IE flaw lets intruders into Google Desktop

[David Farber <dave () farber net>]

Begin forwarded message:

From: "Sean C. Sheridan" <scs () CampusClients com>
Date: December 3, 2005 1:03:55 PM EST
To: dave () farber net
Subject: IE flaw lets intruders into Google Desktop
Reply-To: scs () CampusClients com

By  Joris Evers,  CNET News.com
Published on ZDNet News: December 2, 2005, 1:31 PM PT
http://news.zdnet.com/2100-1009_22-5980623.html


A security researcher in Israel has found a way to steal information  
from
unwitting users of Google's desktop search tool by exploiting an  
unpatched
flaw in Microsoft's ubiquitous Internet Explorer.

There is a bug in the way the Web browser processes CSS rules, Matan
Gillon wrote in a description of his hack posted on Wednesday. CSS, or
Cascading Style Sheets, is a method for setting common styles across
multiple Web pages. The Web design technique is widely used on many  
sites
across the Internet.

The proof-of-concept method is an example of how security flaws in
software can offer all kinds of access to programs on vulnerable PCs,
including to Google Desktop.

"This design flaw in IE allows an attacker to retrieve private user data
or execute operations on the user's behalf on remote domains," Gillon
wrote in his description of the attack method. He crafted a Web page
that--when viewed in IE on a computer with Google Desktop installed-- 
uses
the search tool and returns results for the query "password."

To exploit the flaw, an attacker has to lure a victim to a malicious Web
page. "Thousands of Web sites can be exploited, and there isn't a simple
solution against this attack, at least until IE is fixed," Gillon wrote.

Microsoft is investigating the issue, which it described in a  
statement as
a problem affecting the cross-domain protections in Internet Explorer.
"This issue could potentially allow an attacker to access content in a
separate Web site, if that Web site is in a specific configuration,"
Microsoft said in the statement.

Microsoft is not currently aware of malicious code that takes  
advantage of
the flaw, but is monitoring the situation, the company said. A security
update or an advisory on the problem may be coming, it said.

Google is also investigating Gillon's findings. "We just learned of this
issue and are looking into it," Sonya Boralv, a spokeswoman for the  
search
giant, wrote in an e-mailed statement.

While Gillon in his example uses the IE flaw as a means to get to Google
Desktop, this flaw and other software bugs could be used to covertly
access virtually any application on a compromised computer.

"It is like any other flaw within IE, but he got creative and used it to
launch Google Desktop to retrieve data," security researcher Tom Ferris
said. "You can bet we will see this one being used to steal users'  
Quicken
data, database files, etc."

Steve Manzuik, a security product manager at eEye Digital Security,
agreed. "This definitely looks like a flaw in IE and not a Google  
bug. He
is using Google Desktop as to retrieve data, but it is IE that makes it
possible," he said.

While IE is vulnerable, Gillon found that Firefox and Opera are not. For
protection, Internet users could use one of those browsers or disable
JavaScript in IE, Gillon suggested.

It has been a busy week on the Microsoft security front. Four  
examples of
attack code were released for flaws in the Windows operating system,  
and a
Trojan horse is finding its way onto PCs through another yet-unpatched
flaw in IE.

--

Sean C. Sheridan

Campus Party, Inc.
201 Spring Garden St.
Philadelphia, PA 19123
(215) 320-1810
(215) 320-1814 fax
http://www.CampusClients.com
http://www.CampusParty.com




-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/