Emails:|Gmail|-|Yahoo Email||Easy Email||Hotmail Email| Searches:|Google||Yahoo||Ask||Alltheweb||Msn||Teoma| |Lycos||Altavista||Feedster||Bloglines||Technorati| Images: Yahoo, Ask Jeeves, AllTheWeb, MSN, PicSearch, Ditto, Getty, Creatas, FreeFoto, WebShots, NASA, Flickr
information from unwitting users of Google's desktop search tool by
exploiting an unpatched flaw in Microsoft's ubiquitous Internet
Explorer.
There is a bug in the way the Web browser processes CSS rules, Matan
Gillon wrote in a description of his hack posted on Wednesday. CSS, or
Cascading Style Sheets, is a method for setting common styles across
multiple Web pages. The Web design technique is widely used on many
sites across the Internet.
The proof-of-concept
method is an example of how security flaws in software can offer all
kinds of access to programs on vulnerable PCs, including to Google Desktop.
"This design flaw in IE allows an attacker to retrieve private user
data or execute operations on the user's behalf on remote domains,"
Gillon wrote in his description
of the attack method. He crafted a Web page that--when viewed in IE on
a computer with Google Desktop installed--uses the search tool and
returns results for the query "password."
To exploit the flaw, an attacker has to lure a victim to a
malicious Web page. "Thousands of Web sites can be exploited, and there
isn't a simple solution against this attack, at least until IE is
fixed," Gillon wrote.
Microsoft is investigating the issue, which it described in
a statement as a problem affecting the cross-domain protections in
Internet Explorer. "This issue could potentially allow an attacker to
access content in a separate Web site, if that Web site is in a
specific configuration," Microsoft said in the statement.
Microsoft is not currently aware of malicious code that takes
advantage of the flaw, but is monitoring the situation, the company
said. A security update or an advisory on the problem may be coming, it
said.
Google is also investigating Gillon's findings. "We just
learned of this issue and are looking into it," Sonya Boralv, a
spokeswoman for the search giant, wrote in an e-mailed statement.
While Gillon in his example uses the IE flaw as a means to
get to Google Desktop, this flaw and other software bugs could be used
to covertly access virtually any application on a compromised computer.
"It is like any other flaw within IE, but he got creative and
used it to launch Google Desktop to retrieve data," security researcher
Tom Ferris said. "You can bet we will see this one being used to steal
users' Quicken data, database files, etc."
Steve Manzuik, a security product manager at eEye Digital Security,
agreed. "This definitely looks like a flaw in IE and not a Google bug.
He is using Google Desktop as to retrieve data, but it is IE that makes
it possible," he said.
While IE is vulnerable, Gillon found that Firefox and Opera
are not. For protection, Internet users could use one of those browsers
or disable JavaScript in IE, Gillon suggested.
It has been a busy week on the Microsoft security front. Four examples of attack code were released for flaws in the Windows operating system, and a Trojan horse is finding its way onto PCs through another yet-unpatched flaw in IE
