Friday, 23 February 2007

Google Desktop: get vital security update!

For some time I've used the free Google Desktop search tool to index and track down documents, emails, and particularly Webpages from my browser history (both Firefox and Internet Explorer), and I find it invaluable. (You can download Google Desktop by itself, or as part of Google Pack - if you have the Pack, you'll have Desktop). But if you have it, you should make sure it's updated immediately.

There's a serious security flaw in Desktop which could enable malicious attackers to access your files and other information on your computer, and ultimately even take control of your computer. The vulnerability:
  • "enables a malicious individual to achieve not only remote, persistent access to sensitive data, but full system control as well. This outcome is the result both of the integration between the Google.com Web site and Google Desktop, and Google Desktop's failure to properly encode output containing malicious or unexpected characters..."
  • "...allows an attacker to install persistent JavaScript malware. Every time the victim searches using Google Desktop, the malicious script is silently executed in the background—without attracting attention..."
  • "An attacker controlling the victim's Google Desktop can search for almost anything on the computer. It is possible to search for and immediately find sensitive information including Office documents, media files, email (in many cases, even deleted ones), Web history cache, chat sessions, and an extensive chronologic record of the user's activity on his/her personal or corporate computer." The attacker can even enable searching of password-protected files and secure webpages (https), so they can get at your online banking details etc., while hiding the preference changes from the victim.
  • "executable files (.exe) can be executed as well. If a malicious executable file is dropped into the victim's local hard-drive, it is possible to execute it, effectively gaining full system control."
All this is possible if you've clicked a single innocent-looking link, whether in an email, on a webpage or in a newsfeed. It doesn't matter if you have a firewall, and existing anti-virus and anti-spyware software etc. won't catch it. Scary indeed.

The problem was discovered by Watchfire who produced a white paper Overtaking Google Desktop - A Security Analysis (by Yair Amit, Danny Allan, Adi Sharabani) and even a video demonstrating the attack (see their 21 February 2007 press release). For anyone interested, the video is excellent - very clear, and comprehensible (at least in the early stages!) even to relative non-techies like me.

Fortunately, Google have now released an upgrade to Desktop which fixes this vulnerability.

Now I'm one of those security and privacy-conscious people who has tweaked their GDS preferences in the way described in the video, and I've even disabled searching of my Gmail and certainly Search across computers. Plus, from the start I've made sure Google Integration is disabled so that my normal Google searches won't also search my desktop and display Google Desktop search results on the same page as Google Web search results (Preferences, Display tab, last item "Google Integration" not ticked). So I'm less vulnerable than some. Plus, I have Google Pack with Google Updater (and the "Automatically update software" option checked), so Google Desktop should have updated itself automatically, as other Google Pack software has in the past. But it hadn't.

Don't assume your update's automatic!

Despite thinking I had Google Pack on auto-update, as soon as I read about this security issue I checked to make sure my Desktop had been upgraded to the latest version. And guess what? It hadn't (and on searching, I noticed that I'm not the only person who found this). When I went into Google Updater (just via my Start Menu) and clicked the Updates tab, the Google Desktop update was shown in the list, but it hadn't been installed. So I had to click to install it manually, and then restart my computer for the security upgrade to take. And then check that the version of Google Desktop was now the latest one.

How to check your version of Google Desktop

If you use Google Desktop, you should urgently make sure you've patched that security hole. Check if you have the latest version: right-click the icon in your system tray and choose About; a Webpage will come up, and at the very bottom in tiny print it'll say Google Desktop plus some numbers. If it's not at least Google Desktop 5.0.0701.30540, update it at once. Do whatever you have to to make sure it's updated, and if the upgrade won't take (check the version again as mentioned above to see whether the number has changed), then uninstall and reinstall it if necessary.
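As an added example (not from this post, Watchfire or Google), here is a small Python check that pulls the "Google Desktop x.x.x.x" line out of the About page text and compares it numerically against the 5.0.0701.30540 threshold; the About page text is assumed to have been copied by hand, and the sample text is constructed. The point it makes is that version strings must be compared component by component, not as plain strings.

```python
import re

# Minimum patched build named in the post (first release fixing the Watchfire flaw).
MIN_PATCHED_VERSION = "5.0.0701.30540"

# Matches the "Google Desktop 5.0.0701.30540" line at the bottom of the About page.
_VERSION_RE = re.compile(r"Google Desktop\s+(\d+(?:\.\d+)+)")


def parse_version(about_text):
    """Extract the dotted version string from About-page text; None if absent."""
    m = _VERSION_RE.search(about_text)
    return m.group(1) if m else None


def version_tuple(version):
    """Turn '5.0.0701.30540' into (5, 0, 701, 30540) so comparison is numeric.

    Plain string comparison is wrong here: '5.0.0701.9' sorts after
    '5.0.0701.30540' lexically although it would be an older build.
    """
    return tuple(int(part) for part in version.split("."))


def is_patched(about_text, minimum=MIN_PATCHED_VERSION):
    """Return True if the About-page text shows a build at or above `minimum`."""
    version = parse_version(about_text)
    if version is None:
        return False  # no version line found: not verified, so treat as unpatched
    have = version_tuple(version)
    need = version_tuple(minimum)
    # Pad the shorter tuple with zeros so '5.1' compares as 5.1.0.0
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


if __name__ == "__main__":
    # Constructed sample of the About page footer (not a real capture).
    sample = "... (c) 2007 Google\nGoogle Desktop 5.0.0701.30540"
    print("patched" if is_patched(sample) else "UPDATE NOW")
```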

(Via Heise Security)
