Big patch for big hole in Google Desktop

21.02.2007
Google Inc. has closed a potentially major cross-site scripting vulnerability in its Google Desktop software that could have allowed remote attackers to take control of a victim's computer and its contents.

Google Desktop allows users to search and index the contents of their PCs in the same way that Google.com does on the Web. The flaw was discovered by Waltham, Mass.-based Web application security vendor Watchfire Inc. and reported to Google on Jan 4.

The vulnerability is the result of the integration between Google.com and Google Desktop, as well as Google Desktop's failure to properly encode output containing malicious characters, Watchfire said in a white paper released Wednesday.

To take advantage of the flaw, an attacker would first need to find and exploit a Web page containing a cross-site scripting vulnerability within the Google.com domain, said Danny Allan, director of security services at Google. Cross-site scripting flaws are extremely common on the Web these days, and finding one to exploit is a relatively easy task, he said.

The attacker would then need to lure a victim to the page with the cross-site scripting vulnerability by getting him to click on a link pointing to the page, Allan said. Malicious JavaScript embedded in the page is then downloaded to the victim's system. Under certain circumstances, the JavaScript allows an attacker to take complete control of a system, he said.

"The entire attack takes as long as it takes you to click on a link," he said. "But it is persistent, and right now, antivirus and firewall [products] can't pick up on it."

The vulnerability also would have allowed an attacker to compromise the "Search Across Computers" feature in Google Desktop that allows a user to search for information stored on his computer from any other Internet-connected system via his Google account. The feature requires information from a personal desktop to be stored on Google's servers and can be compromised to allow attackers unfettered access to the information, Allan said.

Though the specific vulnerability identified by Watchfire has been fixed, the tight integration between Google Desktop and Google.com continues to pose a security problem, he said. For instance, when searching the Web for information via Google.com, desktop search results are also injected into the response by Google Desktop, the Watchfire white paper noted. The feature, while potentially useful, gives attackers a way to break into systems via the Google.com site, the paper noted.

The threat is mitigated somewhat in current Google Desktop versions because including Google Desktop results in a Web search is optional and can be disabled by the user, the white paper noted.

However, a Desktop link that is associated with the search box on Google.com and that can't be disabled by users can also provide an entry point to a system, the white paper noted. "Since Google Desktop can access highly sensitive information, the possible impact of an external malicious access to Google Desktop's Web interface is far-reaching," the paper said.

In an e-mailed statement, a Google spokesman said that the company had been notified by Watchfire of a "potential vulnerability, which requires an attacker to first find and attack a vulnerability in Google.com. A fix was developed quickly, and users are being automatically updated with the patch. In addition, we have added another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," he said.

Google has so far not received any reports of the flaw being exploited, the spokesman added.