
Google Fixes IE Bug

aussie_a writes "Without accepting blame, Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald."
This discussion has been archived. No new comments can be posted.

  • by teiresias ( 101481 ) on Tuesday December 06, 2005 @10:24AM (#14193052)
    Well I'm just glad Google fixed the issue whether it's their fault or not.

    I don't care whose fault it is. Just fix the problem. //not that I use IE but you know still.
  • by byolinux ( 535260 ) * on Tuesday December 06, 2005 @10:24AM (#14193055) Journal
    As more and more desktop apps serve as an interface to a website, it'll become a lot easier to fix and deploy new functionality. This is a good thing.
  • by argent ( 18001 ) <peter@slashdot . ... t a r o nga.com> on Tuesday December 06, 2005 @10:25AM (#14193066) Homepage Journal
    Well, I guess.. like "why would you go with Microsoft who sit on a vulnerability for months, instead of someone who actually fixes security holes?"
  • Yay! (Score:1, Insightful)

    by Donniedarkness ( 895066 ) <Donniedarkness@g ... BSDcom minus bsd> on Tuesday December 06, 2005 @10:27AM (#14193080) Homepage
    Props to Google for taking responsibility and fixing this so quickly. They could have spent a few weeks blaming Microsoft (their competition), as I thought they would, but they didn't.
  • by Anonymous Coward on Tuesday December 06, 2005 @10:28AM (#14193092)
    wth does that mean?

    The root problem is in IE. They made a work-around for their software. Why should they accept blame?
  • by Big Nothing ( 229456 ) <tord.stromdal@gmail.com> on Tuesday December 06, 2005 @10:31AM (#14193112)
    "The bug was Google's... ...so why is it headlined "IE Bug"? It's not a bug in IE..."

    Actually, the bug IS originally in the IE code. But Google's Desktop implementation of that code failed to address the security hole. In other words: Microsoft created the security hole and Google Desktop made it dangerous. Who's to blame? MS? Google? Both? None? You decide.

  • by FunkyELF ( 609131 ) on Tuesday December 06, 2005 @10:37AM (#14193155)
    The bug was an IE bug. Let's say there is a windows exploit out there and it has the potential to let people run arbitrary code on the victim's computer. If that code accesses e-mail files stored on the computer that have usernames / passwords / credit card information....it is not the fault of Thunderbird, Eudora, Netscape, or whatever e-mail client is running there. That isn't how they got in, they got in through the windows exploit. I'm sure google didn't fix the IE bug, they prevented people using that exploit from getting personal information from Google Desktop Search. The IE bug is still there. This will just put less pressure on Microsoft to fix their POS browser.
  • by Billosaur ( 927319 ) * <<wgrother> <at> <optonline.net>> on Tuesday December 06, 2005 @10:39AM (#14193170) Journal

    From CIO Today: The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.

    "Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to," he said.

    Standards? What standards would those be? Last I checked, most software manufacturers are sending out buggy copies of their code hoping you won't notice, patching it up continuously, then going ahead and doing it repeatedly. And let's not forget that Microsoft is the king of them all!

    And exactly how are we to hold them to these "standards"? So many people use Microsoft routinely that they have the lion's share of the market, and their competitors are left with the spoils. And while you may not like MS, many of their programs work just well enough that you believe you've got a decent, everyday product. Of course they break down, and people scream and rant, but in the end what do they do? Do they immediately switch to something else? No! They patch up their flawed software and keep the status quo.

    It's a classic case of addiction, a lot like gambling but in reverse. You use the software every day and most days it works. The one time it doesn't, you fret, but because you restart it or patch it and it works, you go right back to it, rather than exploring alternatives. And Microsoft counts on this. That's why they dominate - they have everybody "addicted" to their software.

  • Responsibility. (Score:5, Insightful)

    by headkase ( 533448 ) on Tuesday December 06, 2005 @10:40AM (#14193180)
    ...Shouldn't it be "Google fixes Google Desktop bug"?...

    Nope. Object-orientated programming. If the api documentation says that something should operate in a certain way and it does not then by fixing the problem on your side of things it weakens encapsulation of the function and makes it easier for future bugs to accumulate as the totality of code slowly turns to spaghetti.
  • by mAineAc ( 580334 ) <mAineAc_____&hotmail,com> on Tuesday December 06, 2005 @10:43AM (#14193206) Homepage
    This was not Google's bug. It was a flaw in IE that created the issue. All google did was make a change that would prevent the IE flaw from being accessible. IE should fix their XML flaw no matter what Google does to work around their sloppy programming.
  • Re:Ok everyone.... (Score:3, Insightful)

    by meringuoid ( 568297 ) on Tuesday December 06, 2005 @10:43AM (#14193209)
    Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.

    Google, of all organisations, should know better than to trust IE for anything.

    Would it be so hard for them to include a safer rendering engine? Gecko's good. KHTML's good. Both are free. Couldn't they have used those instead? Then if there were any bugs discovered, Google (having the source code) could fix 'em, rather than having to implement some workaround because Microsoft won't.

  • Re:Ok everyone.... (Score:3, Insightful)

    by rbarreira ( 836272 ) on Tuesday December 06, 2005 @10:45AM (#14193231) Homepage
    They probably did it for compactness, since IE is already included in windows...
  • Whats the deal? (Score:1, Insightful)

    by lightweave ( 522226 ) on Tuesday December 06, 2005 @10:48AM (#14193251)
    Every software has some bugs.
    These bugs should be fixed according to their priority.
    Google provides some software.
    Google should fix its bugs according to their priority.


    I'm not sure what this article wants to tell us? That even Google can create bugs? Is this a surprise? Is Google special that this is actually worth to mention?
    Why would a bug created by Google be any better or worse than a bug by any other software vendor? Of course the bugs should be fixed and apparently Google did it. So this article tells us that a security flaw has been fixed for some special case, because apparently it can't fix it permanently unless it took over maintenance for IE.
    Why this MacDonald guy needs a special plan for Google is beyond me though. Maybe somebody could enlighten me there.
  • by Gruneun ( 261463 ) on Tuesday December 06, 2005 @10:51AM (#14193267)
    Dick drives Jane's car.
    Jane's car has a faulty parking brake.
    Dick parks, engages the brake, but the car rolls away.
    Dick stops parking on hills.

    Important Points
    Jane did not fix the parking brake
    Dick did not fix the parking brake, but he no longer uses it.
    Other drivers may or may not be aware of the broken parking brake.
    The potential is still there for the car to roll away.
  • by 514CK3R ( 875865 ) <root@boredd[ ]lopers.com ['eve' in gap]> on Tuesday December 06, 2005 @10:52AM (#14193273)
    And Microsoft counts on this. That's why they dominate - they have everybody "addicted" to their software.
    Addiction? Not nearly as much as it's a sunken cost. Consumers (Your parents, non-techie siblings, the guy that lives next door) aren't given many options when they buy an off-the-shelf PC, and when Options are out there, they're not nearly as exposed as anyone would like. Combine this with the fact that almost everyone wants a specific file format that they've sunken their teeth into (think resume + MS Word, most places won't take ANY other format), and it's not addiction, the user frustration is out there in spades. It's how our marketplace works. It's all about mass marketing and availability. Ever go to the grocery store? Next time you do, go to the soup aisle. Chances are almost 100% that Campbells will have their soup at adult eye-level, and kids-friendly soups on the lower shelves. To get anything but Campbells, you have to look between those shelves, and higher up. Out of sight, out of mind. Microsoft also relies on this. Go to Dell or Gateway or any other "OEM" consumer product store and find a PC that ships with linux. Not a server, a desktop PC on the front page that has linux as its primary OS. Didn't find one? That's not addiction, it's market placement. $0.02
  • by HishamMuhammad ( 553916 ) on Tuesday December 06, 2005 @11:05AM (#14193353) Homepage Journal
    Not really. The flaw is in IE and Google's use of CSS exposed it to their users. They were able to change their use of CSS to work around the exploit, but the exploit still remains in IE. Even Microsoft admits that.

    I see. In that case, that's working around the bug, not fixing it. If I said "yesterday I was coding when I stumbled in a Glibc bug -- it took me a while but I fixed it" you'd probably infer that I actually went into Glibc's code and corrected the problem. I understand now how calling it a "Google Desktop bug" is not right either, but I still think "fixes IE bug" is misleading. Or I might be just too nit-picky. :)

  • Re:Responsibility. (Score:3, Insightful)

    by HishamMuhammad ( 553916 ) on Tuesday December 06, 2005 @11:08AM (#14193372) Homepage Journal
    My gripe wasn't so much with the "IE" part but with the "fixes" part. Working around broken APIs and fixing broken APIs are two different things...
  • by aussie_a ( 778472 ) on Tuesday December 06, 2005 @11:17AM (#14193441) Journal
    You do realise no matter how much testing a company does, there will be bugs in their software and vulnerabilities?
  • I don't think it's a HUGE deal if it IS a bug in their software. Name a single company - MS, Apple, Oracle - any one - that has released bug free code to the customer.

    The thing that needs to really be studied is the openness with which a vendor accepts that there is a flaw, and how quickly they solve said flaw.

    Here, Google, whether partially, fully, or not at all at fault, has with expedience solved an issue that had the potential to affect their customers. Code is rarely free from bugs. An active developer base that is willing to drop all to solve a potentially dangerous bug is one I want writing my software.
  • Misleading Title (Score:4, Insightful)

    by mkraft ( 200694 ) on Tuesday December 06, 2005 @11:49AM (#14193691)
    Google didn't fix the IE bug. The IE bug still exists. Only Microsoft can fix the IE bug. What Google did was put in a work around so that exploiting the IE bug won't cause a security risk in Google Desktop.

    The IE bug can still affect other software.
  • by Omnifarious ( 11933 ) * <eric-slash@omnif ... g minus language> on Tuesday December 06, 2005 @01:51PM (#14194802) Homepage Journal

    This article appears to be quite confused. In some way, it appears to point at google and claim somehow that the vulnerability was google's fault. Phrases like "Google Fixes Desktop Search Loophole" and "Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to" strongly imply this. In other parts the article is very explicit that the problem is an IE vulnerability that Microsoft hasn't patched.

    So, which is it? Is google doing Microsoft a favor by avoiding the use of a feature that Microsoft flubbed? Or did google do something wrong in the first place? And precisely what standards are other makers of desktop software held to? The industry seems to almost gleefully accept an endless parade of the most egregious bugs from these vendors (Microsoft in particular). So, it seems that it would be meaningless to hold google to the same standard unless the complaint is that they have too few bugs.

    Note that I have never worked for google or Microsoft.

    Another annoyance is this sentence: "Does the researcher think he has really contributed to the security of Internet users worldwide by going public with details of the problem when no fix is available?" In the absence of any other data, that question can't be answered. If a vulnerability goes for longer than a month without the vendor fixing it, then I think a responsible security researcher has a duty to disclose the vulnerability so that people can protect themselves from it.

    There is a fine balance to be struck. And as a rule, it is always a courtesy for a security researcher to disclose a vulnerability first to a vendor, and secondly to the net at large. It is never a requirement. If a vendor abuses the courtesy by not bothering to fix the bug, the researcher has every right (and indeed, a duty) to present the information to the public. You can be sure that people who are much more shadowy than the security researcher looking for a bit of acclaim have a good chance of already knowing about the bug, and are quietly exploiting it for themselves.

    All in all, I find your article to be both too simplistic in its treatment of various issues, and confused and muddled about exactly where responsibility lies for various problems. You should be able to do better. You call yourselves 'CIO Today', and the average IT worker's biggest complaint about their bosses is how ill-informed their bosses are about technology while being absolutely certain that they know better than their employees. Perhaps this article points to the reason why.

    Note that I have never worked for either Microsoft or google.

  • Re:Suggested title (Score:3, Insightful)

    by tomhudson ( 43916 ) <barbara,hudson&barbara-hudson,com> on Tuesday December 06, 2005 @02:17PM (#14195082) Journal
    And while they're at it they could change this:
    The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald. "
    ... to this ...
    The incident does raise important questions about Microsoft as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald. "
    Truth in reporting and all that fine stuff.
  • by NaDrew ( 561847 ) <nadrew@gmail.com> on Tuesday December 06, 2005 @04:04PM (#14196250) Journal
    This really goes to show really how much of an ethical company google really is.

    I've been as much a Google fanboy as anyone--Gmail, Google search on my Web sites and built in to my Web browser, AdSense, Blogger. Except that Blogger, owned by Google, has deleted my account [slashdot.org] with no discussion and no appeal.

    I think the "not evil" ethical standards may be slipping just a bit.
