Researchers report Google Desktop vulnerability

21.02.2007
Security researchers have identified a potentially serious cross-site scripting flaw in Google's popular desktop search application that may leave users of the tool vulnerable to outside attack.

In a report published on Feb. 21, researchers at application security software maker Watchfire, based in Waltham, Mass., detailed an existing attack designed to exploit the Google Desktop flaw.

According to the company, the cross-site scripting threat -- which the firm also described as a so-called parasitic virus -- could allow attackers to steal information from affected PCs and track end users' Web browsing habits.

Cross-site scripting (XSS) threats typically take advantage of security vulnerabilities in legitimate Web pages to inject malicious content into the browsers of people visiting the URLs or to redirect them to fraudulent sites used in phishing attacks. Like many other XSS threats, the attack currently leveled at Google Desktop uses JavaScript code to deliver its payload.
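To make the general mechanism concrete, here is an added example (not code from the article, from Watchfire, or from Google Desktop) in plain Node-runnable JavaScript. It shows, as pure string functions, why splicing untrusted text into HTML markup lets that text be interpreted as code, and the standard defence of contextual output encoding. The sample query is constructed for the example, and `containsUnexpectedTag` is a hypothetical sanity check for a template's output, not a complete XSS detector.

```javascript
// Added example, not from the article: untrusted input rendered as HTML markup
// versus rendered as encoded text. No browser DOM is needed; each function
// returns the HTML string a page would otherwise assign to element.innerHTML.

// Constructed sample input: a search query echoed back by a results page.
// It carries markup and an attribute-breaking double quote.
const UNTRUSTED_QUERY = 'desktop "search" <b>term</b> & more';

// Vulnerable pattern: the query is concatenated into markup, so any tags or
// attributes it contains are parsed by the browser instead of displayed.
function renderUnsafe(query) {
  return '<p>Results for: ' + query + '</p>';
}

// Defence: HTML entity encoding for text placed in element content. The '&'
// replacement must run first so the entities it produces are not re-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderSafe(query) {
  return '<p>Results for: ' + escapeHtml(query) + '</p>';
}

// Attribute context: quote the attribute and apply the same encoding; encoding
// the quote is what stops the input from closing the attribute early.
function renderAttributeSafe(query) {
  return '<input type="text" value="' + escapeHtml(query) + '">';
}

// Hypothetical check (assumption, not a standard API): does the rendered HTML
// contain any tag the template itself did not write? Useful as a unit test on
// templates, since encoded input can never introduce a new tag.
function containsUnexpectedTag(html, allowedTags) {
  const found = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return found.some((tag) => !allowedTags.includes(tag));
}

function demo() {
  return {
    unsafe: renderUnsafe(UNTRUSTED_QUERY),
    safe: renderSafe(UNTRUSTED_QUERY),
    attribute: renderAttributeSafe(UNTRUSTED_QUERY),
    unsafeLeaksTag: containsUnexpectedTag(renderUnsafe(UNTRUSTED_QUERY), ['p']),
    safeLeaksTag: containsUnexpectedTag(renderSafe(UNTRUSTED_QUERY), ['p']),
  };
}

console.log(demo());
```

The `unsafe` string contains a `<b>` element the template never wrote, which is the whole of the injection problem; the `safe` string shows the same characters as inert text. In a real page the same distinction is `element.textContent = query` (safe) versus `element.innerHTML = query` (unsafe), and the encoding function must match the context the value lands in (element content, attribute, URL, or script), which is why a single "escape everything" helper is not enough on its own.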

Watchfire experts said the Google Desktop XSS problem is very dangerous for a number of reasons. Among the more serious characteristics is the malicious program's ability to affect clusters of computers connected by Google Desktop's information sharing capabilities. That could allow attackers to spread the attack to new machines or simply steal data from multiple PCs linked by the application.

Over the last several years, most enterprises have invested significant amounts of time and money installing security applications to protect against the loss of sensitive data, but the Google Desktop attack would circumvent many of those systems, leaving information on corporate desktops running the program open to potential theft.