IE flaw endangered Google Desktop
p2p news / p2pnet: Yet another security hole has been reported in Microsoft’s Internet Explorer, one its discoverer, Matan Gillon, says opened Google’s desktop search to hackers, potentially allowing them to phish user data.
"It was bound to happen," posts Gillon on his blog.
"I was recently intrigued by the possibility of utilizing Google Desktop for remote data retrieval of personal user data (such as credit cards and passwords) through the use of a malicious web page.
"Now, thanks to a severe design flaw in Internet Explorer, I managed to show it’s possible to covertly run searches on visitors to a web site by exploiting this vulnerability."
Gillon calls the attack "CSSXSS or Cascading Style Sheets Cross Site Scripting" and gives chapter and verse on how it’s used to exploit Google Desktop.
The Israeli hacker had a proof of concept page online, but, "Following the publication of the exploit, Google patched their sites to prevent the exploitation of this vulnerability," he says. "Therefore, the proof of concept no longer works."
During the time the Google Desktop tool was at risk, Gillon found Firefox and Opera were not, says CNET News.
"For protection, Internet users could use one of those browsers or disable JavaScript in IE, Gillon suggested," says the story, adding:
"It has been a busy week on the Microsoft security front. Four examples of attack code were released for flaws in the Windows operating system, and a Trojan horse is finding its way onto PCs through another yet-unpatched flaw in IE."
Meanwhile, Bill and the Boyz were said to be investigating.
Also read:-
blog – Google Desktop Exposed: Exploiting an Internet Explorer Vulnerability to Phish User Information, November 30, 2005
CNET News – IE flaw lets intruders into Google Desktop, December 2, 2005





