Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

A Second Google Desktop Vulnerability

kdawson posted more than 7 years ago | from the anti-anti-anti-DNS-pinning dept.

Security 80

zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

cancel ×

80 comments

Sorry! There are no comments related to the filter you selected.

I'd RTFA but... (4, Funny)

Joebert (946227) | more than 7 years ago | (#18141536)

What's all the fuss about ?
I'd RTFA but I'm afraid of what will happen if I do.

I'll bet... (0, Troll)

theuedimaster (996047) | more than 7 years ago | (#18141710)

5 bucks that google won't get the /. microsoft treatment.

Re:I'll bet... (0)

Anonymous Coward | more than 7 years ago | (#18144332)

I'm still waiting for the 'haha' tag

E. E. Cummings to the rescue (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18141786)

why must itself up every of a park
anus stick some quote statue unquote to
prove that a hero equals any jerk
who was afraid to dare to answer "no"?

F*CK*NG lies ! Google does NOT do any harm !! (0)

Anonymous Coward | more than 7 years ago | (#18145948)



I am NOT a Google SHILL !!

Hindsight... (1)

lordsid (629982) | more than 7 years ago | (#18141568)

In hindsight I'm glad I never installed Google Desktop.

Re:Hindsight... (2)

jorgevillalobos (1044924) | more than 7 years ago | (#18142322)

Same here. Even when I used Windows I decided that it was kind of risky to install such an app on my desktop. Sure, it sounded tempting to have such a powerful indexing scheme and be able to find everything on your hard drive with relative ease and a very innovative UI for it, but I came to the conclusion that is was not worth it given that I don't search for files that often, and I don't want to trust Google with absolutely everything (I use gmail and Google calendar though).

It's a non-issue with Spotlight now :).

I can't be the only one... (2, Interesting)

Wilson_6500 (896824) | more than 7 years ago | (#18141628)

Even the experts are afraid to click on each other's links anymore.

Does anyone else think that was tremendously funny in a sixth-grade-humor sort of way? Maybe I just am up too early.

Misleading summary (4, Informative)

Potor (658520) | more than 7 years ago | (#18141678)

TFA is clear that this does not refer to the Google Desktop vulnerability in specific, but rather to the general state of browser security. TFA:

"A lot of these new attack techniques are going to require the browsers to improve," Grossman said. "The users really have very little ability to protect themselves against these attacks" he said. "It's very bad. Even the experts are afraid to click on each other's links anymore."

Re:Misleading summary (1)

CCFreak2K (930973) | more than 7 years ago | (#18150036)

You missed the point of the grandparent which, I'll give you a hint, has something to do with the word "phallic."

Re:I can't be the only one... (1)

1010110010 (1002553) | more than 7 years ago | (#18141700)

Or too late.

Re:I can't be the only one... (0)

Anonymous Coward | more than 7 years ago | (#18141796)

Does anyone else think that was tremendously funny in a sixth-grade-humor sort of way?

Don't ever be embarrased by your sense of humor - at least you have one.

Experts? (3, Insightful)

notlisted (645771) | more than 7 years ago | (#18141640)

"Even the experts are afraid to click on each other's links anymore."

Umm.. Google desktop runs on Windows.. Seriously, how many "security experts" do you know running Windows?

Re:Experts? (3, Insightful)

MichaelSmith (789609) | more than 7 years ago | (#18141668)

Seriously, how many "security experts" do you know running Windows?

Since most of the money (and challenges) for security is on Windows, I supose they could hardly be using anything else.

Re:Experts? (3, Insightful)

notlisted (645771) | more than 7 years ago | (#18141724)

Since most of the money (and challenges) for security is on Windows, I supose they could hardly be using anything else.

Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".

Re:Experts? (2, Interesting)

MichaelSmith (789609) | more than 7 years ago | (#18141836)

Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".

Yes, I agree with you. But where I work if you are in any senior position you would be running windows on your desktop. Our "IT manager" has no IT experience at all, beyond knowing who has what contracts. Thats the guy in charge of security.

Re:Experts? (1)

notlisted (645771) | more than 7 years ago | (#18141896)

Our "IT manager" has no IT experience at all, beyond knowing who has what contracts. Thats the guy in charge of security.
..and as such, would definitely not be considered a "security expert". Anyone that doesn't understand the concept of privilege separation probably should be afraid to click on urls.

Re:Experts? (0)

Anonymous Coward | more than 7 years ago | (#18142098)

Our "IT manager" has no IT experience at all, beyond knowing who has what contracts. Thats the guy in charge of security.
That's about as sensible as hiring blind paraplegics to deliver pizza. Your company deserves to have IT disaster after IT disaster; maybe eventually they'll wake up to the reality that computers aren't easy.

Re:Experts? (1)

ortholattice (175065) | more than 7 years ago | (#18142286)

> Our "IT manager" has no IT experience at all, beyond knowing who has what contracts. Thats the guy in charge of security.

That's about as sensible as hiring blind paraplegics to deliver pizza. Your company deserves to have IT disaster after IT disaster; maybe eventually they'll wake up to the reality that computers aren't easy.

A manager doesn't deliver pizzas (in a big enough operation). A blind paraplegic, if competent, could probably manage it just fine.

I agree that it would be better for an IT manager to have an IT background, but in a large organization, managerial skills can be just as important if not more so in that position. Assuming he has hired a competent staff, including security experts, they will be making the technical recommendations for his consideration and approval. He is not going to be configuring firewalls or pulling CAT5 cable.

Re:Experts? (1)

OnlineAlias (828288) | more than 7 years ago | (#18143160)

But what he will do is listen to every vendor that comes down the pike. Approve hair brained projects that do little or nothing for security. Be vulnerable to others in the organization who think that they know about security. I could go on and on.

The security manager who knows nothing about security is probably the most damaging and costly in all of IT.

Re:Experts? (3, Informative)

value_added (719364) | more than 7 years ago | (#18142468)

[T]hey run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation.

BSD isn't supported as a VMWare host OS.

Re:Experts? (1)

daveschroeder (516195) | more than 7 years ago | (#18143012)

VMWare Workstation officially supports [vmware.com] FreeBSD as a guest. Parallels Workstation for Windows and Linux and Parallels Desktop for Mac OS X officially supports [parallels.com] FreeBSD as a guest.

Of course, many other *BSDs will also work fine under VMWare and Parallels products as well, even if officially "unsupported".

Re:Experts? (1)

flosofl (626809) | more than 7 years ago | (#18143940)

guest!=host

Try reading what he wrote, again.

Re:Experts? (1)

daveschroeder (516195) | more than 7 years ago | (#18144102)

I utterly misread what he said. For some reason, I jumped to the conclusion that the post to which he was replying was saying that they ran UNIXes or BSDs as guests inside of VMware on a *Windows* host, but they were really making the opposite assertion, which he answered correctly. I glossed over the "host" thing completely, and when I saw "BSD" and "VMware", immediately assumed it was another person who didn't think any BSD was supported as a *guest* under VMWare.

So yes, my reply was totally not speaking to that point, since I misread what he said and assumed a different context. Thanks for pointing that out.

Re:Experts? (1)

okinawa_hdr (1062664) | more than 7 years ago | (#18141734)

Good point.

Re:Experts? (1)

NOLFXceptMe (1013903) | more than 7 years ago | (#18141790)

ya...

Re:Experts? (1)

TodMinuit (1026042) | more than 7 years ago | (#18141758)

A lot, kid.

Joanna Rutkowska? (0)

Anonymous Coward | more than 7 years ago | (#18141780)

Not sure if you consider he as a security expert but Joanna Rutkowska uses Windows Vista. She was running Windows XP 64 bit before Vista was released IIRC.

http://theinvisiblethings.blogspot.com/2007/02/run ning-vista-every-day.html [blogspot.com]

Re:Joanna Rutkowska? (2)

notlisted (645771) | more than 7 years ago | (#18141878)

Not sure if you consider he as a security expert but Joanna Rutkowska uses Windows Vista. She was running Windows XP 64 bit before Vista was released IIRC.
And if you check out her "about" [invisiblethings.org] page on her personal site you'll see she runs Linux as her OS of choice. The Windows system she uses for testing.

"Soon after she switched to Linux world, got involved with some system and kernel programming, focusing on exploit development for both Linux and Windows x86 systems."

Re:Joanna Rutkowska? (0)

Anonymous Coward | more than 7 years ago | (#18142002)

.....and if you check her entry for feb the 4th you will read that she has installed vista on her Primary laptop. There's no mention anywhere on the site that linux is her favored OS for personal use. I'm sure she uses multiple OS's in the course of work and home. A lot of us do.

Re:Experts? (3, Funny)

MillionthMonkey (240664) | more than 7 years ago | (#18141820)

Seriously, how many "security experts" do you know running Windows?

Not me. *I* find my Windows XP SP2 vulnerabilities using a Commodore 64 and a Commodore 1541 disk drive with a VM in its controller.

Re:Experts? (1)

notlisted (645771) | more than 7 years ago | (#18141980)

Not me. *I* find my Windows XP SP2 vulnerabilities using a Commodore 64 and a Commodore 1541 disk drive with a VM in its controller.
Ah jeez.. Sorry I wasn't clear enough for Captain Sarcasm... Let me revise: Seriously, how many "security experts" do you know that store sensitive personal/business data on a Windows account under the same permissions as the process running the web browser?

No shit they still use Windows for testing.. Sorry I didn't dumb that down enough for you first time. My bad.

Re:Experts? (0)

Anonymous Coward | more than 7 years ago | (#18142944)

Seriously, how many "security experts" do you know running Windows?

That depends on your definition of "security expert".

If that's "someone who tries to makes himself sound interesting by telling everybody how insecure the 'other' OS is that he's refusing to even look at from up close", the number of security experts is high, but the number of them running windows must be close to zero.

It it's "someone who knows about the problems because he studies them" - well, you can't study an OS's security without looking at it, and you can't have a good look at it without running it.

Concluding that "windows is insecure because a lot of windows computers run malware" says a lot about the so-called security expert that says it, but nothing, not one little thing, about windows itself. I don't know if the numbers still support it today, but just a few years ago you could "prove", along the exact same reasoning, and backed by hacked website statistics, that *n*x was the least secure server OS there was.

Re:Experts? (1)

enharmonix (988983) | more than 7 years ago | (#18143222)

Seriously, how many "security experts" do you know running Windows?
That's like asking, "Seriously, how many 'cultural anthropologists' do you know working in Borneo?" or "how many 'astronauts' do you know working in space?" Where do you expect them to be, Boston? You go where the action is.

Afraid to click on links? (1)

Whiney Mac Fanboy (963289) | more than 7 years ago | (#18141650)

A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

That's all those "security experts" out there who use Google Desktop (yeeesh).

Google Desktop pre-loaded on Dells (4, Interesting)

PoconoPCDoctor (912001) | more than 7 years ago | (#18141910)

I noticed a while ago that Google Desktop was preloaded on the Dells we buy. These Dells can wind up in areas that might access patient information. Since this is a major research hospital/medical school, I brought my concerns to the security group (HIPAA laws mandate privacy for patient information). Dell/Google assured us that this was a non-issue.

The end result was that not much happened.

My take? I still uninstall it whenever I see it.

Re:Google Desktop pre-loaded on Dells (5, Insightful)

synx (29979) | more than 7 years ago | (#18141986)

Any hospital that is using whatever Dell or HP or any vendor has pre-installed on a box is being irresponsible.

Those Dells should have been wiped and had a secure configuration reloaded. Yeeeesh

What hospital are you at, so I can avoid it?

Re:Google Desktop pre-loaded on Dells (1)

Anonymous Coward | more than 7 years ago | (#18142360)

I'm just wondering why PCs with patient files on them are connected to the internet?

Re:Google Desktop pre-loaded on Dells (1)

zoftie (195518) | more than 7 years ago | (#18142480)

i would think any large place would have their own pre-cleaned product image, that computers can be zapped with, to remove any possible fluff that might compromised the overall business process.
just a thought.
google is in business of search, and rich client software development. as such i don't see it as issue. People shouldn't use such internet warts. Service based ware always was pain...
Java script is pretty cool, but it has been bane for many people who develop reliable sites for wide market audience. Which means html with standard css bits.
Doubt this can be considered news, a bug for bugtraq?

Re:Google Desktop pre-loaded on Dells (0)

Anonymous Coward | more than 7 years ago | (#18142640)

i would think any large place would have their own pre-cleaned product image

I'll go one better. Dell already have a plan in place to preload your purchase machines with YOUR system image. Maybe this institution should stop buying from the "home and home office" web site and actually contact their business rep?

Re:Google Desktop pre-loaded on Dells (1)

PoconoPCDoctor (912001) | more than 7 years ago | (#18145562)

We do and we don't have an image. The hospital side does, the school side doesn't. Also, users are set up as admin, install Google Desktop and other junk.

This may be changing in the near future, but my point was that Dell didn't fix their image to fit our environment, even though thye sold a lot of systems. Guess Dell likes it when HP gains market share?

Re:Google Desktop pre-loaded on Dells (0)

Anonymous Coward | more than 7 years ago | (#18158836)

You should use the built-in Group Policy or registry options to disable Google's sharing of content "across computers". See Google's Enterprise page for that. They even provide the Administrative Templates (ADM files) for applying those settings. Apply once via GPO and you shouldn't have to worry about the pre-loaded Dells again.

Of course, you should probably not be using the OEM image for other reasons ...

Welcome to ubiquity, Google (3, Interesting)

caywen (942955) | more than 7 years ago | (#18141804)

I wonder how many more exploits would be found if Google Desktop ended up on 90% of desktop computers?

Re:Welcome to ubiquity, Google (0)

Anonymous Coward | more than 7 years ago | (#18142080)

I wonder how many more exploits would be found if Google Desktop ended up on 90% of desktop computers?

I don't.

Re:Welcome to ubiquity, Google (1)

Naurgrim (516378) | more than 7 years ago | (#18142440)

I wonder how many more exploits would be found if Google Desktop ended up on 90% of desktop computers?

What with bundling, I'm seeing Google Desktop preinstalled on almost every new PC I work on. Dell, Lenovo, HP all seem to do so now.

Why Google Desktop is too frustrating to be used (5, Insightful)

Cato (8296) | more than 7 years ago | (#18141868)

Google Desktop says that it automatically updates itself, but that doesn't work, and there's no 'force an update' feature as with Firefox.

More infuriatingly, Google Desktop also doesn't understand that emails that it indexes in my Outlook Inbox won't stay there forever due to restrictions on server mailbox size, and doesn't re-index them when they move to an offline .PST file. So I frequently find an email, then try to open it in Outlook, then find I can't and have to find it manually by date/time. Same issue with files that are renamed or moved. Many people have complained about this, but the Google Desktop team ignored this, and instead spent their time producing the incredibly useless widgets, rather than *making the search features really work well*.

Google Desktop still doesn't support the use of '-' to join two words, i.e. "foo bar" can be written as foo-bar. And the Google Desktop results within Outlook are still not a proper Outlook result list (as with Outlook Find), so you can't just drag items into a new email as attachments - no, you have to open up the email (if it can find it...), use Outlook to copy it to a temp folder, then drag from that folder into the new email.

Google Desktop is simply too annoying to use any more, even though I've used it from version 1, and is actually a very un-Google-like product. Unlike the core Google.com search, which has been quietly optimised over the years to add stemming, proximity, spelling correction, etc, Google Desktop is actually a rather mediocre and barely usable desktop search tool whose primary benefit is that it integrates well with Google Toolbar.

Re:Why Google Desktop is too frustrating to be use (0)

Anonymous Coward | more than 7 years ago | (#18141938)

You could use windows desktop search:
http://www.microsoft.com/windows/desktopsearch/def ault.mspx [microsoft.com]
I've been using it recently and works quite well.

Re:Why Google Desktop is too frustrating to be use (0)

Anonymous Coward | more than 7 years ago | (#18142288)

WDS doesn't index Thunderbird/mozilla/firefox. Complete waste of time.

Re:Why Google Desktop is too frustrating to be use (1)

Mascot (120795) | more than 7 years ago | (#18142796)

Google Desktop says that it automatically updates itself, but that doesn't work, and there's no 'force an update' feature as with Firefox.

They seem to be having some issues with auto updating in general. Google Talk on my home computer lags behind the one on my work computer, and no amount of manually clicking "Check for updates now" will update it.

I asked Google about it, and they told me to uninstall, download new version, install. Which I did. But that was a few versions ago and I'm now lagging behind again. Not impressed.

Re:Why Google Desktop is too frustrating to be use (1)

SuperQ (431) | more than 7 years ago | (#18143730)

It's called a controlled roll-out. It saves bandwidth and if a bug is found that breaks users, you can roll back or fix it without causing everyone to be broken all at once. It's a much better way of doing things than having "Patch Tuesday"

Re:Why Google Desktop is too frustrating to be use (1)

Mascot (120795) | more than 7 years ago | (#18156126)

You work at Google and can vouch for that? Because the reply I got was quite clear that doing a "check for updates" should've done the trick.

Not to mention that I'm talking about weeks and weeks of lag here, not a few days. For example I was still at 1.0.0.100 when I wrote the original post, while 104 was released at the turn of the year.

Re:Why Google Desktop is too frustrating to be use (2, Insightful)

costas (38724) | more than 7 years ago | (#18143446)

To add to your list: GDS doesn't index Outlook/email attachments even if they are in a format that it does know how to index. Like you mention, it doesn't deal well with documents moving from one location to another (not just within Outlook, anywhere in the filesystem). And the bug you mention about email is much worse than just not able to locate a moved email: it means that spam that gets moved by a client-filter to a folder you've told GDS not to index, will still be in the GDS index because it usually indexes it before the spam filter gets to move it. So, your index eventually gets clogged up with spam too.

It gets worse: GDS actually "forgets" about documents it has previously indexed (so results get *worse* over time, not better). And its index keeps growing (yes, even though its results are getting worse). And as the parent mentions, it doesn't have a "re-index now" option, so you are forced to uninstall and re-install.

The only good thing about GDS is its integration with google.com (who's embracing and extending now?). I am no MS apologist and I put up with GDS for over 1.5 years, but I switched to Windows Desktop Search and never looked back: WDS is head-and-shoulders above GDS (BTW, it can be downloaded into XP and is pretty much the same as the WDS in Vista): better results, better UI, way better integration with Windows, smaller index, ability to re-set the index whenever and faster to index the drive than GDS to begin with. WDS started life as Lookout, a third-party freeware app that was bought by MS, and it was better than GDS back then (oh what 4 years ago?).

If only developers would embrace WDS to fix some obvious shortcomings (no Firefox/Thunderbird indexing, no hotkeys like GDS). I doubt Microsoft has anything to fear from Google competing for the desktop if GDS is any indication...

Re:Why Google Desktop is too frustrating to be use (1)

timcrews (763629) | more than 7 years ago | (#18143844)

GDS does have a "re-index" now option. Options...Indexing...Re-Index.

Re:Why Google Desktop is too frustrating to be use (1)

jagdish (981925) | more than 7 years ago | (#18145728)

A good alternative to google desktop is AvaFind. It is shareware, but the features are just as good. And the best thing is that it indexes the whole disk in about half a minute.
Download link http://www.think-less-do-more.com/avafind/download / [think-less-do-more.com]

The root cause and how I avoid it (4, Insightful)

Wills (242929) | more than 7 years ago | (#18141944)

This kind of security bug never affects me for a simple reason -- I permanently turn off Javascript. But the main issue for me is actually not a concern about security; afterall serious holes tend to be fixed quickly. The issue is that I use the web primarily to to find information, to study, to learn and when I do those things, what I am mostly doing is reading text . I don't need fancy "interactivity" features which would be a distraction from reading text. I don't need the additional "beauty" that CSS enables. All I need is a good font and then I read. In other words, I am completely and totally satisfied with how web was in 1995 based on web standards of that time -- so-called Web 1.0. For me, this is very productive. I don't use Google Desktop.

I realise there are many other people who see Web 1.0 as too limited for all the usual reasons, e.g. because they want interactivity features, or Flash movies, or proper CSS support for different display devices, etc, all of which are good reasons for them and do require the use of Javascript / AJAX. I don't need any of that, however, so I disable Javascript. I have yet to find a website with textual information that could not have been written or read by me based on good old HTML. Another reason I prefer websites that avoid relying heavily upon Javascript, even to make simple links between webpages, is that they can be properly indexed by search engines.

Re:The root cause and how I avoid it (1)

marcello_dl (667940) | more than 7 years ago | (#18142018)

I agree in keeping as much as possible info as textual. Youtube videos animations flash... all things that in the end make it more difficult to classify and search for acquired info. It seems strange you equate css with js though. I don't recall many holes in the css rendering, nor them having a different quality than html rendering holes.

I'd not consider the speed of patching security holes because that starts from the official discovering of a vulnerability, which can happen well after black hat hackers have begun exploiting it.

Back to topic, i'm afraid i can't trust even the not evil google with searching sensitive data on the desktop. Especially on non free stacks like windows, where even a good behaving app still has to deal with the OS black box. The security threat is the app, not only its weaknesses.

Re:The root cause and how I avoid it (1)

Wills (242929) | more than 7 years ago | (#18142096)

I wasn't equating CSS with Javascript. I was saying I don't need Javascript or CSS. I therefore disable both. This has the side-effect of reducing the attackable surface of my browser, although in practice it may not be much of an issue because security holes tend to be fixed quickly, and anyway, as I said, that's not the main issue for me. The issue is that I need and am completely satisfied with only text, a good font and simple, good old fashioned HTML for linking between webpages and for (sparingly) embedding images etc.

Re:The root cause and how I avoid it (0)

Anonymous Coward | more than 7 years ago | (#18142188)

Some wise companies such as Apple ship search with OS and they are clever not to net-enable their search tool. There is Google search spotlight plugin but it is a "hack" (in good meaning) and has nothing to do with Spotlight engine running deep down kernel.

You will see OS X 10.5 Leopard comes with net enabled spotlight but it will be surely local network only with zero Internet connection.

Hey 1996 called... (0)

Anonymous Coward | more than 7 years ago | (#18145124)

and they want their internet back.

Re:The root cause and how I avoid it (1)

Raenex (947668) | more than 7 years ago | (#18182040)

I agree, up to a point. I do most of my browsing with Javascript disabled, cookies disabled, use my own font & colors, and turn off images that don't come from the original site. All this along with AdBlock leads to a suprisingly good web experience. However, when it comes to online shopping, banking, and stuff like Google Maps, I can't do without Javascript, so I use a separate browser with all the bells & whistles enabled just for that.

Quick fix (5, Insightful)

infonote (1065258) | more than 7 years ago | (#18141968)

Vulnerabilities exist and will continue to exist. As long as it is fixed within a short period of time it is ok. Saying that, If I was a manager in a commercial organization, I would never allow Google Desktop on my employees computers as online security is still in its infancy.

People keep complaining bout my sig (3, Interesting)

TheLink (130905) | more than 7 years ago | (#18142058)

People keep complaining about my sig. But they should just learn.

Browsers suck. javascript is unsafe and most sites/webapps don't sign url/form parameters. So learn to think before you click.

And if you are thinking of clicking on some strange stuff, open a pristine VM, and use a clean browser there (you can even "sort of" put the VM on a different network from your computer - get two NICs).

Asshole (0)

Anonymous Coward | more than 7 years ago | (#18143980)

In younger years, my friends and I dug a hole on a path by our fort. We covered it up, and then started yelling "Snake snake", so that by brother, a snake collector, would come a running and probably not notice the hole. He didn't. We laughed.

Grow Up.

Re:People keep complaining bout my sig (1)

AlHunt (982887) | more than 7 years ago | (#18145902)

>People keep complaining about my sig. But they should just learn.

Maybe. Doesn't mean you're not a dick, though.

Re:People keep complaining bout my sig (1)

TheLink (130905) | more than 7 years ago | (#18152078)

Yeah, but I'm a harmless dick. So hopefully people learn from that, and don't click on something that causes big problems.

There really is plenty that can be done nowadays, and the url shortening sites make it possible to do even more "interesting" stuff.

For example: some discussion boards only check the url endings to see if it ends with jpg or gif before allowing you to specify it as your avatar.

Most url shortening sites allow you to add /blah.jpg to the shortened url without grumbling, and they will just append /blah.jpg to the final expanded URL.

So if you pick an expanded URL of http://targetsite.com/do=somethingnaughty&foo=

And the shortened URL is say: http://shorturl.org/s/szxvnf

Then you can specify an image to be http://shorturl.org/s/szxvnf/blah.jpg
and it will expand to http://targetsite.com/do=somethingnaughty&foo=/bla h.jpg

And something naughty happens without the victim even needing to click on anything.

If the site signs urls with the user's session cookie, and all urls and forms must have a checksum derived from this, then it makes it harder for the attacker.

However, if the attacker manages to inject javascript somewhere, that javascript could figure out the session cookies and other stuff. And that is why javascript is a risk.

To reduce such risks, I proposed years ago to the W3C and browser makers to have an HTML tag that disables active content, but nobody really seemed interested.

Example:
<shieldson lock="randomstring" allowed="java,vrml,svg" />
disallowed material disabled
<shieldsoff lock="randomstring"/>

The attacker has to guess "randomstring" in order to inject active content that's not specifically allowed between <shieldson> and <shieldsoff>. Otherwise the browser will just ignore it (and/or log an error).

Without such tags, HTML is like driving a car with 100 accelerator pedals, but not a single brake pedal. To stop you need to make sure that ALL 100 accelerator pedals are not pressed.

Various people have said: "Just escape stuff correctly". But I think the evidence is that even though in theory people can make sure all 100 "Go" pedals are "escaped", in practice that doesn't happen well enough.

Furthermore, if someone comes up with a new "Go" tag #101, your old escaping libraries might not escape it correctly. Whereas my proposed "brake" tag will have a "default deny" behaviour, the browser should only allow specified active content. So any new type of active content that slips through escaping will still be ignored.

In my opinion the browser makers and browser language makers are not really interested about security.

Who uses this crap anyway? (2, Interesting)

Anonymous Coward | more than 7 years ago | (#18142154)

I tried google desktop... consumed 10gb of disk space, had a process that ran 100% cpu eating nearly 700MB of ram, and kept indexing usb devices so you couldn't eject them. All this and it couldn't tell when you moved a file from one directory to another... or deleted it entirely! Hell the Windows XP "Search" can at least find a file if you know the name of it.

Re:Who uses this crap anyway? (1)

Nasarius (593729) | more than 7 years ago | (#18144154)

Yeah, that was my impression too. The index file gets ridiculously large, and apparently it has no mechanism for detecting when a file has been deleted. Garbage. Vista's built-in search is probably superior for most users, even though it doesn't index the contents of files. KDE 4 will have some nifty search technology (Tenor), but time will tell if it's done right.

Thought so. (0)

Anonymous Coward | more than 7 years ago | (#18142162)

I caught wind of the first explot found, but I didn't bother checking out what it was all about. And now, yet another exploit in a matter of days. I KNEW this would happen. I knew that having a desktop search engine connected to the web was a bad idea and I never tried it.

Overconfidence? (1)

gweihir (88907) | more than 7 years ago | (#18142342)

It seems to me Google urgently needs to hire some people that really understand software security and give them real influence on design decision. Making it work only does not cut it today, not if you are a high-profile target....

Re:Overconfidence? (0)

Anonymous Coward | more than 7 years ago | (#18144376)

Sorry, but the security candidates couldn't pass all the cute "guess what I'm thinking" puzzles that Google is famous for including in interviews.

you Fail it (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18142878)

Are you a NIGGER the public eye: about bylaws Us the courtesy MAKES ME SICK JUST *BSD is dead. would take about 2 is dying.Things

Re:you Fail it (0)

Anonymous Coward | more than 7 years ago | (#18143082)

U TROLLING = BAD.

What is with these surreal troll posts? Every topic gets one or two. Is this Al Quaeda's new way of communicating with George W. Bush? Are they command and control messages for a botnet? An early release of a new movie, compressed by a very lossy algorithm?

Or are they just written by crackheads who think that not making sense is always funny?

Netcraft confirms it - GNAA is dying!

Doesn't affect all Google Desktop users (3, Interesting)

fname (199759) | more than 7 years ago | (#18143276)

This doesn't appear to affect all Google Desktop users. The article talks about data being intercepted as it is sent to Google. IOW, this is only applicable for users who are storing a complete index of their hard drive on Google's servers. As if that wasn't an obvious security threat!

Simple solution: make sure you disable the "feature" allowing you to index your hard drive on Google's servers. IMHO, a terrible feature that has caused Google far more harm than good. Many companies have banned Google Desktop because of this capability. It was even more inexcusable when it was enabled by default.

Moral of the story: even if they aim to "do no evil," Google's self-assuredness often leaves the user paying the price for Google's mistakes.

Re:Doesn't affect all Google Desktop users (2, Informative)

blchrist (695764) | more than 7 years ago | (#18145928)

If you read the whole whitepaper [watchfire.com] , the authors say (p15) that an attacker could use the vulnerability to turn on the "search across computers" feature.
The whitepaper is well written and worth the read. It's a pretty scary vulnerability.

Mod parent up (1)

fname (199759) | more than 7 years ago | (#18146230)

Wow. I just read the white paper, and it appears that one way to exploit this security flaw is to enable "Search across computers," but it's not necessary for the attack. This is a giant hole. I use Google Desktop every day, and I have no choice except to disable it. I was a big Google Desktop booster, but there's no way I can use it now.

Any recommendations on a good, safe desktop search application?

Snort signatures here: (2, Interesting)

farker haiku (883529) | more than 7 years ago | (#18143286)

I've said it before [slashdot.org] and I'll say it again. Snort signatures available here [bleedingsnort.com]

Google Hiring Academic Programmers (0)

Anonymous Coward | more than 7 years ago | (#18143412)

Well, Well. Seems the vaunted Google hiring mechanism; you know the one that selects only the creme of the crop is broken. Or, maybe it never worked to begin with. Come to think of it, Google hasn't done ANYTHING technically since the Pagerank Algo stuff. If you downloaded Google desktop you are an idiot! You actually believed that "First do no evil" B.S. marketing schtick didn't you? Didn't you know the first rule of corporations, all corporations is "First, make money".

Idiocy (0)

Anonymous Coward | more than 7 years ago | (#18150446)

By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop.

WTF is "a Google Desktop"? That's like saying "a Mozilla" or "a Microsoft Word". Retards.

Re:Idiocy (0)

Anonymous Coward | more than 7 years ago | (#18151514)

It's a product name you twhat!!
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?