for a very widely distributed organization. We have dozens of different offices, all using their own type of Internet connection.

      2 of our ISPs (which are actually government agencies) have blocked IE usage completely. They simply can't get on the network using IE.

      This was in response to last week's security issues.

      One of the apps we run uses IE specific (Active X) controls. They are not required but they just make it much easier for the users. Now those have been blocked in two locations- causing me a lot of headaches. Of course, the standard answer would be, "why did you use IE specific code?" It was an option for users...but they began to rely upon it.

      So I for one, wish that Microsoft would either:

      A- fix the security problems
      B- release an 'IE Secure' browser, that is stripped down but secure
      or
      C- Umm...short of fixing the problems I don't have many other needs.

      I really wouldn't mind if they had a totally secure version of their browser. Just stripped down functionality (cookies, javascript, etc) and pull out the other junk. Yes...we used some of the other junk, but at the time it seemed like a good idea.

      By the way, I am now on the market for a good cross-browser in-line WYSIWYG HTML editor. A flash version would be great too.
      • by Anonymous Coward on Tuesday December 06, 2005 @11:02AM (#14193338)
      • Flash is a vector for trouble too.

        You should really consider the second source approach.

        Make sure the web app your company runs on works in at least 2 browsers, on 2 OSes.
        Make sure the server side can run on disparate hardware using disparate OSes.

        Ideally it should run on which install CD you find in the box first.

      • by Chi-RAV (541181) on Tuesday December 06, 2005 @11:22AM (#14193471)
        One of the apps we run uses IE specific (Active X) controls.
        release an 'IE Secure' browser, that is stripped down but secure
        Sure, we'll just take ActiveX out of IE and call it a "secure" version.
      • The problem is that a browser with ActiveX activated can NEVER be secure. An ActiveX control is simply a Windows executable, which can do anything on the user's machine that Windows can do. And since the app you mention relies on ActiveX, Microsoft will never able to solve your problem.
        • by zootm (850416) on Tuesday December 06, 2005 @12:04PM (#14193834)

          Well, to be fair, it is extremely comparable to a Firefox extension or plugin, which have similar rights. I don't think there's really a browser which is safe from this.

          I'm not sure what the particular problem with ActiveX is other than the fact that its security model, particularly in old versions, was just pitifully weak (there just wasn't enough forcing people to check a component before installing it). If there's more specific problems, though, I'd like to hear them (always interested).

      • by Kadin2048 (468275) <[slashdot.kadin] [at] [xoxy.net]> on Tuesday December 06, 2005 @12:49PM (#14194218) Homepage Journal
        I'm sorry, but I can't come up with much sympathy for you or your users, because you used those IE-only, ActiveX controls. It's not as if IE being insecure is exactly news; sure the last few weeks have been particularly bad, but a whole lot of people have been saying this is coming for a while. Years, really.

        Your attitude shows concern for your users, which is good -- it sounds like you put in this feature to make life easier for them, and I think that's great. However the way you implemented it was evidently a bad choice, exchanging ease of use for security, and now your clients have showed where their priorities are: security over ease-of-use.

        Now would probably be a good time to either go back to the drawing board and see how you can reimplement those ease of use features, without tying yourselves down to one browser (particularly one that's developing an ever-growing reputation for being insecure and slowly patched). The alternative seems to be dumping the functionality completely, if you can't figure out a way to do it without IE ActiveX. Just waiting or hoping for Microsoft to release a "Secure IE" (how do you know it's secure?) seems foolish, and just begging to be put in the same position again down the road.

        I admit I don't like Microsoft much, but I would be saying the same thing if you had written a Firefox-only interface and then some massive security hole was found with it.
        • Yes, at this point it seems like it was a really bad idea- but I have gone 4+ years of using the feature successfully. If it takes me a few weeks to replace it, I don't consider it a failure at all. Just something that had run the end of its course. (Not a few weeks of work, but a few weeks until it is implemented...probably 5 or 6 hours of actual work)

          In fact, what I am currently using is HTMLArea 1.x. (And a few editors prior to that) Someone up above had provided a link to the new HTMLArea 2.x, whic
          • HTMLArea is, afaik, no longer under any real development (at least, Interactive Tools no longer develops it, mishoo does bits and pieces on it every now and then I think but not with any viguer last time I looked).

            Xinha [xinha.org] was forked from HTMLArea about a year ago, and is under active development by a small group of developers. You'll find it much more stable and usable than HTMLArea, as well as having a large number of plugins that HTMLArea lacks.
      • 2 of our ISPs (which are actually government agencies) have blocked IE usage completely. They simply can't get on the network using IE.

        This is news. Is there a public media outlet where we could learn about these agencies' decisions? (don't want to get you in trouble...)
    • From an end user standpoint, it's good they fixed it even though it definatly wasn't their fault in the least bit.

      However by fixing it, it would seem to the average Joe an admittance that it was a bug in their software. This isn't the case in the least bit. I remember the old slashdot story and the trolls were out that day. Google desktop was given as an example of one of the dozens, if not thousands of various web based programs affected by this IE bug. Make no mistakes about it, this was an IE bug.

      T
      • I don't think it's a HUGE deal if it IS a bug in their software. Name a single company - MS, Apple, Oracle - any one - that has released bug free code to the customer.

        The thing that needs to really be studied is the openness with which a vendor accpets that there is a flaw, and how quickly they solve said flaw.

        Here, Google, whether partially, fully, or not at all at fault, has with expedience solved an issue that had the potential to affect their customers. Code is rarely free from bugs. An active de
        • It might not be a HUGE deal to techies, but it's a HUGE perception deal to a lot of other folks. If the company begins to be seen has having bugs and security flaws, then the general public may begin to perceive the company as offering buggy products. Although that hasn't stopped people from using IE (but that's another story).
      • This really goes to show really how much of an ethical company google really is.

        I've been as much a Google fanboy as anyone--Gmail, Google search on my Web sites and built in to my Web browser, AdSense, Blogger. Except that Blogger, owned by Google, has deleted my account [slashdot.org] with no discussion and no appeal.

        I think the "not evil" ethical standards may be slipping just a bit.

  • by byolinux (535260) * on Tuesday December 06, 2005 @10:24AM (#14193055) Journal
    As more and more desktop apps serve as an interface to a website, it'll become a lot easier to fix and deploy new functionality. This is a good thing.
  • by connah0047 (850585) on Tuesday December 06, 2005 @10:25AM (#14193064)
    The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.

    I question Mr. MacDonald's credibility. If this is the same gentleman I'm thinking of, he's an older man who has a farm...or at least had one.
  • Misleading title (Score:4, Informative)

    by HishamMuhammad (553916) on Tuesday December 06, 2005 @10:25AM (#14193065) Homepage Journal
    The title sounds as if Google had fixed a bug in Internet Explorer's code. Shouldn't it be "Google fixes Google Desktop bug"?

    Granted, it does make it sound less like news... but I suppose it's because it isn't, really. You don't see stories like "Adobe fixes Photoshop bug", "KDE team fixes Konqueror bug", etc... since of course that's just part of the daily life in development.
    • Responsibilty. (Score:5, Insightful)

      by headkase (533448) on Tuesday December 06, 2005 @10:40AM (#14193180)
      ...Shouldn't it be "Google fixes Google Desktop bug"?...

      Nope. Object-orientated programming. If the api documentation says that something should operate in a certain way and it does not then by fixing the problem on your side of things it weakens encapsulation of the function and makes it easier for future bugs to accumulate as the totality of code slowly turns to spaghetti.
    • Re:Misleading title (Score:5, Informative)

      by skyhawker (234308) on Tuesday December 06, 2005 @10:46AM (#14193234) Homepage
      The title sounds as if Google had fixed a bug in Internet Explorer's code. Shouldn't it be "Google fixes Google Desktop bug"?

      Not really. The flaw is in IE and Google's use of CSS exposed it to their users. They were able to change their use of CSS to work around the exploit, but the exploit still remains in IE. Even Microsoft admits that.
      • Not really. The flaw is in IE and Google's use of CSS exposed it to their users. They were able to change their use of CSS to work around the exploit, but the exploit still remains in IE. Even Microsoft admits that.

        I see. In that case, that's working around the bug, not fixing it. If I said "yesterday I was coding when I stumbled in a Glibc bug -- it took me a while but I fixed it" you'd probably infer that I actually went into Glibc's code and corrected the problem. I understand now how calling it a "Googl
        • I was responding to your notion that Google fixed a "Google Desktop bug," which you agree is also wrong. A more accurate title might be, "Google works around IE Bug." You inferred a more than I implied.
    • Re:Misleading title (Score:3, Informative)

      by masklinn (823351)
      Shouldn't it be "Google fixes Google Desktop bug"?

      No, because it was not a bug in Google Desktop but a bug in IE that allowed the abuse of the Google Desktop software (and others, BTW).

      Google changed part of their server software to remove the ability to use GDesktop the way it was used, but the flaw in MSIE is still there...

  • by argent (18001) <peterNO@SPAMslashdot.2006.taronga.com> on Tuesday December 06, 2005 @10:25AM (#14193066) Homepage Journal
    Well, I guess.. like "why would you go with Microsoft who sit on a vulnerability for months, instead of someone who actually fixes security holes?"
  • by sgent (874402) on Tuesday December 06, 2005 @10:26AM (#14193076)
    Its my understanding that this flaw has nothing to do with Google Desktop per se -- but rather was just discovered on Google. Although I'm glad they shut down the flaw where Google is concerned, it seems that it still exists for other programs -- since the security breach itself is not specific to Google.
    • This is important to understand. This wasn't a google desktop bug. They just created a workaround to mitigate IE's bug MS won't fix. And because this is still an IE bug, MANY other programs are still affected.
  • by thechao (466986)
    "Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to," he said.

    That's when I realized this was an article by 'The Onion'.
  • by kclittle (625128) on Tuesday December 06, 2005 @10:31AM (#14193114)
    If I RTFA correctly, they just avoided using it. The vulnerability (in IE, which only MS can patch) is still there...

  • Ok everyone.... (Score:5, Informative)

    by brunes69 (86786) <`slashdot' `at' `keirstead.org'> on Tuesday December 06, 2005 @10:32AM (#14193120) Homepage
    This article summary, and also most comments posted so far, are total misinformed garbage.

    First of all, Google did not fix an IE bug. All they did is make their own software a bit more tight in security, so that *they* are not suceptible to the IE bug. It does not *fix* it.

    Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.

    But *ANY* app that embeds IE is (and remains) vulnerable, including many other pieces of software. For example, for all you poker players, if you have an account a UltimateBet [ultimatebet.com], you *are* vulnerable to ths bug, and in theory someone could use it to steal your account information, which is very dangerous, since they may be able th initate withdraws from your account as well.

    This is just the tip of the iceburgm there are literally hundreds of apps that embed the IE engine for rendering. All are at risk.

    • Re:Ok everyone.... (Score:3, Insightful)

      by meringuoid (568297)
      Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.

      Google, of all organisations, should know better than to trust IE for anything.

      Would it be so hard for them to include a safer rendering engine? Gecko's good. KHTML's good. Both are free. Couldn't they have used those instead? Then if there were any bugs discovered, Google (having the source code) could fix 'em, rather than having to implement

      • Re:Ok everyone.... (Score:3, Insightful)

        by rbarreira (836272)
        They probably did it for compactness, since IE is already included in windows...
      • Re:Ok everyone.... (Score:3, Informative)

        by masklinn (823351)

        Google, of all organisations, should know better than to trust IE for anything.

        Would it be so hard for them to include a safer rendering engine? Gecko's good. KHTML's good. Both are free. Couldn't they have used those instead? Then if there were any bugs discovered, Google (having the source code) could fix 'em, rather than having to implement some workaround because Microsoft won't.

        Embedding the MSHTML engine in a Win32 application (or using a framework that wraps the controls) takes a few seconds and

      • "Would it be so hard for them to include a safer rendering engine?"

        Google Desktop does not embed or include any browser or rendering engine, it is a local http-server that can be accessed using any browser, and it launches your default browser.

        p.

  • As long as we are fixing things, why not just go all the way? Oh well, I guess we all can dream.

    I will be surfing over to http://labs.google.com/ [google.com] just in case.
  • by erroneus (253617) on Tuesday December 06, 2005 @10:37AM (#14193156) Homepage
    If I recall previous discussions correctly, the flaw was in MSIE. If that's the case, what's to prevent an attacker from exploiting the flaw with his own code?
  • by Billosaur (927319) * <wgrother@@@optonline...net> on Tuesday December 06, 2005 @10:39AM (#14193170) Journal

    From CIO Today: The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.

    "Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to," he said.

    Standards? What standards would those be? Last I checked, most software manufacturers are sending out buggy copies of their code hoping you won't notice, patching it up continuously, then going ahead and doing it repeatedly. And let's not forget that Microsoft is the king of them all!

    And exactly how are we to hold them to these "standards"? So many people use Microsoft routinely that they have the lion's share of the market, and their competitors are left with the spoils. And while you may not like MS, many of their programs work just well enough that you believe you've got a decent, everday product. Of course they break down, and people scream and rant, but in the end what do they do? Do they immediately switch to something else? No! They patch up their flawed software and keep the status quo.

    It's a classic case of addiction, a lot like gambling but in reverse. You use the software every day and most days it works. The one time it doesn't, you fret, but because you restart it or patch it and it works, you go right back to it, rather than exploring alternatives. And Microsoft counts on this. That's why they dominate - they have everybody "addicted" to their software.

    • Last I checked, most software manufacturers are sending out buggy copies of their code hoping you won't notice, patching it up continuously, then going ahead and doing it repeatedly

      Of course, some of them dodge the issue by labelling everything "BETA".
    • "The one time it doesn't, you fret, but because you restart it or patch it and it works, you go right back to it, rather than exploring alternatives."

      That's not like addiction. That's like every other human experience involving things that break, which would be, basically, everything.
  • by Suidae (162977)
    In other news, a large company covers its ass.

    This is news, but it's not particularly unusual. When you are vulnerable to an attack, you take steps to remove the vulnerability using resources under your control.

    Nothing to see here folks, move along.
  • by Gruneun (261463) on Tuesday December 06, 2005 @10:51AM (#14193267)
    Dick drives Jane's car.
    Jane's car has a faulty parking brake.
    Dick parks, engages the brake, but the car rolls away.
    Dick stops parking on hills.

    Important Points
    Jane did not fix the parking brake
    Dick did not fix the parking brake, but he no longer uses it.
    Other drivers may or may not be aware of the broken parking brake.
    The potential is still there for the car to roll away.
  • Irony (Score:2, Interesting)

    by jeffvoigt (866600)
    Microsoft is kicking themselves for this one. They are finally given a juicy exploit that they could use to knock Google down a notch or two, but the exploit occurs because of IE's code. Microsoft's entire PR department is going, "Arrgh!" If the fault had lain anywhere else, Google would have had Microsoft-funded bad press everywhere. (And I think Slashdot would have toned down the Google love.)

    Don't get me wrong. Google issued a quick (and relatively quiet) fix to cover their butts and should be gi
  • Given the fact that most microsoft employees are now working for google, it's no wonder they patched it ;)

    I wouldn't be surprised if google has a "Let's Patch our former employer tuesday!" party each week.
  • Misleading Title (Score:4, Insightful)

    by mkraft (200694) on Tuesday December 06, 2005 @11:49AM (#14193691)
    Google didn't fix the IE bug. The IE bug still exists. Only Microsoft can fix the IE bug. What Google did was put in a work around so that exploiting the IE bug won't cause a security risk in Google Desktop.

    The IE bug can still affect other software.
  • The article notes that Google fixed it because they didn't have to update any client code (implying that if an update would be required, they wouldn't have done it). Ignoring the fact that that's not necessarily a good reason, my question is how is this possible at all? The article mentions that they simply "tightend" some setting on the main Google site. This is surprising. Google Desktop is an offline application -- you can use it when you are not on the Internet. Of course, the main way that the bug wi
  • by matangillon (936587) on Tuesday December 06, 2005 @12:24PM (#14194006) Homepage
    I'd like to clear up some of the confusion the mainstream media has caused.

    The bug I found is in Microsoft Internet Explorer and not in Google Desktop. This bug remains in the browser and it is in no way fixed. This bug by itself is a pretty serious one and allows for exploitation of many sites that are not Google related.

    My proof of concept code exploited Google Desktop to retrieve private information from a local machine. In order to do that I used the IE bug twice. First I used it on one of Google's sites in order to get a valid key so I can access the local web server that is Google Desktop's interface. The second time was to execute a query on the GDS server and retrieve the results.

    Google basically found a quick hack that nullifies the first portion of the exploit, getting the valid key. They added the following piece of HTML code to their sites, right before the "Desktop" link is revealed: "<!--"/*"/*-->". This makes the IE CSS parser think the rest of the page is a comment so the link won't be visible while trying to read the CSS text.

    The bug in IE remains at large. And GDS itself is still exploitable. If somebody found an XSS hole in one of Google's sites, he would be able to retrive the GDS key and then use the second portion of the exploit to retrieve local results.

    As I said in my original article, this is a serious bug and there's no simple solution for it, at least until IE is fixed.

    Matan
  • by Omnifarious (11933) * <eric-slash@omERD ... g minus math_god> on Tuesday December 06, 2005 @01:51PM (#14194802) Homepage Journal

    This article appears to be quite confused. In some way, it appears to point at google and claim somehow that the vulnerability was google's fault. Phrases like "Google Fixes Desktop Search Loophole" and "Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to" strongly imply this. In other parts the article is very explicit that the problem is an IE vulnerability that Microsoft hasn't patched.

    So, which is it? Is google doing Microsoft a favor by avoiding the use of a feature that Microsoft flubbed? Or did google do something wrong in the first place? And precisely what standards are other makers of desktop software held to? The industry seems to almost gleefully accept an endless parade of the most egregious bugs from these vendors (Microsoft in particular). So, it seems that it would be meaningless to hold google to the same standard unless the complaint is that they have too few bugs.

    Note that I have never worked for google or Microsoft.

    Another annoyance is this sentence: "Does the researcher think he has really contributed to the security of Internet users worldwide by going public with details of the problem when no fix is available?" In the absence of any other data, that question can't be answered. If a vulnerability goes for longer than a month without the vendor fixing it, then I think a responsible security researcher has a duty to disclose the vulnerability so that people can protect themselves from it.

    There is a fine balance to be struck. And as a rule, it is always a courtesy for a security research to disclose a vulnerability first to a vendor, and secondly to the net at large. It is never a requirement. If a vendor abuses the courtesy by not bothering to fix the bug, the researcher has every right (and indeed, a duty) to present the information to the public. You can be sure that people who are much more shadowy than the security researcher looking for a bit of acclaim have a good chance of already knowing about the bug, and are quietly exploiting it for themselves.

    All in all, I find your article to be both too simplistic in its treatment of various issues, and confused and muddled about exactly where responsibility lies for various problems. You should be able to do better. You call yourselves 'CIO Today', and the average IT worker's biggest complaint about their bosses is how ill-informed their bosses are about technology while being absolutely certain that they know better than their employees. Perhaps this article points to the reason why.

    Note that I have never worked for either Microsoft or google.

  • More Google whining from the submitter. You know what? All you Google nay sayers can go fuck yourselves.

I'd rather just believe that it's done by little elves running around.

Working...