RE: Google Desktop Exposed

["Debasis Mohanty" <debasis () hackingspirits com>]

> > Google Desktop Exposed: 

Just for a second I thought that the remote GDS bug which I reported to the
Vendor last month is somehow leaked.. However, after going through the url
it seems to be something different. It is yet to be made public as the
vendor is investigating the same. 

- D

Ps: IE is well-known for its cross-zone weaknesses. This is not a GDS bug.

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Richard M. Smith
Sent: Saturday, December 03, 2005 5:24 AM
To: funsec () linuxbox org
Subject: [funsec] Google Desktop Exposed


http://www.hacker.co.il/security/ie/css_import.html


Google Desktop Exposed: Exploiting an Internet Explorer Vulnerability to
Phish User Information

Overview

It was bound to happen. I was recently intrigued by the possibility of
utilizing Google Desktop   for remote data retrieval of personal user data
(such as credit cards and passwords) through the use of a malicious web
page. Now, thanks to a severe design flaw in Internet Explorer, I managed to
show it's possible to covertly run searches on visitors to a web site by
exploiting this vulnerability. In this article I will detail what the
vulnerability in IE is and how it is used to exploit Google Desktop. If you
have IE 6 and Google Desktop v2 installed you can test it for yourself
<http://www.hacker.co.il/security/ie/gdsexploit.html>  in my proof of
concept page. 

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.