A hole in Microsoft's Internet Explorer (IE) might give phishers a chance to exploit computers running Google Desktop, a hacker from Israel has reported. The flaw allows malicious Web sites to scan users' hard drives and access sensitive information stored on them.
“Google Desktop users who use IE are currently completely exposed. An experienced attacker can covertly harvest their hard drives for sensitive information such as passwords and credit card numbers. Since Google also indexes e-mails which can be read in the Web interface itself, it's also possible to access them using this attack,” an email from the hacker, Matan Gillon, said. In his blog, he has also described in detail the way the attack would occur.
“This design flaw in IE allows an attacker to retrieve private user data or execute operations on the user's behalf on remote domains,” the description posted in Gillon's blog said. The flaw is related to the manner in which IE processes Web page layout information supplied in the cascading style sheets (CSS) format. While Gillon's description covers IE 6 and Google Desktop 2, he contends that other versions of IE might also be vulnerable to such attacks. Other browsers, such as Firefox and Opera, do not have this flaw.
“This vulnerability has been tested to work on a fully patched Microsoft Internet Explorer 6 browser and earlier versions are possibly vulnerable as well. Mozilla Firefox seems to adequately keep domain restrictions in CSS imports and doesn't seem to be vulnerable to this type of attack. Opera isn't vulnerable because it doesn't support the styleSheets collection. Possible solutions for users to mitigate this attack would be to disable JavaScript in IE or use a different browser,” Gillon wrote on his blog.
He added that switching off JavaScript in the browser could help users thwart such attacks. In the Internet Options menu of the browser, there is an option for active scripting, which should be unchecked. “Thousands of Web sites can be exploited, and there isn't a simple solution against this attack, at least until IE is fixed,” Gillon added.
Meanwhile, Google spokesperson Sonya Boralv said the company was investigating the claims. “We just learned of this issue and are looking into it,” she said. In a statement, Microsoft Corp. also said that it was studying the flaw. “This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration,” the statement said. It added, however, that there had been no reports of 'active attacks or of customer impact' so far.
Tom Liston, an analyst with information security firm Intelguardians, felt that the development might turn people off Google Desktop.
“This discovery has implications that go far beyond the Google trick. Over the next few days I think we're going to see a lot of people coming out and saying the Google Desktop thing was kinda cool, but that there are far more dangerous implications,” he said.
However, Steve Manzuik of eEye Digital Security felt that the problem lay with IE and not Google. “This definitely looks like a flaw in IE and not a Google bug. He is using Google Desktop to retrieve data, but it is IE that makes it possible,” he said.