Big patch for big hole in Google Desktop

21.02.2007

Google Inc. has closed a potentially major cross-site scripting vulnerability in its Google Desktop software that could have allowed remote attackers to take control of a victim's computer and its contents.

Google Desktop allows users to search and index the contents of their PCs in the same way that Google.com does on the Web. The flaw was discovered by Waltham, Mass.-based Web application security vendor Watchfire Inc. and reported to Google on Jan. 4.

The vulnerability is the result of the integration between Google.com and Google Desktop, as well as Google Desktop's failure to properly encode output containing malicious characters, Watchfire said in a white paper released Wednesday.

To take advantage of the flaw, an attacker would first need to find and exploit a Web page containing a cross-site scripting vulnerability within the Google.com domain, said Danny Allan, director of security services at Google. Cross-site scripting flaws are extremely common on the Web these days, and finding one to exploit is a relatively easy task, he said.

The attacker would then need to lure a victim to the page with the cross-site scripting vulnerability by getting him to click on a link pointing to the page, Allan said. Malicious JavaScript embedded in the page is then downloaded to the victim's system. Under certain circumstances, the JavaScript allows an attacker to take complete control of a system, he said.

"The entire attack takes as long as it takes you to click on a link," he said. "But it is persistent, and right now, antivirus and firewall [products] can't pick up on it."