Google says it has no evidence that the bug was used in actual attacks but the severity of the risk -- malicious hackers can gain full system control -- underscores the real dangers associated with Web-connected search indexing software.
The bug was reported to Google by Watchfire in January along with a demo that shows how Google Desktop's protection mechanisms can be circumvented by remote intruders.
Watchfire's explained the issue in detail in a research paper (PDF) and warned that a malicious hacker can achieve not only remote, persistent access to sensitive data, but in some cases full system control as well.
The attack scenario exploits web-application security flaws in Google Desktop and the tight integration with the Google.com Web site.
In the paper, Watchfire explains how, under certain conditions, it is possible to covertly inject and execute malicious applications on attacked systems, using Google Desktop's own features.
The company also released a demonstration of the attack flow against Google Desktop.