Researchers report Google Desktop vulnerability

21.02.2007

"This attack is almost undetectable, it won't get picked up by any anti-virus system or firewall, and it can be used in a lot of different ways to harm end users," said Danny Allen, director of security research at Watchfire.

"It allows someone using the attack to control all the applications on a computer or access the network to which an affected machine is attached, and it is almost impossible to get rid of."

As part of a demonstration of the exploit, Allen showed how the program could be used to change the version number in the Google Desktop application itself. Doing so could allow attackers to fool users of the desktop search program into believing they have a version of the software that has been fixed for security reasons, when in fact they are still potentially vulnerable.

"Some IT security people have dismissed the impact of [cross-site scripting] attacks to a certain extent, but we wanted to highlight the potential damage that something like this could deliver," Allen said.

Media representatives at Google said that after Watchfire informed the company of the attack, engineers at the search giant created a patch for the issue that was automatically distributed to Google Desktop users. Google said it has also added a new set of security features to the latest iteration of the product to prevent similar attacks in the future. On Feb. 9, Google launched its newest version of the desktop search program, labeled Desktop 3 Beta.