Google Desktop tweaked to avoid IE flaw

Google Inc. has made an "adjustment" to its Google Desktop application to protect users from an unpatched design flaw in Microsoft Corp.'s Internet Explorer browser. The bug, which was discovered and reported by Israeli hacker Matan Gillon, provides malicious attackers with an easy way to use Google Desktop or other Internet-facing applications to covertly hijack user information. "We have made an adjustment to the product to help protect users," said Google spokesperson Sonya Boralv. She declined to provide details on the extent of the Google Desktop modifications. Boralv said users aren't required to take any action to get protected because the changes were made "on our end" to block the remote access attack vector. According to Gillon's public advisory, which included a proof-of-concept exploit, the flaw exists on fully patched IE browsers with default security and privacy settings. Microsoft has confirmed the existence of the vulnerability and promised a fix would be included in a future IE update. To exploit the flaw, an attacker simply needs to lure a target to visit a malicious web page. "Much like classic XSS [cross site scripting] holes, this design flaw in IE allows an attacker to retrieve private user data or execute operations on the user's behalf on remote domains," Gillon said. Gillon described the issue as a design flaw that causes IE to allow a violation of the cross-domain security model. He discovered that IE does not properly parse CSS (cascading style sheet) files and allows the importation of files that are not valid CSS files. This opens the door for attackers to disclose HTML and script code from the remote site that was improperly imported as a CSS file. This site may exist in another domain than the site that exploits the issue. "Thousands of websites can be exploited, and there isn't a simple solution against this attack at least until IE is fixed," Gillon said. As a temporary solution, he recommends that IE users disable JavaScript or use a different browser. UKFast is not responsible for the content of external Internet sites.

print this article

Return to internet news headlines
View Internet News Archive

Share with: