Google Desktop Search on IE: Putting Information at Risk
Matan Gillon, a security researcher, discovered a way to steal information from Google Desktop Search users by exploiting a flaw in Internet Explorer. Google has now altered its Desktop Search so that it can no longer be used in digital attacks in conjunction with a flaw in Microsoft's Internet Explorer.
Gillon supplied proof of concept code using Google News to highlight the potential risk. "A complete exploit can also iterate through the result pages to get more data and log the results on a remote server," he said. But Google has now closed that hole.
Problem only with IE Browser
Gillon said he wrote a web page that used a CSS which allowed the page to query Google Desktop searches for anything, including vital information such as "password" queries. In order to work, Internet Explorer users must enter malicious websites which contain this IE/CSS exploit. The researcher did not find any similar vulnerability in Firefox and Opera. Users can switch to Firefox, at least until Microsoft fixes this matter to any of those browsers or they can disable JavaScript in IE, Gillon suggests.
Description of Security Hole
Problems in the way the browser handles CSS (Cascading Style Sheets) led to a short cut round the restrictions the browser places on interaction between different domains. Normally such restrictions would prevent one domain from accessing or interacting with another, but the flaw in Internet Explorer means that CSS can be accessed between domains.
By creating a website that in fact contained other code in the CSS style sheets, the browser still tries to read it, giving an attacker the ability to run Google Desktop searches remotely. The attack is said to work on fully patched Windows XP systems with the latest version of IE.
Microsoft Response to IE Flaw
"This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration," Microsoft said in the statement.
"Our investigation indicates that this issue will have limited impact because an effective attack requires a website to expose sensitive information in a specific way. Basically, an attacker would need to find a way to make a response look like a Cascading Style Sheet, and that response would need to contain sensitive information," explained Microsoft security researcher Michael Howard.
Google this week rolled out a fix to mitigate the risk from a newly discovered vulnerability in Internet Explorer that puts users of Google Desktop at risk even if they are running a fully updated system. Microsoft developers thanked Google for their work and say they are working on a patch for IE.
Matan Gillon, a security researcher, discovered a way to steal information from Google Desktop Search users by exploiting a flaw in Internet Explorer. Google has now altered its Desktop Search so that it can no longer be used in digital attacks in conjunction with a flaw in Microsoft's Internet Explorer.Gillon supplied proof of concept code using Google News to highlight the potential risk. "A complete exploit can also iterate through the result pages to get more data and log the results on a remote server," he said. But Google has now closed that hole.
Problem only with IE Browser
Gillon said he wrote a web page that used a CSS which allowed the page to query Google Desktop searches for anything, including vital information such as "password" queries. In order to work, Internet Explorer users must enter malicious websites which contain this IE/CSS exploit. The researcher did not find any similar vulnerability in Firefox and Opera. Users can switch to Firefox, at least until Microsoft fixes this matter to any of those browsers or they can disable JavaScript in IE, Gillon suggests.
Description of Security Hole
Problems in the way the browser handles CSS (Cascading Style Sheets) led to a short cut round the restrictions the browser places on interaction between different domains. Normally such restrictions would prevent one domain from accessing or interacting with another, but the flaw in Internet Explorer means that CSS can be accessed between domains.
By creating a website that in fact contained other code in the CSS style sheets, the browser still tries to read it, giving an attacker the ability to run Google Desktop searches remotely. The attack is said to work on fully patched Windows XP systems with the latest version of IE.
Microsoft Response to IE Flaw
"This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration," Microsoft said in the statement.
"Our investigation indicates that this issue will have limited impact because an effective attack requires a website to expose sensitive information in a specific way. Basically, an attacker would need to find a way to make a response look like a Cascading Style Sheet, and that response would need to contain sensitive information," explained Microsoft security researcher Michael Howard.
Google this week rolled out a fix to mitigate the risk from a newly discovered vulnerability in Internet Explorer that puts users of Google Desktop at risk even if they are running a fully updated system. Microsoft developers thanked Google for their work and say they are working on a patch for IE.