Google Fixes IE Bug
aussie_a writes "Without accepting blame, Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald."
Misleading title (Score:4, Informative)
Granted, it does make it sound less like news... but I suppose it's because it isn't, really. You don't see stories like "Adobe fixes Photoshop bug", "KDE team fixes Konqueror bug", etc... since of course that's just part of the daily life in development.
Re:The bug was Google's... (Score:4, Informative)
I don't think Google 'patched' the vulnerability (Score:3, Informative)
Ok everyone.... (Score:5, Informative)
First of all, Google did not fix an IE bug. All they did was make their own software a bit more tight in security, so that *they* are not susceptible to the IE bug. It does not *fix* it.
Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.
But *ANY* app that embeds IE is (and remains) vulnerable, including many other pieces of software. For example, for all you poker players, if you have an account at UltimateBet [ultimatebet.com], you *are* vulnerable to this bug, and in theory someone could use it to steal your account information, which is very dangerous, since they may be able to initiate withdrawals from your account as well.
This is just the tip of the iceberg; there are literally hundreds of apps that embed the IE engine for rendering. All are at risk.
Re:The bug was Google's... (Score:5, Informative)
Re:The bug was Google's... (Score:3, Informative)
Re:Misleading title (Score:5, Informative)
Not really. The flaw is in IE and Google's use of CSS exposed it to their users. They were able to change their use of CSS to work around the exploit, but the exploit still remains in IE. Even Microsoft admits that.
Re:Ok everyone.... (Score:1, Informative)
It does not embed any html renderer - it doesn't render html at all. It is an application that uses html and javascript to present a GUI, and then the browser does the rendering just like it does for any other page. Google Desktop is just another website to the browser.
Get rid of embedded IE (Score:3, Informative)
Re:Thanks for Fixing the Problem (Score:5, Informative)
http://dynarch.com/projects/htmlarea/ [dynarch.com]
http://fckeditor.net/ [fckeditor.net]
http://bnl.gov/itd/htmleditor/ [bnl.gov]
Re:Misleading title (Score:3, Informative)
No, because it was not a bug in Google Desktop but a bug in IE that allowed the abuse of the Google Desktop software (and others, BTW).
Google changed part of their server software to remove the ability to use GDesktop the way it was used, but the flaw in MSIE is still there...
Re:Ok everyone.... (Score:3, Informative)
You're 1/2 right (Score:4, Informative)
But parts of the Sidebar component are rendered using an IE rendering engine. It is simple to verify if you check the references in the EXE and DLLs.
Re:Thanks for Fixing the Problem (Score:3, Informative)
Re:Ok everyone.... (Score:3, Informative)
Re:Thanks for Fixing the Problem (Score:4, Informative)
Well, to be fair, it is extremely comparable to a Firefox extension or plugin, which have similar rights. I don't think there's really a browser which is safe from this.
I'm not sure what the particular problem with ActiveX is other than the fact that its security model, particularly in old versions, was just pitifully weak (there just wasn't enough forcing people to check a component before installing it). If there's more specific problems, though, I'd like to hear them (always interested).
Re:Excuse me, but It's really Google's Fault (Score:3, Informative)
What would you do if your program used libfoo, and libfoo turns out to have a security vulnerability in one of the functions you use? You either update to a new version of libfoo, or you try to restructure your code to avoid using the problematic function.
In this case, it would seem that Google made use of IE as it was supposed to (by API specification), but IE was not as secure as it should have been, so Google decided to do it a different way. I do not see how the fault lies with Google, nor why they deserve particular praise. They found out that one of their underlying programs had a security vulnerability with no known fix, so they used a workaround to secure their application.
Microsoft on the other hand just gets a "stupid!" from me for allowing something so easily fixed to blow up in their faces like this. Way too much bad press for such a little thing.
Clearing up some of the confusion (Score:5, Informative)
The bug I found is in Microsoft Internet Explorer and not in Google Desktop. This bug remains in the browser and it is in no way fixed. This bug by itself is a pretty serious one and allows for exploitation of many sites that are not Google related.
My proof of concept code exploited Google Desktop to retrieve private information from a local machine. In order to do that I used the IE bug twice. First I used it on one of Google's sites in order to get a valid key so I can access the local web server that is Google Desktop's interface. The second time was to execute a query on the GDS server and retrieve the results.
Google basically found a quick hack that nullifies the first portion of the exploit, getting the valid key. They added the following piece of HTML code to their sites, right before the "Desktop" link is revealed: "<!--"/*"/*-->". This makes the IE CSS parser think the rest of the page is a comment so the link won't be visible while trying to read the CSS text.
The bug in IE remains at large. And GDS itself is still exploitable. If somebody found an XSS hole in one of Google's sites, he would be able to retrieve the GDS key and then use the second portion of the exploit to retrieve local results.
As I said in my original article, this is a serious bug and there's no simple solution for it, at least until IE is fixed.
Matan
Re:How did they fix it w/out updating Google Deskt (Score:3, Informative)
No, *you* RTFA (Score:3, Informative)
All the stuff you are describing is just details around how to use this exploit to get information from Google Desktop. But you can easily do the same thing to exploit any service who uses an embedded IE component to render data from a server, be it internal or external.
Take my Ultimate Bet example for instance. All you would need to do is have a webpage with the rogue code in it visited by the user at the same time they are logged into Ultimate Bet. You can then use the exploit to load up the user's account page (which will load fine, since they are already logged in), and get whatever the hell data you want, including withdrawing money from their account.
It's a very dangerous scenario. Someone could write a whole bunch of rogue scripts that looked for various exploitable applications to steal data, that all execute from one page. If the user happened to be running the app at that time they would be instantly screwed by visiting that page. The only reason Google Desktop is a particularly interesting target is that it is *always* running. But that is not a prerequisite for the exploit.