Security researchers at Watchfire discovered a serious flaw in Google's desktop software over a month ago, but it has only been made public today. Google was first notified of the problem on January 4 and produced its fix on February 1. While Google is automatically delivering a patch, Google Desktop users may want to make sure they are running version 5.0.701.30540 or later. In addition to its bug fix, Google has added "another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," said Google spokesman Barry Schnitt. "We have received no reports that this vulnerability was exploited."
According to Watchfire, the flaw lies in a search parameter used by Google Desktop's Advanced Search feature, which could be used to execute malicious JavaScript code. For this attack to work, the criminal would first have to go through a number of steps, including hacking Google.com to find a cross-site scripting vulnerability on the Web site (something that has been done several times in the past year). If successful, a criminal could search for anything on the computer or even take it over by tricking Google Desktop into running malicious software stored on another computer, Watchfire claims.
News source: InfoWorld