Google Desktop Flaw Fixed, But Future Attacks Still Possible
Google issued several fixes at the beginning of February for a flaw that affected one of its most popular desktop applications, Desktop Search, but the problems are not over.
The flaw, discovered by security firm Watchfire, could have allowed a hacker to access private information remotely and even take control of the entire system.
According to the three authors of the report, the vulnerability is the “outcome [of] both the integration between the Google.com Web site and Google Desktop, and Google Desktop’s failure to properly encode output containing malicious or unexpected characters. Unlike traditional computer penetration attacks, there is no need for binary code to be injected.”
The authors underline the potential danger posed by the integration between Web-based applications and desktop applications, which opens the door to future attacks based on the model offered by Google Desktop Search. They say a hacker could escalate his/her privileges by crossing from the Web environment to the desktop application environment: “These attacks take advantage of Web application vulnerabilities and the increasing power of the Web browser. Their purpose is to remotely access private information.”