Google Cleans Up A Mess Microsoft Made

David DeJean, Contributor

December 7, 2005

Google has had its share of problems lately -- the messy backlash over its plan to scan whole libraries of books is still spreading, for example. But it's cleaned up one mess it didn't even make.

Last week an Israeli hacker, Matan Gillon, posted his discovery of a bug in Internet Explorer (I know it's not exactly big news that there are bugs in IE, but bear with me, this one gets interesting). He used a malicious cascading style sheet to exploit the IE bug and get Google Desktop Search to reveal the user information stored on the target PC.

Google patched the problem on Monday, so if you run Google Desktop you're protected -- the program updates itself automatically. Gillon's explanation of the hack on his Web site makes interesting reading. Who would have thought something as apparently harmless as a CSS file could open the door to your bank account? Not Microsoft, apparently.

What Gillon discovered is that CSS files can be made to behave just like cross-site scripting (XSS) attacks. These attacks use malevolent code included in URLs to fool a Web browser into doing foolish things.

In Gillon's case, the foolish thing was revealing a secret key Google Desktop uses to identify itself to the Google search engine so that local files can be found in queries.

Google is being pretty close-mouthed about what it did to fix the XSS hole in Desktop, which isn't surprising. Microsoft has promised it will patch up IE to prevent such attacks. But it didn't say when.
