SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#615857

Google Desktop vulnerable to cross-site scripting

Overview

A cross-site scripting vulnerability exists in the Google Desktop Search application. This vulnerability may allow an attacker to take any action on a vulnerable system that the Google Desktop Search can.

I. Description

Google Desktop Search is a desktop search program that is integrated into the Google search engine. Google Desktop Search indexes the user's local hard drive, and allows the results to be searched from a browser.

The Google Desktop Search program contains a cross-site scripting vulnerability in the under parameter. This vulnerability occurs because the Google Desktop Search engine fails to properly sanitize user input.

Note that this vulnerability may not be exploited remotely without the presence of another vulnerability.

II. Impact

A remote unauthenticated attacker may be able to perform any action that the Google Desktop Search engine is capable of performing. This includes executing programs that are already on a vulnerable system, searching and viewing files and exfiltrating sensitive data.

III. Solution

Upgrade

Google has addressed this issue in the most recent version of the Google Desktop Search. Note that Google updates the Google Desktop Search automatically.

Disable JavaScript

Disable JavaScript in your browser's preferences. Instructions for disabling JavaScript can be found in the Securing Your Web Browser document and the Malicious Web Scripts FAQ. Some Mozilla add-ons can simplify the ability to enable or disable JavaScript, or set up site-specific rules for doing so.

Systems Affected

VendorStatusDate NotifiedDate Updated
GoogleVulnerable22-Feb-2007

References


http://desktop.google.com/
http://desktop.google.com/support/bin/answer.py?answer=15935&topic=95
http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf
http://www.cert.org/tech_tips/securing_browser/#how_to_secure
http://www.cert.org/tech_tips/malicious_code_FAQ.html
http://www.cert.org/tech_tips/securing_browser/
https://addons.mozilla.org/
http://news.com.com/IE+flaw+lets+intruders+into+Google+Desktop/2100-7349_3-5980623.html?part=rss&tag=5980623&subj=news

Credit

Thanks to Yair Amit, Danny Allan, and Adi Sharabani for providing information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:2007-02-21
Date First Published:2007-02-22
Date Last Updated:2007-02-27
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:0.52
Document Revision:53

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader