Google fortifies Desktop Search against IE flaw
Posted on 5 Dec 2005 at 11:19
Google has altered its Desktop Search so that it can no longer be used in digital attacks in conjunction with a flaw in Microsoft's Internet Explorer.
On Friday, an Israeli hacker reported having discovered a means of using Google Desktop Search to remotely search the computers logged on to a specially built website using Microsoft's Internet Explorer.
Problems in the way the browser handles CSS (Cascading Style Sheets) led to a short cut round the restrictions the browser places on interaction between different domains. Normally such restrictions would prevent one domain from accessing or interacting with another, but the flaw in Internet Explorer means that CSS - the common style pages to which web pages refer for fonts and formatting - can be accessed between domains.
If an attacker creates a website whose CSS style sheets in fact contain other code, the browser still tries to read it, giving the attacker the ability to run Google Desktop searches remotely.
The attack is said to work on fully patched Windows XP systems with the latest version of IE, and Microsoft admitted in a statement that 'This issue could potentially allow an attacker to access content in a separate Web site'.
Hacker Matan Gillon posted proof-of-concept code last week, but now says that it 'no longer works because Google slightly changed their site's code'.
However, Google told reporters that the flaw is a problem with IE, rather than the search giant's software, so the CSS problem remains at large.
Author: Matt Whipp
Printed from www.pcpro.co.uk

