
Zero Day Hole In Google Desktop 113

40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: '"This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory comes just days after Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'"
This discussion has been archived. No new comments can be posted.

  • Easily solved (Score:5, Informative)

    by tedhiltonhead ( 654502 ) on Friday June 01, 2007 @06:05PM (#19358413)
    It sounds like this takes advantage of the "Google Integration" feature, where the Google Desktop software adds a link to your Google search results page. I found his explanation rather unclear, but it sounds like you can avoid this by going into Google Desktop's preferences, then the Display tab, then un-checking the last checkbox, "Show Desktop Search results on Google Web Search result pages".

    I've always thought that was a scary idea anyway, since my desktop content should be in a clearly-partitioned security domain from Web content.
  • by crymeph0 ( 682581 ) on Friday June 01, 2007 @06:09PM (#19358463)
    How does one stop Google desktop from indexing executables? When I open the Google Desktop preferences, exe files aren't even listed as something I can index, but search for an executable like hypertrm.exe on Google desktop, and it shows up anyway, which is the 'meat' of this vulnerability.
  • Re:Logical (Score:3, Informative)

    by snarkbot ( 1074793 ) on Friday June 01, 2007 @06:17PM (#19358557)

    Yeah for sure, now that Apache runs 60% of the Web, all those crackers are finding tons of exploits for it every day!
    http://search.cert.org/query.html?col=certadv&col=vulnotes&qt=apache&charset=iso-8859-1 [cert.org]

    Yes, Apache has a good reputation for security, but like most popular, complex programs, its history is far from exploit-free.

    -snarkbot
  • by isnoop ( 239143 ) on Friday June 01, 2007 @06:55PM (#19358925) Homepage
    Google is nice enough to offer SSL for most of its services these days. It would make a lot of sense for them to round out their secure offerings with an SSL search as well.

    Right now, any request to an encrypted Google search URL redirects you to www.google.com.
  • I think that ActiveX components are signed/named, so there wouldn't be as much of a problem with them. Don't quote me on that, though.
  • by Gary W. Longsine ( 124661 ) on Friday June 01, 2007 @07:18PM (#19359153) Homepage Journal
    Hrm... you seem unaware that the very desktop (and mobile) friendly Macintosh and the coming generation of iPhones, iPods, and probably other digital appliances from Apple are based on a real UNIX underneath? The UNIX foundation of the system design is partly responsible for the rapid pace of evolution of Mac OS X [apple.com].

    Although extreme hubris might combine with extreme resources (both dollars and talent) at Google to lead to the creation of an entirely new OS from the ground up, there may not be any need for that. The UNIX wheel is relatively round these days, particularly considering the Mac OS X / OSX example. Better yet, UNIX is nicely modular. If anyone devises a clever way to "avoid buffer overflow situations" it seems likely, on the basis of past evidence concerning technology development and adoption within UNIX systems in general, that it would be easier to integrate that language and compiler, or whatever technology it happens to be, into a UNIX operating system than it would be to create a fully capable system on top of it from whole cloth.

    Since you seem genuinely interested in the topic, here are some reasonable books on operating system design which you might enjoy.

    The Design and Implementation of the 4.4 BSD Operating System [amazon.com]
    Design of the UNIX Operating System [amazon.com]
    Operating System Design: The Xinu Approach [amazon.com]
    UNIX Internals: The New Frontiers [amazon.com]
    Mac OS X Internals: A Systems Approach [amazon.com]
    Solaris Internals [amazon.com]


    The other issues you raise are largely issues of interface design, which the open source community seems to do rather poorly, or at least not as well as it does other things. Google certainly does not need to re-invent the entire operating system wheel to improve URL integration, or provide a "minimalist" desktop interface, for example. They don't even need to strip features, really. Mac OS X, for example, provides enough of a minimalist default interface that novice computer users are comfortable with it. A Linux based OS from Google could take a similar approach, perhaps being even more spartan in the basic features, if that's really a desirable goal (which is another question entirely).
  • by WalterGR ( 106787 ) on Friday June 01, 2007 @07:49PM (#19359411) Homepage

    you do not provide functions which can execute arbitrary programs.... This is the source of most of the vulnerabilities involving web browsing. Now we have Google competing to offer similar security holes.

    Firefox offers the exact same mechanism. Firefox extensions can contain (and run) executable code. (See below.)

    As the Greasemonkey security vulnerability [oreillynet.com] demonstrated, web pages can "script" Firefox extensions.

    ActiveX = executable code + scripting from the web browser. Firefox extensions introduce the same risks as ActiveX.

    Take for instance FoxyTunes [mozilla.org], which is listed on the Recommended Add-ons [mozilla.org] page. Download the XPI file, rename it to ZIP. Open it in WinZip or whatever. You'll notice several files:

    • FoxyTunes.dll
    • FoxyTunes.dll.linux
    • FoxyTunes.dll.mac
    • FoxyTunesBonobo.so.file

    DLL files are executable code on Windows. I'm assuming the *.linux and *.mac are similar. SO files are executable code under Linux, not sure why it has .file after it. I'm sure there are more extensions with executable code, that was just the first I looked at. Look for any extension that integrates with external software - almost always there will be a DLL or EXE.
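
The manual check described in the comment above (rename the XPI to ZIP and look for DLL, EXE or SO files), automated as an added Python example that is not part of the original thread. It goes beyond the comment by matching file signatures instead of names and by looking inside nested archives; the file names in the constructed sample are hypothetical.

```python
import io
import zipfile

# Well-known file signatures for native code; extensions are ignored on purpose.
MAGICS = {
    b"MZ": "PE (Windows EXE/DLL)",
    b"\x7fELF": "ELF (Linux executable or shared object)",
    b"\xfe\xed\xfa\xce": "Mach-O", b"\xfe\xed\xfa\xcf": "Mach-O",
    b"\xce\xfa\xed\xfe": "Mach-O", b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary (or Java class)",
}
MAX_NESTED = 50 * 1024 * 1024  # skip nested archives whose declared size exceeds this

def classify(head):
    return next((kind for magic, kind in MAGICS.items() if head.startswith(magic)), None)

def find_native_code(archive, prefix="", max_depth=3):
    """Return [(path, kind)] for every member whose content is native code."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            with zf.open(info) as member:
                head = member.read(4)
                kind = classify(head)
                if kind:
                    findings.append((path, kind))
                elif (head == b"PK\x03\x04" and max_depth > 0
                      and info.file_size <= MAX_NESTED):
                    # Extensions often pack files into inner .jar (zip) archives.
                    nested = io.BytesIO(head + member.read())
                    findings += find_native_code(nested, path + "!/", max_depth - 1)
    return findings

def build_sample_xpi():
    """Constructed sample: the 'binaries' are only magic bytes plus padding."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("content/overlay.js", "// script only")
        jar.writestr("content/helper.dat", b"MZ" + b"\0" * 62)
    with zipfile.ZipFile(outer, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF/>")
        xpi.writestr("components/Example.dll", b"MZ" + b"\0" * 62)
        xpi.writestr("components/Example.so.file", b"\x7fELF" + b"\0" * 60)
        xpi.writestr("chrome/example.jar", inner.getvalue())
    outer.seek(0)
    return outer
```

Calling `find_native_code(build_sample_xpi())` reports the two files under `components/` and the PE file hidden as `helper.dat` inside the nested jar; a real `.xpi` path can be passed the same way.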

  • armchair OS designer's reading list

    That's great. When you graduate beyond armchair reading, perhaps you might consider getting out of your chair and learning about actually designing an Operating System [osdev.org]? It's a very rewarding experience and teaches one about all the wonderful spaghetti and legacy problems inherent in designs like Unix. It even shows how the greater resources present in modern computers can be utilized to reduce or eliminate the problems exhibited by previous OSes.
  • Re:pwnt! (Score:3, Informative)

    by JFitzsimmons ( 764599 ) <justin@fitzsimmons.ca> on Saturday June 02, 2007 @12:44AM (#19360969)
    *beagle
