Google Desktop Search inherently insecure

Gaping holes fixed, but will users remain under constant threat?
Written by Munir Kotadia, Contributor

Google stitched up some gaping holes in its desktop search software recently but the nature of the tool's design means that the contents of users' hard drives will remain under constant threat of exposure.

According to vulnerability detection specialist firm Watchfire, a cross site scripting error makes it possible for an attacker to gain full access to a users' PC because the search giant insists on providing a link from its Web site directly to computers loaded with Google Desktop Search.

Although this particular cross site vulnerability has been fixed, the inherent design issue remains. Basically, if Google wanted to permanently close this hole then it would have to either find a completely new way to allow networked drives and remote PCs to be searched -- or it would have to drop the functionality altogether.

This is a very basic dilemma -- how much security do you sacrifice in order to improve flexibility and add functionality?

In this case though, the problem is compounded because attacks can piggyback on the functionality provided by Google and bypass detection by traditional security applications -- such as a firewall or antivirus application.

According to Watchfire, this means an "almost perfect attack" is possible because systems can be completely taken over by an attacker without leaving a trace.

Just over two years ago I wrote about the fact that desktop search tools could create a haven for virus writers. Last February, there were reports that flaws in Google's desktop search had been repaired.

With these latest revelations, administrators that allowed the installation of Google Desktop Search should be seriously reconsidering their decision -- and hoping that Microsoft has not left any gaping holes in the much touted Vista search tool.

Editorial standards