Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Internet Explorer The Internet Businesses Google Security

IE Flaw Utilizes Google Desktop Search 165

abscondment writes "An error in the way Internet Explorer parses CSS files has been discovered by Matan Gillon of Israel. The flaw can be exploited by any website, and used to access personal information via Google's Desktop Search program. Of course, Google contends that this is a flaw with IE, and not their search software."
This discussion has been archived. No new comments can be posted.

IE Flaw Utilizes Google Desktop Search

Comments Filter:
  • by altoz ( 653655 ) on Friday December 02, 2005 @06:05PM (#14170004)
    Which do I believe?....
    • by krakelohm ( 830589 ) on Friday December 02, 2005 @06:21PM (#14170126)
      Who's who?
    • "Evil Empire vs Company making great products"

      You should have more respect for Google sir!
  • by Anonymous Coward on Friday December 02, 2005 @06:06PM (#14170011)
    I am shocked to learn of this, shocked and dismayed.
    • by nmoog ( 701216 ) on Friday December 02, 2005 @07:25PM (#14170652) Homepage Journal
      Its an awesome feature for Developers! Developers! Developers! - This feature has been in IE at least since IE 6 came out. That means Microsoft is again leading the field when it comes to AJAX and Web2.0 products.

      Think of the awesome client-side applications people will be able to come up with now that they are no longer restricted by pesky cross-domain security policies!
      • by Anonymous Coward
        Think of the awesome client-side applications people will be able to come up with now that they are no longer restricted by pesky cross-domain security policies!

        like this [pc-help.org] ?, except they dont need a browser flaw, just a few hidden 302 redirects, only phsically blocking the server with a firewall or hosts file can protect you, oh and it works on every browser and every platform that supports server redirects
        and its still in use to this day
  • It wouldn't surprise me if Microsoft sued Google (or vice versa) for this. If not, they might start blocking Google's search bar like they blocked msn.com [msn.com] from Opera.
    • Re:Lawsuit? (Score:4, Informative)

      by whitehatlurker ( 867714 ) on Friday December 02, 2005 @07:40PM (#14170742) Journal
      How about this link [com.com] instead. It has been a while since that affair. Some of the younger viewers might not remember. (And older ones forgotten about it.)
      • Yep, I (mis)remember that. Even afterward, Hotmail was still IE only for quite a while. .. paranoid crackpot leftover from the days of Amiga. That makes two of us!
  • by Gothmolly ( 148874 ) on Friday December 02, 2005 @06:07PM (#14170018)
    Will this be the flaw that breaks the patch cycle's back?

    Puh-lease. This ridiculous question could be asked of any flaw. How about from the 'its 5pm lets leave early so we accept any sensationalist submission' department?

    I can see how the Slashbot must suffer over this - its Google, but its a security vulnerability, but its Microsoft, so its OK, but its still Google, so what do we do? Laugh, cry, sell stock?
    • by Anonymous Coward on Friday December 02, 2005 @06:11PM (#14170047)
      an see how the Slashbot must suffer over this - its Google, but its a security vulnerability, but its Microsoft, so its OK, but its still Google, so what do we do? Laugh, cry, sell stock?

      According to the zdnet article Firefox and Opera aren't affected - so it really is Microsoft's problem, and independent of google
    • by _Sharp'r_ ( 649297 ) <sharper@@@booksunderreview...com> on Friday December 02, 2005 @06:12PM (#14170058) Homepage Journal
      The only connection to Google in this vulnerability is that the exploit allows access to local files that a web site isn't supposed to have access to and Google stores local files on the user's computer that can then be accessed.

      The google thing was a proof of concept (with a pretty page for showing it to people who use Google Desktop), not any particular relationship to the vulnerability.

      But I guess if you mention Google, it gets more attention? The summary could have just as easily said "vulnerability allows access to user's Hotmail email!!!!!!!!", which would be just as true, assuming the user is storing a cookie for easier access to hotmail.com.
    • We all love Google and hate the Borg Collective - well at least the vast majority of us. I think that we're all stuck on how to react to this. I find that having yet another vulnerablity in IE disclosed is yet another reason to want Apple to license OSX for x86 machines.

      If Apple would just give me the stabilty of Unix, the power of a CLI, and a GUI so nice that I don't really need the CLI on commodity hardware, I'd be a happy camper indeed. It would take me about all of 35 seconds to shove the disk into
  • by sammykrupa ( 828537 ) <sam@theplaceforitall.com> on Friday December 02, 2005 @06:07PM (#14170021) Homepage Journal
    Here is the easiest way to stop this from hurting you:

    Turn off your computer.

    P.S. Okay, seriously, use Firefox. [getfirefox.com]
    • Off-topic question, but has anyone had some random bugs after upgrading to Firefox 1.5? Like, the Bank of America website doesn't work properly anymore. Same with a couple other companies' sites.
    • Use Firefox or Opera. Keep IE only for the sites which explicitly requite it. This is not the last bug.
    • Actually, I tell my friends and familily this all the time when they ask me how to keep from getting the nasties on their computers. The safest way to browse the internet? Unplug the ethernet cable or phone line. The most sure fire way to not get a computer virus? Turn the computer off.

      That's about when they ask me for browsing tips with a reasonable risk.
    • Or run a Desktop DMZ that isolates the browser (and any helper apps) from the desktop and prevents any exploits from being able to read files, key strokes, etc.

      Note, Desktop DMZs are *not* personal firewalls, but a new form of security. There are several out there for Windows.

  • by Nom du Keyboard ( 633989 ) on Friday December 02, 2005 @06:09PM (#14170033)
    So it's finally happened. Microsoft's first salvo against Google. What else could it be?
    • If they make these things look like security holes no-one will suspect.
      Google: Help Help, Microsoft is trying to run us out of business...
      Anti-M$ Cr3w: What seems to be the problem?
      Google: Well, there's this security hole
      Anti-M$ Cr3w: So, What else is new... *Goes quietly on their way*
  • Misquote? (Score:4, Funny)

    by dada21 ( 163177 ) * <adam.dada@gmail.com> on Friday December 02, 2005 @06:11PM (#14170044) Homepage Journal
    This makes me wonder if Ballmer's chair throwing scream was actually "I will f##king end Google Desktop!" instead of "...end Google on the desktop."

    Hmm...
  • by u2boy_nl ( 927513 ) on Friday December 02, 2005 @06:15PM (#14170077) Homepage
    Of course, Google contends that this is a flaw with IE, and not their search software.

    And why shouldn't they?

    I've read TFA, according to the article it's a design flaw in IE. No one seems to be blaming Google anyway?

    (Well at least not yet.)
    • Even if it was Google's fault, I doubt anyone (except Microsoft staff) would blame them. Google is the hero and Microsoft is the villain, it's always been like that. Nobody would blame the goverment if the terrorists had a valid reason.
    • "I've read TFA, according to the article it's a design flaw in IE. No one seems to be blaming Google anyway?"

      They are just taking a defensive stance early on. Considering microsoft is going up against google in several different webapps, it wouldn't surprise me (or anyone else) that the M$ uses this to try and hurt googles pretty boy image. I bet the exploit will be "very difficult to fix" and M$ will throw blame in thier direction while they "work furiously" to produce a patch.

      • by Anonymous Coward
        This flaw can virtually affect any application installed on a computer, but Google Desktop was just used as a proof of concept.

        You can put the tinfoil hat away now.
  • Wow! (Score:2, Funny)

    by drcarson ( 935537 )
    I wish I knew of this sooner
  • This is a complex technical issue. I can easily imagine that users of the Google software will say to themselves:

    Google Toolbar allows badguy to get data -> Google software bad

    But on the other hand, perhaps the users will say to themselves:

    Oh -- MicroSoft made yet another security mistake. Rats!

    But normally I've seen people blame the additional software -- but as software folks, we know that if you have to add a feature (in this case, the IE plugin) on a crappy foundation, normally you see the faults in
    • Looks like the issue here is that IE tries to cleanup any bad html code.
      In a way this is good because IE can render a page properly even if it has unclosed tags or as in this case incorrectly rendered CSS braces.
      On the otherhand, this had led to web designers getting away with crappy html pages.

      In this case, Looks like Google is properly sanitizing the url parameters on all their sites except news.google.com
      This is a classic cross-site scripting attack.
      In my opinion, Google should fix the news.google implem
    • This is a complex technical issue. I can easily imagine that users of the Google software will say to themselves:

      Google Toolbar allows badguy to get data -> Google software bad

      But on the other hand, perhaps the users will say to themselves:

      Oh -- MicroSoft made yet another security mistake. Rats!

      But normally I've seen people blame the additional software -- but as software folks, we know that if you have to add a feature (in this case, the IE plugin) on a crappy foundation, normally you see the faults in

  • by Spy der Mann ( 805235 ) <spydermann.slash ... minus physicist> on Friday December 02, 2005 @06:23PM (#14170140) Homepage Journal
    spyware gets access to your computer's resources. Doh.
  • by sycomonkey ( 666153 ) on Friday December 02, 2005 @06:24PM (#14170148) Homepage
    The bug is that it uses IE in the first place.
    • Yeah. Consider the 3rd party MacOS X Dashboard Widgets that mimmic Google Desktop features. Hell of a lot safer using Google services that way than via IE and Google Desktop.
      • I'd feel more comfortable using Apple's software than Googles, now that I think about it. Google seemed like a good company, but they didn't fully embrace Linux and *nix. I think that was a mistake. What it means is I don't have any loyalty to them whatsoever, as far as I'm concerned they are sellouts just the same as Microsoft and Apple. But at least Apple is selling out to style, attitude, open source, etc. Instead of just for the money.

        I hope Google comes around, but I won't count on it.
        • Yeah, the nice thing about the OS X Dashboard widgets is their simplicity: HTML, javascript, and CSS. *Anyone* can figure that stuff out! And with HTTP post just about anything possible with widgets that's on Google Desktop. As for them not supporting *nix - nearly the same with OS X. Because I use Firefox I have Toolbar, and outside of a Gmail notifier nothing else runs from the desktop on Mac. Though rather than feel slighted I like that - it means most of the stuff I use most often is accessible from ne
          • Yeah, Google's webservices kick ass. I don't mind using their stuff and recommending them. Just wish I could use that map program and maybe their picture organizer thingy on Linux.. but maybe it works fine with Wine. I haven't tried that.
    • it uses the default browser app not necessarily IE.
      my desktop search opens up in firefox :-)
  • Gillon said other browsers, such as Firefox, are sufficiently locked down that the hack doesn't work on them.

    [...]However, given the danger presented by this and other recent discoveries of IE security holes, I would strongly recommend that IE users consider downloading and using another browser, like Firefox, Opera or Netscape.

    Go Brian Krebs !!!

    On a more serious note, it's nice to see somebody post an article clearly promoting [generic non-IE browser], but IMHO security shouldn't be the only reason w

    • "We shouldn't lose sight of the initial raison-d'etre of FF, which is to be an open-source browser, not a "more secure" browser (which is an added side benefit)."

      Mozilla evangelists keep praising Firefox's security because they really want to make it to the mainstream, but the average people does not care about open source, much less actually understand it (and god knows I've long given up trying to explain non-programmers what open source means).

      Sadly, being more secure than IE (which is not saying much) i
      • Sadly, being more secure than IE (which is not saying much) is really the only "selling point" of Firefox, really.

        Yeah, tabbed browsing, the lack of obfuscated histories of browsing one can't delete (IE index.dat), granular cookie handling, ad and Flash blocking extensions, and a hundred other things must not be selling points.

        • To average people? No, they're not.

          Non-geek people I've converted (read: forced) to Firefox don't use tabs. They don't understand the concept, and/or don't think about using it.

          Everything else you mentionned is technical stuff, or requires configuration. All minor stuff that won't convince people to install a new browser instead of simply using that blue 'e' that has always been there all along on their desktop, and that before you told them, thought *it* was *the Internet*.
  • by XiticiX ( 712612 )
    And it's really quite interesting how he lays it all out. It seems IE's CSS @import (or more specifically the "addimport" jscript function) doesn't block access to outside domains. So essentially, I can import any stylesheet I want from the web. This also means I can import _anything_ that is mal-formed as a css rule. Javascript comes to mind with it's curly braces. with classic injection attacks, you can inject anything you want, including jscript. Scary stuff. I think I'll go look at everyone's har
  • Ugh (Score:5, Informative)

    by n0dalus ( 807994 ) on Friday December 02, 2005 @06:34PM (#14170219) Journal
    Before everyone goes posting about MS vs Google rubbish, please RTFA. This has very little to do with Google.

    "This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration," Microsoft said in the statement.

    In other words, this flaw is just loading files from Google Desktop's internal http server. It could load the internal http server of hundreds of different programs (particularly administration tools).
    • by n6mod ( 17734 )
      It's even narrower than that if you real all the way through TFA. There's an extra layer of security in the Google implementation that is broken by a bug in news.google.com. Google could pretty easily fix that and solve the problem.

  • by ArsenneLupin ( 766289 ) on Friday December 02, 2005 @06:35PM (#14170228)
    Folks, RTFA!

    Ok, so the FA is a bit long, so here you have a three sentence summary:

    The exploit allows to read foreign Web pages by abusing a broken security check in the document.stylesheets javascript method.

    The malicious code first loads the page to be snarfed as a CSS into the current document using addImport, and from there into a javascript variable using document.stylesheets. Finally the variable is posted back to the website of the exploiter.

    The google desktop was only cited as an example. But basically any protected web page could have been targetted (a webmail site such as hotmail, any other password-protected page, intranet server not accessible from outside, ...)
    • by Tim C ( 15259 ) on Friday December 02, 2005 @06:45PM (#14170300)
      abusing a broken security check in the document.stylesheets javascript method.

      Technically, that's an element of the DOM, and is nothing to do with javascript, and is certainly not a javascript function. (In fact it's not a method at all, it's a property of the document object).
    • Of course if google didn't inject the secret key to access their desktop search into your google web page when you access google, this wouldn't be a problem. So it in fact _does_ have something to do with google. It is a trivial fix for google, and a more complex fix for microsoft. Google should do the right thing and fix their desktop search (or "work around microsoft's bug", if you just can't bring yourself to admit that "super google" can make a mistake), even if their code is 'technically correct' ('tec
  • Corporate banning (Score:1, Informative)

    by DietCoke ( 139072 )
    This is the type of scenario we kept in mind when we decided to ban the use of the tool on our corporate PCs. It would have been nice if (at least at that time) Google had provided more than just a slight clue as to how to easily block the installation.

    Of course, it didn't take too long and isn't incredibly tamper-proof, but it's kept the average user from really sitting down to find a way to get it installed.

    This is a simple registry file that we run as part of the setup. Like I said, not too high-tech,
    • And had you bothered reading the article, instead of relying on Slashdot's headline and making an ass of yourself, you would know the bug resides in IE, and accessing Google Desktop was just an example given.
    • In a perfect world corporate employees wouldn't have administrative rights, but the world isn't perfect.

      If your users are admins, why bother with the program restrictions?

    • Found a security bug in your reg file, here is a patch

      -start-
      --- nogoogle.reg.ori 2005-12-03 03:26:19.000000000 +0100
      +++ nogoogle.reg 2005-12-03 03:26:35.000000000 +0100
      @@ -4,8 +4,5 @@
      "disallowrun"=dword:00000001

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Policies\Explorer\disallowrun]
      -"1"="G oogleDesktop.exe"
      -"2"="GoogleDesktopSearchSetup. exe"
      -"3"="Troubleshoot Network.exe"
      -"4"="GoogleDesktopIndex.exe"
      +"1"= "iexplore.exe"

      -end-

  • It shouldn't matter whose fault it is. That's for lawyers to decide.

    What Google should do is immediately patch their software to block that attack, and if an attack does get into the wild, shut down their service until it is patched. In the future, maybe not integrating with IE would help.
    • Re:Just fix it. (Score:4, Insightful)

      by rm69990 ( 885744 ) on Friday December 02, 2005 @07:24PM (#14170638)
      God would you people RTFA!!! It is a problem with IE, not with Google Desktop. Google Desktop does not integrate with IE, it uses the default browser on your system. When I double click on Google Desktop, Firefox opens for me.

      Also, Google Desktop was given as an EXAMPLE, the flaw can be used elsewhere.

      Of course, sitting around and pretending you know what you are talking about is easier, isn't it?
      • Um, you could stand to re-RTFA too. According to aformentioned TFA all of Google's pages take an extra measure that prevents this from working, but on Google News it's broken.
      • Maybe you should step back and think about this. I know some people as a knee-jerk reaction will accuse Microsoft off the bat. However, why doesn't anyone ask the obvious question of why Google chose to run their Desktop Search in a browser, especially IE? Obviously, they were aware of the fact that IE has a huge installation base and isn't known for pristine security. You're obviously asking for problems off the bat - and now we have some. Notice that MSN Desktop Search doesn't have this issue.

        Note
  • After the next security update, all cookies created by IE will be prefixed with $sys$.
  • by vagabond_gr ( 762469 ) on Friday December 02, 2005 @07:26PM (#14170655)
    The answer is not so simple. Sit down for a second a think.

    The flaw allows a malicious web page to open a window with a different web page and read information from there. So a script in 'www.badguy.com' can read data from 'www.goodguy.com'. Now how bad is up to here? Pretty bad, but not catastrophic. badguy.com could open, say, mail.yahoo.com, and provided you have a yahoo mail account and you login, it could read some of your mails. Is there a chance of reading private info? Yes. Is there a chance of reading a file in your disk. NO! badguy.com can't read a file in your disk using yahoo mail. And given the fact that really critical data are stored in the local disk, not webmail accounts, the danger is limited.

    Now imagine there exists a web site containing all your private local files! This is exactly what Google Desktop Search is! GDS creates a local web server at port 4664, bound only to the 127.0.0.1 to avoid remote access. It is a web site accessible only from your pc and google takes a lot of measures to ensure that. But the script at badguy.com runs in your pc, and using the exploit it can access this personal web site. Now how bad is the situation? Catastrophic. All indexed data, pretty much your whole hard disk, are accessible to badguy.com.

    Of course this wouldn't happen if there was no IE flaw. But who put all your data at a (local) web server? Google Desktop Search. IMHO, the problem is once again the tight integration of a browser to the rest of the system. If Google used a custom client to query the local index instead of the browser this wouldn't happen. It would require a flaw that allows remote code execution and these flaws are more rare and more difficult to exploit (ok, in case of MSIE it's every day routine, I agree). This exploit is a piece of cake, because local data are promptly served by GDS.

    Just to make things clear, I don't really blame Google for this. But to achieve good security you need good software design and integrating a browser with everything is not a good idea. Google made a decision on that so it has some responsibility.

    And then public opinion is a totally different subject. I totally understand someone who loses its credit card number and blames google for indexing this number and making it accessible to badguy.com. If amazon stores your credit card number in an Oracle database and the number gets stolen because of an Oracle flaw, will you blame Oracle or Amazon?
    • The new religion among IT admins is to ban any software from being installed on users' PCs. So instead of having small fast interactive secure application-specific clients, everything has to go through the browser.

      The fact that anything that goes through the browser is vulnerable to any attack launched on the browser - and can potentially expose all the organization's confidential data to whatever browser vulnerability the attackers choose to exploit - is ignored because it would sully the purity of the doc
    • You give a very clear description of the problem.

      I understand that you are not bashing Google.

      Some people would make the argument that Google has some responsibility in this because of how they designed their desktop search (as a local web server). The conclusion of this line of argument is that Google should have designed their software differently.

      To rebut that argument, one could argue that when some other hypothetical exploit comes along (and there have been some in the past) that allows www.b
      • You give a very clear description of the problem.
        I understand that you are not bashing Google.


        And yet, someone modded me flaimbait! At least some people pay attention.

        To rebut that argument, one could argue that when some other hypothetical exploit comes along (and there have been some in the past) that allows www.badguy.com to execute arbitrary code, that then www.badguy.com could still exploit Google's program. Should Google have to design to guard against any hypothetical vulnerability in Microsoft's bro
  • ... the hack works because IE does not properly parse cascading style sheet (CSS) files, a Web design language used by thousands of Internet sites.

    Yeah, this was already discovered by that kid 'samy' when he thrashed MySpace. Microsoft hasn't patched it.

    But yeah, it's Google's fault. Right.

  • By Google mainly creating products on the Windows platform, they will fall into Microsoft's trap: the 'integrated approach' philosophy. With the Microsoft approach to design, ease of installation is a fact, BUT an application is as weak as its weakest component (as someone mentioned). Unfortunately, that component is built into the operating system! And so since Microsoft controls that foundation, the can easily blame any 3rd party application since the OS still "works".

    Therefore, my advice to Google: be pr

  • you know, it's very sad that after all these years of variouspatches [mozilla.com] and fixes [opera.com] being availible for people's computers [apple.com], people still use inferior software more inherently prone to flaw [microsoft.com].
  • I've never seen the OS that didn't have some kind of search capabilities, and in Linux we have excellent tools which can even be combined and scripted from the command line into the custom algorithm of your choice. Why exactly, would anybody want a web site to crawl their hard drive in the first place? When I first heard of that, I thought it sounded a little risky.
  • I blame Gucci for not making my wallet more secure.

C makes it easy for you to shoot yourself in the foot. C++ makes that harder, but when you do, it blows away your whole leg. -- Bjarne Stroustrup

Working...