Google Desktop Search inherently insecure

Summary: Gaping holes fixed, but will users remain under constant threat?

TOPICS: Google, Security

Google stitched up some gaping holes in its desktop search software recently but the nature of the tool's design means that the contents of users' hard drives will remain under constant threat of exposure.

According to vulnerability detection specialist firm Watchfire, a cross-site scripting error makes it possible for an attacker to gain full access to a user's PC because the search giant insists on providing a link from its Web site directly to computers loaded with Google Desktop Search.

Although this particular cross-site vulnerability has been fixed, the inherent design issue remains. Basically, if Google wanted to permanently close this hole, it would have to either find a completely new way to allow networked drives and remote PCs to be searched -- or drop the functionality altogether.

This is a very basic dilemma -- how much security do you sacrifice in order to improve flexibility and add functionality?

In this case, though, the problem is compounded because attacks can piggyback on the functionality provided by Google and bypass detection by traditional security applications -- such as a firewall or antivirus application.

According to Watchfire, this means an "almost perfect attack" is possible because systems can be completely taken over by an attacker without leaving a trace.

Just over two years ago I wrote about the fact that desktop search tools could create a haven for virus writers. Last February, there were reports that flaws in Google's desktop search had been repaired.

With these latest revelations, administrators who allowed the installation of Google Desktop Search should be seriously reconsidering their decision -- and hoping that Microsoft has not left any gaping holes in the much-touted Vista search tool.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.
