[LINK] Google Desktop Vulnerable - again

rchirgwin at ozemail.com.au rchirgwin at ozemail.com.au
Mon Feb 26 07:13:58 AEDT 2007


http://www.infoworld.com/article/07/02/23/HNsecondgoogledesktopattack_1.html

> Google's PC search software is vulnerable to a variation on a 
> little-known Web-based attack called anti-DNS pinning that could give 
> an attacker access to any data indexed by Google Desktop, security 
> researchers said this week.
>
>
> This is the second security problem reported this week for the 
> software. On Wednesday, researchers at Watchfire said they'd found a 
> flaw that could allow attackers to read files or run unauthorized 
> software 
> <http://www.infoworld.com/article/07/02/21/HNgoogledesk_1.html> on 
> systems running Google Desktop.
>
> As with Watchfire's bug, attackers would first need to exploit a 
> cross-site scripting flaw in the Google.com Web site for this latest 
> attack to work, but the consequences could be serious, according to 
> Robert Hansen, the independent security researcher who first reported 
> the attack. "All of the data on a Google desktop can now be siphoned 
> off to an attacker's machine," he said.
>
> Cross-site scripting flaws are common Web server vulnerabilities that 
> can be exploited to run unauthorized code within the victim's browser.
>
> Hansen, who is CEO of Sectheory.com, did not post proof of concept 
> code for his attack, but he said that he has "tested every component 
> of it, and it works." He has posted some details of how Google Desktop 
> data could be compromised on his blog. 
> <http://ha.ckers.org/blog/20070222/google-desktop-the-saga-continues/>
>
> Google said it was investigating Hansen's findings. "In addition, we 
> recently added another layer of security checks to the latest version 
> of Google Desktop to protect users from vulnerabilities related to Web 
> search integration in the future," the company said in a prepared 
> statement.
>
> Anti-DNS pinning is an emerging area of security research, understood 
> by just a handful of researchers, said Jeremiah Grossman, CTO at 
> WhiteHat Security. The variation 
> <http://www.securityfocus.com/archive/1/445490/30/0/threaded> of this 
> attack described by Hansen manipulates the way the browser works with 
> the Internet's DNS in order to trick the browser into sending 
> information to an attacker's computer.
>
> "Once you can re-point Google to another IP address, instead of Google 
> getting the traffic, the bad guy does," he said.
>
> Because this type of attack is so difficult to pull off and is poorly 
> understood, it is unlikely to be used by the criminals any time soon, 
> Grossman said. But anti-DNS pinning shouldn't be ignored, he added. 
> "We should keep our eyes on it in case the bad guys shift gears."
>
> News of the attack comes as Google is trying to enter the desktop 
> productivity market. On Thursday, Google launched a suite of Web-based 
> collaboration software, called the Google Apps Premier Edition, that 
> analysts say could become a competitor to Microsoft Office 
> <http://www.infoworld.com/article/07/02/22/HNgoogleappsthreatens_1.html>.
>
> The troubling thing about the attack Hansen identified, which he calls 
> anti-anti-anti-DNS pinning, is that there is very little that can be 
> done to avoid it short of eliminating cross-site scripting 
> vulnerabilities on the Web.
>
> "This is really just fundamentally about how browsers work," he said. 
> "If you allow a Web site to have access to your drive -- to modify, to 
> change things, to integrate, or whatever -- you're relying on that Web 
> site to be secure."
>
> Hansen and Grossman say that Google is not the only company vulnerable 
> to a growing category of Web-based attacks. For instance, MySpace.com 
> was hit when a fast-moving worm spread through the MySpace community 
> in early December, stealing MySpace log-in credentials and promoting 
> adware Web sites.
>
> "A lot of these new attack techniques are going to require the 
> browsers to improve," Grossman said. "The users really have very 
> little ability to protect themselves against these attacks," he said. 
> "It's very bad. Even the experts are afraid to click on each other's 
> links anymore."
>
RC


