[LINK] Google Desktop Vulnerable - again
rchirgwin at ozemail.com.au
Mon Feb 26 07:13:58 AEDT 2007
http://www.infoworld.com/article/07/02/23/HNsecondgoogledesktopattack_1.html
> Google's PC search software is vulnerable to a variation on a
> little-known Web-based attack called anti-DNS pinning that could give
> an attacker access to any data indexed by Google Desktop, security
> researchers said this week.
>
>
> This is the second security problem reported this week for the
> software. On Wednesday, researchers at Watchfire said they'd found a
> flaw that could allow attackers to read files or run unauthorized
> software
> <http://www.infoworld.com/article/07/02/21/HNgoogledesk_1.html> on
> systems running Google Desktop.
>
> As with Watchfire's bug, attackers would first need to exploit a
> cross-site scripting flaw in the Google.com Web site for this latest
> attack to work, but the consequences could be serious, according to
> Robert Hansen, the independent security researcher who first reported
> the attack. "All of the data on a Google desktop can now be siphoned
> off to an attacker's machine," he said.
>
> Cross-site scripting flaws are common Web server vulnerabilities that
> can be exploited to run unauthorized code within the victim's browser.
>
> Hansen, who is CEO of Sectheory.com, did not post proof of concept
> code for his attack, but he said that he has "tested every component
> of it, and it works." He has posted some details of how Google Desktop
> data could be compromised on his blog.
> <http://ha.ckers.org/blog/20070222/google-desktop-the-saga-continues/>
>
> Google said it was investigating Hansen's findings. "In addition, we
> recently added another layer of security checks to the latest version
> of Google Desktop to protect users from vulnerabilities related to Web
> search integration in the future," the company said in a prepared
> statement.
>
> Anti-DNS pinning is an emerging area of security research, understood
> by just a handful of researchers, said Jeremiah Grossman, CTO at
> WhiteHat Security. The variation
> <http://www.securityfocus.com/archive/1/445490/30/0/threaded> of this
> attack described by Hansen manipulates the way the browser works with
> the Internet's DNS in order to trick the browser into sending
> information to an attacker's computer.
>
> "Once you can re-point Google to another IP address, instead of Google
> getting the traffic, the bad guy does," he said.
>
> Because this type of attack is so difficult to pull off and is poorly
> understood, it is unlikely to be used by the criminals any time soon,
> Grossman said. But anti-DNS pinning shouldn't be ignored, he added.
> "We should keep our eyes on it in case the bad guys shift gears."
>
> News of the attack comes as Google is trying to enter the desktop
> productivity market. On Thursday, Google launched a suite of Web-based
> collaboration software, called the Google Apps Premier Edition, that
> analysts say could become a competitor to Microsoft Office
> <http://www.infoworld.com/article/07/02/22/HNgoogleappsthreatens_1.html>.
>
> The troubling thing about the attack Hansen identified, which he calls
> anti-anti-anti-DNS pinning, is that there is very little that can be
> done to avoid it short of eliminating cross-site scripting
> vulnerabilities on the Web.
>
> "This is really just fundamentally about how browsers work," he said.
> "If you allow a Web site to have access to your drive -- to modify, to
> change things, to integrate, or whatever -- you're relying on that Web
> site to be secure."
>
> Hansen and Grossman say that Google is not the only company vulnerable
> to a growing category of Web-based attacks. For instance, MySpace.com
> was hit when a fast-moving worm spread through the MySpace community
> in early December, stealing MySpace log-in credentials and promoting
> adware Web sites.
>
> "A lot of these new attack techniques are going to require the
> browsers to improve," Grossman said. "The users really have very
> little ability to protect themselves against these attacks," he said.
> "It's very bad. Even the experts are afraid to click on each other's
> links anymore."
>
RC