Google Fixes IE Bug
aussie_a writes "Without accepting blame Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald."
The bug was Google's... (Score:1, Interesting)
This may be unfortunate (Score:3, Interesting)
What about the IE vulnerability? (Score:5, Interesting)
Re:Thanks for Fixing the Problem (Score:5, Interesting)
2 of our ISPs (which are actually government agencies) have blocked IE usage completely. They simply can't get on the network using IE.
This was in response to last week's security issues.
One of the apps we run uses IE-specific (ActiveX) controls. They are not required but they just make it much easier for the users. Now those have been blocked in two locations, causing me a lot of headaches. Of course, the standard answer would be, "why did you use IE-specific code?" It was an option for users...but they began to rely upon it.
So I for one, wish that Microsoft would either:
A- fix the security problems
B- release an 'IE Secure' browser, that is stripped down but secure
or
C- Umm...short of fixing the problems I don't have many other needs.
I really wouldn't mind if they had a totally secure version of their browser. Just stripped down functionality (cookies, javascript, etc) and pull out the other junk. Yes...we used some of the other junk, but at the time it seemed like a good idea.
By the way, I am now on the market for a good cross-browser in-line WYSIWYG HTML editor. A flash version would be great too.
Google (Score:1, Interesting)
Re:Responsibility. (Score:3, Interesting)
Sounds like Windows development (Score:3, Interesting)
Irony (Score:2, Interesting)
Don't get me wrong. Google issued a quick (and relatively quiet) fix to cover their butts and should be given due credit. But let's not overstate the issue. Google dodged a potentially PR wrecking bullet. I just hope they're more careful in the future as the next issue may not be so easy to sweep under the carpet. Microsoft is waiting to pounce, and will do so at the first serious non-IE based error they can find in Google's chain of products.
Excuse me, but It's really Google's Fault (Score:0, Interesting)
We all know about buffer-overflow exploits in C/C++ programs, do we blame it on the C/C++ language compilers? Do we blame it on the C/C++ language designers? Do we blame it on the C/C++ libraries? Do we blame the designers of the computer?
No, of course not. We blame the most high-level application that had the buffer-overflow vulnerability.
So, it's Google's fault, not IE. They should accept the responsibility.
How did they fix it w/out updating Google Desktop? (Score:2, Interesting)
Re:Thanks for Fixing the Problem (Score:4, Interesting)
Your attitude shows concern for your users, which is good -- it sounds like you put in this feature to make life easier for them, and I think that's great. However the way you implemented it was evidently a bad choice, exchanging ease of use for security, and now your clients have shown where their priorities are: security over ease-of-use.
Now would probably be a good time to either go back to the drawing board and see how you can reimplement those ease of use features, without tying yourselves down to one browser (particularly one that's developing an ever-growing reputation for being insecure and slowly patched). The alternative seems to be dumping the functionality completely, if you can't figure out a way to do it without IE ActiveX. Just waiting or hoping for Microsoft to release a "Secure IE" (how do you know it's secure?) seems foolish, and just begging to be put in the same position again down the road.
I admit I don't like Microsoft much, but I would be saying the same thing if you had written a Firefox-only interface and then some massive security hole was found with it.