
Google Fixes IE Bug

aussie_a writes "Without accepting blame Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald."
  • by Anonymous Coward on Tuesday December 06, 2005 @10:25AM (#14193063)
    ...so why is it headlined "IE Bug"? It's not a bug in IE.....
  • by sgent ( 874402 ) on Tuesday December 06, 2005 @10:26AM (#14193076)
    It's my understanding that this flaw has nothing to do with Google Desktop per se -- but rather was just discovered on Google. Although I'm glad they shut down the flaw where Google is concerned, it seems that it still exists for other programs -- since the security breach itself is not specific to Google.
  • by erroneus ( 253617 ) on Tuesday December 06, 2005 @10:37AM (#14193156) Homepage
    If I recall previous discussions correctly, the flaw was in MSIE. If that's the case, what's to prevent an attacker from exploiting the flaw with his own code?
  • by bigman2003 ( 671309 ) on Tuesday December 06, 2005 @10:44AM (#14193221) Homepage
    I create web apps for a very widely distributed organization. We have dozens of different offices, all using their own type of Internet connection.

    2 of our ISPs (which are actually government agencies) have blocked IE usage completely. They simply can't get on the network using IE.

    This was in response to last week's security issues.

    One of the apps we run uses IE specific (Active X) controls. They are not required but they just make it much easier for the users. Now those have been blocked in two locations- causing me a lot of headaches. Of course, the standard answer would be, "why did you use IE specific code?" It was an option for users...but they began to rely upon it.

    So I for one, wish that Microsoft would either:

    A- fix the security problems
    B- release an 'IE Secure' browser, that is stripped down but secure
    or
    C- Umm...short of fixing the problems I don't have many other needs.

    I really wouldn't mind if they had a totally secure version of their browser. Just stripped down functionality (cookies, javascript, etc) and pull out the other junk. Yes...we used some of the other junk, but at the time it seemed like a good idea.

    By the way, I am now on the market for a good cross-browser in-line WYSIWYG HTML editor. A flash version would be great too.
  • Google (Score:1, Interesting)

    by certel ( 849946 ) on Tuesday December 06, 2005 @10:50AM (#14193263) Homepage
    Way to go Google. Fix issues that Microsoft would fail to address in a timely manner.
  • Re:Responsibilty. (Score:3, Interesting)

    by headkase ( 533448 ) on Tuesday December 06, 2005 @11:13AM (#14193406)
    Yup. And since you can't do it all, it all comes back to who's responsible for the code - in this case Microsoft.
  • by Urusai ( 865560 ) on Tuesday December 06, 2005 @11:22AM (#14193469)
    When a web browser and media player are "integral parts" of your O/S, you've got encapsulation problems.
  • Irony (Score:2, Interesting)

    by jeffvoigt ( 866600 ) on Tuesday December 06, 2005 @11:23AM (#14193477)
    Microsoft is kicking themselves for this one. They are finally given a juicy exploit that they could use to knock Google down a notch or two, but the exploit occurs because of IE's code. Microsoft's entire PR department is going, "Arrgh!" If the fault had lain anywhere else, Google would have had Microsoft-funded bad press everywhere. (And I think Slashdot would have toned down the Google love.)

    Don't get me wrong. Google issued a quick (and relatively quiet) fix to cover their butts and should be given due credit. But let's not overstate the issue. Google dodged a potentially PR wrecking bullet. I just hope they're more careful in the future as the next issue may not be so easy to sweep under the carpet. Microsoft is waiting to pounce, and will do so at the first serious non-IE based error they can find in Google's chain of products.
  • by Anonymous Coward on Tuesday December 06, 2005 @11:28AM (#14193506)
    It's the fault of the most high-level system, and not the low-level system.

    We all know about buffer-overflow exploits in C/C++ programs, do we blame it on the C/C++ language compilers? Do we blame it on the C/C++ language designers? Do we blame it on the C/C++ libraries? Do we blame the designers of the computer?

    No, of course not. We blame the most high-level application that had the buffer-overflow vulnerability.

    So, it's Google's fault, not IE. They should accept the responsibility.
  • by robo45h ( 660508 ) on Tuesday December 06, 2005 @12:13PM (#14193906)
    The article notes that Google fixed it because they didn't have to update any client code (implying that if an update would be required, they wouldn't have done it). Ignoring the fact that that's not necessarily a good reason, my question is how is this possible at all? The article mentions that they simply "tightened" some setting on the main Google site. This is surprising. Google Desktop is an offline application -- you can use it when you are not on the Internet. Of course, the main way that the bug will be exploited is when you *are* on the internet and you browse a malicious site. So I have to presume that there is some file (like a .css or .html) that Desktop references from the main Google website rather than from its local code, and that this somehow is related to the IE bug that can be exploited. The article was completely vague on this. Anyone have more definitive information?
  • by Kadin2048 ( 468275 ) <.ten.yxox. .ta. .nidak.todhsals.> on Tuesday December 06, 2005 @12:49PM (#14194218) Homepage Journal
    I'm sorry, but I can't come up with much sympathy for you or your users, because you used those IE-only, ActiveX controls. It's not as if IE being insecure is exactly news; sure the last few weeks have been particularly bad, but a whole lot of people have been saying this is coming for a while. Years, really.

    Your attitude shows concern for your users, which is good -- it sounds like you put in this feature to make life easier for them, and I think that's great. However the way you implemented it was evidently a bad choice, exchanging ease of use for security, and now your clients have shown where their priorities are: security over ease-of-use.

    Now would probably be a good time to either go back to the drawing board and see how you can reimplement those ease of use features, without tying yourselves down to one browser (particularly one that's developing an ever-growing reputation for being insecure and slowly patched). The alternative seems to be dumping the functionality completely, if you can't figure out a way to do it without IE ActiveX. Just waiting or hoping for Microsoft to release a "Secure IE" (how do you know it's secure?) seems foolish, and just begging to be put in the same position again down the road.

    I admit I don't like Microsoft much, but I would be saying the same thing if you had written a Firefox-only interface and then some massive security hole was found with it.
