IE flaw lets intruders into Google Desktop

by admin December 3, 2005 at 12:34 pm

A security researcher in Israel has found a way to steal information from unwitting users of Google’s desktop search tool by exploiting an unpatched flaw in Microsoft’s ubiquitous Internet Explorer.

There is a bug in the way the Web browser processes CSS rules, Matan Gillon wrote in a description of his hack posted on Wednesday. CSS, or Cascading Style Sheets, is a method for setting common styles across multiple Web pages. The Web design technique is widely used on many sites across the Internet.

The proof-of-concept method is an example of how security flaws in software can offer all kinds of access to programs on vulnerable PCs, including to Google Desktop.

“This design flaw in IE allows an attacker to retrieve private user data or execute operations on the user’s behalf on remote domains,” Gillon wrote in his description of the attack method. He crafted a Web page that–when viewed in IE on a computer with Google Desktop installed–uses the search tool and returns results for the query “password.”

To exploit the flaw, an attacker has to lure a victim to a malicious Web page. “Thousands of Web sites can be exploited, and there isn’t a simple solution against this attack, at least until IE is fixed,” Gillon wrote.

Full story: CNET