Google Fixes IE Bug

Zonk posted more than 8 years ago | from the quik-fix dept.

Google 225

aussie_a writes "Without accepting blame Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald."

Thanks for Fixing the Problem (3, Insightful)

teiresias (101481) | more than 8 years ago | (#14193052)

Well I'm just glad Google fixed the issue whether it's their fault or not.

I don't care whose fault it is. Just fix the problem. //not that I use IE but you know still.

Re:Thanks for Fixing the Problem (5, Interesting)

bigman2003 (671309) | more than 8 years ago | (#14193221)

I create web apps for a very widely distributed organization. We have dozens of different offices, all using their own type of Internet connection.

2 of our ISPs (which are actually government agencies) have blocked IE usage completely. They simply can't get on the network using IE.

This was in response to last week's security issues.

One of the apps we run uses IE specific (Active X) controls. They are not required but they just make it much easier for the users. Now those have been blocked in two locations- causing me a lot of headaches. Of course, the standard answer would be, "why did you use IE specific code?" It was an option for users...but they began to rely upon it.

So I for one, wish that Microsoft would either:

A- fix the security problems
B- release an 'IE Secure' browser, that is stripped down but secure
or
C- Umm...short of fixing the problems I don't have many other needs.

I really wouldn't mind if they had a totally secure version of their browser. Just stripped down functionality (cookies, javascript, etc) and pull out the other junk. Yes...we used some of the other junk, but at the time it seemed like a good idea.

By the way, I am now on the market for a good cross-browser in-line WYSIWYG HTML editor. A flash version would be great too.

Re:Thanks for Fixing the Problem (1)

DrSkwid (118965) | more than 8 years ago | (#14193376)

Flash is a vector for trouble too.

You should really consider the second source approach.

Make sure the web app your company runs on works in at least 2 browsers, on 2 OSes.
Make sure the server side can run on disparate hardware using disparate OSes.

Ideally it should run on whichever install CD you find in the box first.

Re:Thanks for Fixing the Problem (4, Funny)

Chi-RAV (541181) | more than 8 years ago | (#14193471)

One of the apps we run uses IE specific (Active X) controls.
release an 'IE Secure' browser, that is stripped down but secure
Sure, we'll just take ActiveX out of IE and call it a "secure" version.

Re:Thanks for Fixing the Problem (0)

Anonymous Coward | more than 8 years ago | (#14193269)

"I don't care whose fault it is. Just fix the problem. //not that I use IE but you know still." - by teiresias (101481) on Tuesday December 06, @09:24AM

Agreed, 110% - bitching about something, &/or pointing fingers doesn't solve hassles, work & actual results, do.

(On using IE? I do, when a page forces it, such as Windows Update... but, that's about it imo & as far as I am concerned as to utilizing IE @ home (in the workplaces I have been, it's the defacto std., & especially for intranet usage)).

Sometimes, you just don't have a choice as to which browser you use, but this & other IE problems should hopefully get better with VISTA & IE7, because for example, the version of IE in Windows Server 2003 is a heck of a lot more secure (& XP SP2 as well) than the defaults given IE in Windows 2000 & earlier models of IE6.x as well as IE 5.x...

Myself, as far as webbrowsers? I go with Opera, & with GOOD reason, see this study:

http://www.howtocreate.co.uk/browserSpeed.html#win [howtocreate.co.uk]

Opera is just the fastest browser out there, & that test's pretty recent with fairly recent builds of IE, &/or FireFox etc. & Opera's also shown less security related bugs vs. those other 2 as well.

BOTTOM-LINE - Time heals all wounds... well, that & developer's sweat and the crew @ GOOGLE didn't waste any time on this fix, good job on their parts imo by all means!

* :)

APK

Sort of good they fixed it... (1)

porkThreeWays (895269) | more than 8 years ago | (#14193277)

From an end user standpoint, it's good they fixed it even though it definitely wasn't their fault in the least bit.

However by fixing it, it would seem to the average Joe an admittance that it was a bug in their software. This isn't the case in the least bit. I remember the old slashdot story and the trolls were out that day. Google desktop was given as an example of one of the dozens, if not thousands of various web based programs affected by this IE bug. Make no mistakes about it, this was an IE bug.

This really goes to show really how much of an ethical company google really is. They took charge and created a workaround in their software for a problem that really isn't theirs. Sadly, this won't convince the google trolls and they'll just add this to the bug count.

If they can fix stuff at their end... that's cool! (5, Insightful)

byolinux (535260) | more than 8 years ago | (#14193055)

As more and more desktop apps serve as an interface to a website, it'll become a lot easier to fix and deploy new functionality. This is a good thing.

Re:If they can fix stuff at their end... that's co (-1, Flamebait)

molo (94384) | more than 8 years ago | (#14193117)

WTF. I thought the whole point of google DESKTOP was that it didn't require any interface to the outside world to work! WHY was google desktop going out to google.com? Isn't the privacy question more important here?

-molo

Re:If they can fix stuff at their end... that's co (1)

dreamchaser (49529) | more than 8 years ago | (#14193128)

Um. Have you used Google Desktop? Have you looked at it, read the privacy policy, looked into its 'Advanced Features'?

Oh. I didn't think so.

Re:If they can fix stuff at their end... that's co (1)

molo (94384) | more than 8 years ago | (#14193249)

Yes. They are disabled.

-molo

Re:If they can fix stuff at their end... that's co (-1, Flamebait)

Mayhem178 (920970) | more than 8 years ago | (#14193228)

That really depends on how they define "their end." Microsoft, for instance, is obviously of the impression that your computer is their computer, and they can install whatever they want on it. Remember when SP2 came out?

Stages of SP2 Installation:

  1. Windows has automatically-downloaded updates waiting to be installed (i.e. SP2). Would you like to install them now?
  2. NO
  3. Now installing Service Pack 2...
  4. CANCEL
  5. Are you sure?
  6. YES
  7. Are you really sure?
  8. Freakin' YES!
  9. *Disable automatic updates*
Two days later...minding your own business...
  1. Windows has automatically-downloaded updates waiting to be installed (i.e. SP2). Would you like to install them now?
  2. NO
  3. Now installing Service Pack 2...
  4. CANCEL
  5. Thank you for installing Service Pack 2! Your machine will now reboot.
  6. * crying *
  7. BSOD

Re:If they can fix stuff at their end... that's co (1)

Eightyford (893696) | more than 8 years ago | (#14193266)

As more and more desktop apps serve as an interface to a website, it'll become a lot easier to fix and deploy new functionality. This is a good thing.

I disagree. Having this ability encourages software companies to release buggy and unfinished software before adequate testing is done.

Re:If they can fix stuff at their end... that's co (1)

Talrinys (888624) | more than 8 years ago | (#14193356)

And companies don't do this now? There will always be bad seeds in whatever industry you want to look into, but they should never be allowed to control the market. Now I think Google did a great thing here, I'm not sure I would have even thought about fixing it if I was in their shoes, since it's obviously a bug in IE. And for God's sake, for those people whining about having to rewrite from ActiveX to other technologies now, do you buy a car without a locking system and then whine when it gets stolen too?

Re:If they can fix stuff at their end... that's co (1)

Eightyford (893696) | more than 8 years ago | (#14193485)

do you buy a car without a locking system and then whine when it gets stolen too?

I don't accept situations like that as inevitable.

Bill: "Life sucks."
Ted: "Then fucking do something about it."

Re:If they can fix stuff at their end... that's co (2, Insightful)

aussie_a (778472) | more than 8 years ago | (#14193441)

You do realise no matter how much testing a company does, there will be bugs in their software and vulnerabilities?

The bug was Google's... (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14193063)

...so why is it headlined "IE Bug"? It's not a bug in IE.....

Re:The bug was Google's... (4, Informative)

TCFOO (876339) | more than 8 years ago | (#14193102)

They fixed their code so that their Desktop Search program couldn't be used maliciously because of a flaw in IE.

Re:The bug was Google's... (-1, Troll)

TheSpoom (715771) | more than 8 years ago | (#14193103)

Because this is Slashdot.

Re:The bug was Google's... (3, Insightful)

Big Nothing (229456) | more than 8 years ago | (#14193112)

"The bug was Google's... ...so why is it headlined "IE Bug"? It's not a bug in IE..."

Actually, the bug IS originally in the IE code. But Google's Desktop implementation of that code failed to address the security hole. In other words: Microsoft created the security hole and Google Desktop made it dangerous. Who's to blame? MS? Google? Both? None? You decide.

Re:The bug was Google's... (4, Funny)

TedCheshireAcad (311748) | more than 8 years ago | (#14193152)

Who's to blame? MS? Google? Both? None? You decide.

George W. Bush, clearly.

Re:The bug was Google's... (0, Offtopic)

jim_redwagon (845837) | more than 8 years ago | (#14193311)

Please get it right. Al Gore created the Internet and is solely responsible for all the virii/spyware/naughty bits/etc that now spew forth from it.

Re:The bug was Google's... (1, Funny)

mrnukem (832838) | more than 8 years ago | (#14193427)

Al Gore is to blame. He created the interwebs you know..

Re:The bug was Google's... (0, Funny)

Anonymous Coward | more than 8 years ago | (#14193438)

Actually, I think Canada is to blame here.

Re:The bug was Google's... (-1, Flamebait)

estebanf (814656) | more than 8 years ago | (#14193208)

Google... MS has nothing to do with this...

Re:The bug was Google's... (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14193262)

Your sig is stupid. The grammar is wrong, and it doesn't make any sense. Try "not" instead of "no"... but even then... what does P2P have to do with open source?

Re:The bug was Google's... (1)

xoip (920266) | more than 8 years ago | (#14193116)

Initial reports out of other media as reported here yesterday cited the problem being with IE.

Re:The bug was Google's... (4, Informative)

TheRealMindChild (743925) | more than 8 years ago | (#14193121)

I think the problem was that Google's software was being run in the "Local Zone", which is almost always highly trusted. The flaw was that a site on the Internet could manipulate the toolbar. Sort of like an XSS vulnerability.

Re:The bug was Google's... (3, Informative)

nicc777 (614519) | more than 8 years ago | (#14193122)

From the article: "Even though Internet Explorer is the root cause of the vulnerability, Google's changing its Desktop Search so that it was no longer remotely accessible through the vulnerability in IE was the responsible thing for Google to do," said Gartner Research vice president Neil MacDonald.

Re:The bug was Google's... (4, Insightful)

FunkyELF (609131) | more than 8 years ago | (#14193155)

The bug was an IE bug. Let's say there is a windows exploit out there and it has the potential to let people run arbitrary code on the victim's computer. If that code accesses e-mail files stored on the computer that have usernames / passwords / credit card information....it is not the fault of Thunderbird, Eudora, Netscape, or whatever e-mail client is running there. That isn't how they got in, they got in through the windows exploit. I'm sure google didn't fix the IE bug, they prevented people using that exploit from getting personal information from Google Desktop Search. The IE bug is still there. This will just put less pressure on Microsoft to fix their POS browser.

Re:The bug was Google's... (2, Insightful)

mAineAc (580334) | more than 8 years ago | (#14193206)

This was not Google's bug. It was a flaw in IE that created the issue. All google did was make a change that would prevent the IE flaw from being accessible. IE should fix their XML flaw no matter what Google does to work around their sloppy programming.

Re:The bug was Google's... (1)

Trolling4Columbine (679367) | more than 8 years ago | (#14193369)

And furthermore, if it was an IE bug, how did Google get access to the IE code to fix it?

Credibility? (5, Funny)

connah0047 (850585) | more than 8 years ago | (#14193064)

The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.

I question Mr. MacDonald's credibility. If this is the same gentleman I'm thinking of, he's an older man who has a farm...or at least had one.

Re:Credibility? (2, Funny)

headkase (533448) | more than 8 years ago | (#14193124)

Come on everyone! Join in!!!! [singingbabies.com] .
I thought that song was great at one point in my life :)

Re:Credibility? (3, Funny)

Jawju (614159) | more than 8 years ago | (#14193133)

So that means the bug isn't in IE - it's in EI-EI version 0.

Indeed (5, Funny)

Gruneun (261463) | more than 8 years ago | (#14193160)

If I remember correctly, he was far more concerned with EI than IE.

IE IE I/O (1)

brotherash (4278) | more than 8 years ago | (#14193428)

I suppose when you get to the end it is all about IO.

Re:Indeed (5, Funny)

aug24 (38229) | more than 8 years ago | (#14193535)

Oh?

Re:Credibility? (0, Offtopic)

Pneuma ROCKS (906002) | more than 8 years ago | (#14193318)

Did he have bugs in his farm? I think you're on to something...

Re:Credibility? (0, Offtopic)

simong_oz (321118) | more than 8 years ago | (#14193321)

No no no, that's Old MacDonald you're thinking of. The Mr MacDonald referred to here runs a fast food business and dresses in a clown costume. Eminently more credible I think you'll agree.

Re:Credibility? (0, Offtopic)

jim_redwagon (845837) | more than 8 years ago | (#14193331)

This has to be the FUNNIEST post I have ever read here at /.

Thank You!

Misleading title (4, Informative)

HishamMuhammad (553916) | more than 8 years ago | (#14193065)

The title sounds as if Google had fixed a bug in Internet Explorer's code. Shouldn't it be "Google fixes Google Desktop bug"?

Granted, it does make it sound less like news... but I suppose it's because it isn't, really. You don't see stories like "Adobe fixes Photoshop bug", "KDE team fixes Konqueror bug", etc... since of course that's just part of the daily life in development.

Responsibility. (4, Insightful)

headkase (533448) | more than 8 years ago | (#14193180)

...Shouldn't it be "Google fixes Google Desktop bug"?...

Nope. Object-orientated programming. If the api documentation says that something should operate in a certain way and it does not then by fixing the problem on your side of things it weakens encapsulation of the function and makes it easier for future bugs to accumulate as the totality of code slowly turns to spaghetti.

Re:Responsibility. (2, Insightful)

HishamMuhammad (553916) | more than 8 years ago | (#14193372)

My gripe wasn't so much with the "IE" part but with the "fixes" part. Working around broken APIs and fixing broken APIs are two different things...

Re:Responsibility. (2, Interesting)

headkase (533448) | more than 8 years ago | (#14193406)

Yup. And since you can't do it all, it all comes back to who's responsible for the code - in this case Microsoft.

Re:Responsibility. (0)

Anonymous Coward | more than 8 years ago | (#14193448)

Object-oriented, not object-orientated. To orientate is to turn to face east.

Sounds like Windows development (2, Interesting)

Urusai (865560) | more than 8 years ago | (#14193469)

When a web browser and media player are "integral parts" of your O/S, you've got encapsulation problems.

Re:Misleading title (0)

Anonymous Coward | more than 8 years ago | (#14193191)

RTFA, mate. RTFA.

Re:Misleading title (4, Informative)

skyhawker (234308) | more than 8 years ago | (#14193234)

The title sounds as if Google had fixed a bug in Internet Explorer's code. Shouldn't it be "Google fixes Google Desktop bug"?

Not really. The flaw is in IE and Google's use of CSS exposed it to their users. They were able to change their use of CSS to work around the exploit, but the exploit still remains in IE. Even Microsoft admits that.

Re:Misleading title (2, Insightful)

HishamMuhammad (553916) | more than 8 years ago | (#14193353)

Not really. The flaw is in IE and Google's use of CSS exposed it to their users. They were able to change their use of CSS to work around the exploit, but the exploit still remains in IE. Even Microsoft admits that.

I see. In that case, that's working around the bug, not fixing it. If I said "yesterday I was coding when I stumbled in a Glibc bug -- it took me a while but I fixed it" you'd probably infer that I actually went into Glibc's code and corrected the problem. I understand now how calling it a "Google Desktop bug" is not right either, but I still think "fixes IE bug" is misleading. Or I might be just too nit-picky. :)

Re:Misleading title (2, Informative)

masklinn (823351) | more than 8 years ago | (#14193344)

Shouldn't it be "Google fixes Google Desktop bug"?

No, because it was not a bug in Google Desktop but a bug in IE that allowed the abuse of the Google Desktop software (and others, BTW).

Google changed part of their server software to remove the ability to use GDesktop the way it was used, but the flaw in MSIE is still there...

"Raises questions"? (4, Insightful)

argent (18001) | more than 8 years ago | (#14193066)

Well, I guess.. like "why would you go with Microsoft who sit on a vulnerability for months, instead of someone who actually fixes security holes?"

Re:"Raises questions"? (0)

Anonymous Coward | more than 8 years ago | (#14193283)

Because Google doesn't make operating systems?

Google and security (1)

Recovering Hater (833107) | more than 8 years ago | (#14193070)

While this does raise concerns about Google as a desktop, I think these same concerns should be voiced about any software vendor. Security is a process not a product.

This may be unfortunate (3, Interesting)

sgent (874402) | more than 8 years ago | (#14193076)

It's my understanding that this flaw has nothing to do with Google Desktop per se -- but rather was just discovered on Google. Although I'm glad they shut down the flaw where Google is concerned, it seems that it still exists for other programs -- since the security breach itself is not specific to Google.

Mod parent up! (1)

porkThreeWays (895269) | more than 8 years ago | (#14193294)

This is important to understand. This wasn't a google desktop bug. They just created a workaround to mitigate IE's bug MS won't fix. And because this is still an IE bug, MANY other programs are still affected.

Standards?!? (2, Funny)

thechao (466986) | more than 8 years ago | (#14193077)

"Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to," he said.

That's when I realized this was an article by 'The Onion'.

Yay! (1, Insightful)

Donniedarkness (895066) | more than 8 years ago | (#14193080)

Props to Google for taking responsibility and fixing this so quickly. They could have spent a few weeks blaming Microsoft (their competition), as I thought they would, but they didn't.

Re:Yay! (1)

BarryNorton (778694) | more than 8 years ago | (#14193115)

They could have spent a few weeks blaming Microsoft (their competition), as I thought they would, but they didn't.
No, they'll leave that to the Slashdot audience!

(See above already...)

Without Accepting Blame? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14193092)

wth does that mean?

The root problem is in IE. They made a work-around for their software. Why should they accept blame?

I'm a bit confused (1)

amrust (686727) | more than 8 years ago | (#14193093)

Was this vulnerability able to be exploited by any website, if you had Google desktop installed on your machine, regardless of what you used to surf the Internet with from said machine? If so, then that wasn't a Google vulnerability, it was a Windows vulnerability. Seeing as how IE is hard to uninstall and comes with every single Windows machine, and all.

Re:I'm a bit confused (1)

aussie_a (778472) | more than 8 years ago | (#14193467)

I believe the bug only occurred when using IE to access a page, while Google Desktop was running. So if you didn't run Google Desktop all the time, you were safe. Or if you used Firefox, you were safe. Microsoft in fact encouraged people to use another browser until it fixed the issue.

Hmm (-1, Troll)

voice_of_all_reason (926702) | more than 8 years ago | (#14193096)

Who didn't see this coming a mile away?

It's okay if Google has access to my hard drive AND the internet, right? They do no evil!

I don't think Google 'patched' the vulnerability (3, Informative)

kclittle (625128) | more than 8 years ago | (#14193114)

If I RTFA correctly, they just avoided using it. The vulnerability (in IE, which only MS can patch) is still there...

Ok everyone.... (5, Informative)

brunes69 (86786) | more than 8 years ago | (#14193120)

This article summary, and also most comments posted so far, are total misinformed garbage.

First of all, Google did not fix an IE bug. All they did is make their own software a bit more tight in security, so that *they* are not susceptible to the IE bug. It does not *fix* it.

Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.

But *ANY* app that embeds IE is (and remains) vulnerable, including many other pieces of software. For example, for all you poker players, if you have an account at UltimateBet [ultimatebet.com], you *are* vulnerable to this bug, and in theory someone could use it to steal your account information, which is very dangerous, since they may be able to initiate withdrawals from your account as well.

This is just the tip of the iceberg; there are literally hundreds of apps that embed the IE engine for rendering. All are at risk.

Re:Ok everyone.... (2, Insightful)

meringuoid (568297) | more than 8 years ago | (#14193209)

Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.

Google, of all organisations, should know better than to trust IE for anything.

Would it be so hard for them to include a safer rendering engine? Gecko's good. KHTML's good. Both are free. Couldn't they have used those instead? Then if there were any bugs discovered, Google (having the source code) could fix 'em, rather than having to implement some workaround because Microsoft won't.

Re:Ok everyone.... (2, Insightful)

rbarreira (836272) | more than 8 years ago | (#14193231)

They probably did it for compactness, since IE is already included in windows...

Re:Ok everyone.... (2, Informative)

masklinn (823351) | more than 8 years ago | (#14193365)

Google, of all organisations, should know better than to trust IE for anything.

Would it be so hard for them to include a safer rendering engine? Gecko's good. KHTML's good. Both are free. Couldn't they have used those instead? Then if there were any bugs discovered, Google (having the source code) could fix 'em, rather than having to implement some workaround because Microsoft won't.

Embedding the MSHTML engine in a Win32 application (or using a framework that wraps the controls) takes a few seconds and requires no code integration at all, while using the Gecko engine takes a bit more work.

Re:Ok everyone.... (1, Informative)

dr.newton (648217) | more than 8 years ago | (#14193250)

I'm glad you pointed out the distinction between fixing a bug and preventing someone from exploiting it using a particular piece of software, but I thought I should in turn point out that Google Desktop does not "embed IE" - I use it fine with firefox. It's just an app that runs locally intercepting google queries by ANY web browser and modifying the data google sends back to you, adding the "Desktop" link to the main page, for example, and performing local hard drive searches.

It does not embed any html renderer - it doesn't render html at all. It is an application that uses html and javascript to present a GUI, and then the browser does the rendering just like it does for any other page. Google Desktop is just another website to the browser.

Re:Ok everyone.... (1)

_Sprocket_ (42527) | more than 8 years ago | (#14193484)

It depends on how you use it. What you're describing is how I also used Google Desktop when I had it running. However, there IS an embedded part too. I seem to remember something about HTML being rendered in a slide-up window from the taskbar. I didn't use this feature much because it did use IE to render it and I don't trust IE.

Re:Ok everyone.... (1)

dr.newton (648217) | more than 8 years ago | (#14193509)

oic... my mistake. I didn't know it used IE to render that stuff. Actually, I'd forgotten about that part of the app altogether, since I've never used it.

Thanks.

You're 1/2 right (3, Informative)

brunes69 (86786) | more than 8 years ago | (#14193495)

Yes, a large part of Google Desktop will run in any browser.

But parts of the Sidebar component are rendered using an IE rendering engine. It is simple to verify if you check the references in the EXE and DLLs.

Re:Ok everyone.... (1)

n00tz (926304) | more than 8 years ago | (#14193391)

*panic* so my Firefox [mozdev.org] is vulnerable?

/sarcasm

I'm sure in reality it is, but IE Tab [mozdev.org] does add quite a bit of functionality for those sites that are not firefox-friendly.

Google Free Operating System is needed (1)

digitaldc (879047) | more than 8 years ago | (#14193135)

As long as we are fixing things, why not just go all the way? Oh well, I guess we all can dream.

I will be surfing over to http://labs.google.com/ [google.com] just in case.

Re:Google Free Operating System is needed (1)

HishamMuhammad (553916) | more than 8 years ago | (#14193398)

Well, you can just go with Google's free operating system [linux.org] of choice... ;)

Alternative Motives (1)

EBFoxbat (897297) | more than 8 years ago | (#14193148)

If g00 doesn't fix the bug and something bad happens to enough (or enough loud) people, it looks really bad for them. Especially when they could (apparently easily) fix it.

They did this to cover their own butts.

Re:Alternative Motives (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14193315)

This News just in:
  A man had an alternative motive for buying a hamburger. He did not only want to support the restaurant out of the goodness of his heart. The dastardly burger eater was just hungry.

Re:Alternative Motives (0, Offtopic)

unbeatable73 (726493) | more than 8 years ago | (#14193446)

Mod parent insightful!

What about the IE vulnerability? (4, Interesting)

erroneus (253617) | more than 8 years ago | (#14193156)

If I recall previous discussions correctly, the flaw was in MSIE. If that's the case, what's to prevent an attacker from exploiting the flaw with his own code?

Re:What about the IE vulnerability? (0)

Anonymous Coward | more than 8 years ago | (#14193252)

nothing. they just can't take advantage of it using Google's software, anymore.

What standards would those be? (4, Insightful)

Billosaur (927319) | more than 8 years ago | (#14193170)

From CIO Today: The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.

"Since Google is providing end-user software, it must be held to the same standards that you would hold other desktop software vendors to," he said.

Standards? What standards would those be? Last I checked, most software manufacturers are sending out buggy copies of their code hoping you won't notice, patching it up continuously, then going ahead and doing it repeatedly. And let's not forget that Microsoft is the king of them all!

And exactly how are we to hold them to these "standards"? So many people use Microsoft routinely that they have the lion's share of the market, and their competitors are left with the spoils. And while you may not like MS, many of their programs work just well enough that you believe you've got a decent, everyday product. Of course they break down, and people scream and rant, but in the end what do they do? Do they immediately switch to something else? No! They patch up their flawed software and keep the status quo.

It's a classic case of addiction, a lot like gambling but in reverse. You use the software every day and most days it works. The one time it doesn't, you fret, but because you restart it or patch it and it works, you go right back to it, rather than exploring alternatives. And Microsoft counts on this. That's why they dominate - they have everybody "addicted" to their software.

Re:What standards would those be? (0, Offtopic)

dopelogik (862715) | more than 8 years ago | (#14193193)

Thank you for saving me some keystrokes... mod parent!

Re:What standards would those be? (2, Insightful)

514CK3R (875865) | more than 8 years ago | (#14193273)

And Microsoft counts on this. That's why they dominate - they have everybody "addicted" to their software.
Addiction? Not nearly as much as it's a sunken cost. Consumers (Your parents, non-techie siblings, the guy that lives next door) aren't given many options when they buy an off-the-shelf PC, and when Options are out there, they're not nearly as exposed as anyone would like. Combine this with the fact that almost everyone wants a specific file format that they've sunk their teeth into (think resume + MS Word, most places won't take ANY other format), and it's not addiction, the user frustration is out there in spades. It's how our marketplace works. It's all about mass marketing and availability. Ever go to the grocery store? Next time you do, go to the soup aisle. Chances are almost 100% that Campbell's will have their soup at adult eye-level, and kids-friendly soups on the lower shelves. To get anything but Campbell's, you have to look between those shelves, and higher up. Out of sight, out of mind. Microsoft also relies on this. Go to Dell or Gateway or any other "OEM" consumer product store and find a PC that ships with linux. Not a server, a desktop PC on the front page that has linux as its primary OS. Didn't find one? That's not addiction, it's market placement. $0.02

Re:What standards would those be? (1)

winkydink (650484) | more than 8 years ago | (#14193420)

Last I checked, most software manufacturers are sending out buggy copies of their code hoping you won't notice, patching it up continuously, then going ahead and doing it repeatedly

Of course, some of them dodge the issue by labelling everything "BETA".

CYA (1)

Suidae (162977) | more than 8 years ago | (#14193198)

In other news, a large company covers its ass.

This is news, but it's not particularly unusual. When you are vulnerable to an attack, you take steps to remove the vulnerability using resources under your control.

Nothing to see here folks, move along.

What about MS? (1)

VisceralLogic (911294) | more than 8 years ago | (#14193224)

So if Google already fixed it, when will MS?

Re:What about MS? (1)

trollable (928694) | more than 8 years ago | (#14193430)

MS roadmap:
IE7 will not be subject to this bug.
IE7 will be included with Vista.
Vista is planned for 2006 and will be released in 2007.

Still IE problem exploitable by bad web sites (-1, Redundant)

RichMan (8097) | more than 8 years ago | (#14193225)

If code at Google's end could allow access to user system passwords then this could be replicated by other web sites. We are not safe. Only Google has cleaned its act up. Malicious web sites could still exploit the problem.

"the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop."
"Gillon said he created a test Web page that, when viewed in Internet Explorer on a computer running Google Desktop, allowed him to search that computer for passwords. The researcher said the vulnerability in Internet Explorer could allow a hacker to steal private information from a victim's computer."

Who does Google think they are, SONY? (0)

Anonymous Coward | more than 8 years ago | (#14193238)

But seriously, Google responded quickly and fixed the problem once it was pointed out to them.
No comments like 'Most end users don't even know where their passwords are...'

I would hope that most corporate networks and government systems would lock down their PC configurations to prevent the random installation of the Google toolbar (and other things).

But I have seen companies where I.T. security decisions are overruled by the executives, so workers' 'creativity' isn't restricted. (Very frustrating to the I.T. People who have to clean up end-user problems.)

It used to be that I.T. security had to fight just the virus programmers and kids, but now-a-days it's a real battle to protect the company network from other corporations, spammers, and more professional threats.

so we have (1, Funny)

Anonymous Coward | more than 8 years ago | (#14193247)

a 3rd party application which permits to exploit a bug in a software and open a big security hole...?
And this 3rd party company are fixing their product to no longer be vulnerable to this bug.
So what is the big deal?

What's the deal? (1, Insightful)

lightweave (522226) | more than 8 years ago | (#14193251)

Every software has some bugs.
These bugs should be fixed according to their priority.
Google provides some software.
Google should fix its bugs according to their priority.


I'm not sure what this article wants to tell us? That even Google can create bugs? Is this a surprise? Is Google special that this is actually worth mentioning?
Why would a bug created by Google be any better or worse than a bug by any other software vendor? Of course the bugs should be fixed and apparently Google did it. So this article tells us that a security flaw has been fixed for some special case, because apparently it can't fix it permanently unless it took over maintenance for IE.
Why this MacDonald guy needs a special plan for Google is beyond me though. Maybe somebody could enlighten me there.

Google (1, Interesting)

certel (849946) | more than 8 years ago | (#14193263)

Way to go Google. Fix issues that Microsoft would fail to address in a timely manner.

An analogy for the comprehension-deficient... (5, Insightful)

Gruneun (261463) | more than 8 years ago | (#14193267)

Dick drives Jane's car.
Jane's car has a faulty parking brake.
Dick parks, engages the brake, but the car rolls away.
Dick stops parking on hills.

Important Points
Jane did not fix the parking brake
Dick did not fix the parking brake, but he no longer uses it.
Other drivers may or may not be aware of the broken parking brake.
The potential is still there for the car to roll away.

Re:An analogy for the comprehension-deficient... (1, Funny)

Anonymous Coward | more than 8 years ago | (#14193442)

Dick parks, engages the brake, but the car rolls away... crushing Spot.

E_IEIO (1)

foobarbazquux (78027) | more than 8 years ago | (#14193459)

"When Google Desktop encounters a situation in which Internet Explorer's security hole could be exploited, it raises E_IEIO" said MacDonald.

Re:E_IEIO (1, Funny)

scheming daemons (101928) | more than 8 years ago | (#14193528)

"When Google Desktop encounters a situation in which Internet Explorer's security hole could be exploited, it raises E_IEIO" said MacDonald.

Would that be "Old" MacDonald?

Irony (2, Interesting)

jeffvoigt (866600) | more than 8 years ago | (#14193477)

Microsoft is kicking themselves for this one. They are finally given a juicy exploit that they could use to knock Google down a notch or two, but the exploit occurs because of IE's code. Microsoft's entire PR department is going, "Arrgh!" If the fault had lain anywhere else, Google would have had Microsoft-funded bad press everywhere. (And I think Slashdot would have toned down the Google love.)

Don't get me wrong. Google issued a quick (and relatively quiet) fix to cover their butts and should be given due credit. But let's not overstate the issue. Google dodged a potentially PR wrecking bullet. I just hope they're more careful in the future as the next issue may not be so easy to sweep under the carpet. Microsoft is waiting to pounce, and will do so at the first serious non-IE based error they can find in Google's chain of products.

Excuse me, but It's really Google's Fault (0, Interesting)

Anonymous Coward | more than 8 years ago | (#14193506)

It's the fault of the most high-level system, and not the low-level system.

We all know about buffer-overflow exploits in C/C++ programs, do we blame it on the C/C++ language compilers? Do we blame on the C/C++ language designers? Do we blame it on the C/C++ libraries? Do we blame the designers of the computer?

No, of course not. We blame the most high-level application that had the buffer-overflow vulnerability.

So, it's Google's fault, not IE. They should accept the responsibility.

The bug is not fixed! (-1, Redundant)

chunews (924590) | more than 8 years ago | (#14193519)

The IE bug, that is. Google definitely did not fix the IE bug. Rather, they fixed their own bug that was exploitable iff the IE bug was also exploited.

This gives witness to the defense-in-depth approach to security. If Google had previously secured their desktop from this behaviour, they never would have been vulnerable in the first place.

My two main points are:
1- the IE bug still exists; Google does nothing to mitigate the very real and dangerous security defect that still exists out there!
2- there obviously was something wrong with Google's implementation, or it would have been able to defend itself against having its perimeter protection compromised
---- I awoke with a jerk and slowly started to remember what I had done last night.
