Google Cleans Up A Mess Microsoft Made
Google has had its share of problems lately -- the messy backlash over its plan to scan whole libraries of books is still spreading, for example. But it's cleaned up one mess it didn't even make.
Last week an Israeli hacker, Matan Gillon, posted his discovery of a bug in Internet Explorer (I know it's not exactly big news that there are bugs in IE, but bear with me, this one gets interesting). He used a malicious cascading style sheet to exploit the IE bug and get Google Desktop Search to reveal the user information stored on the target PC.
Google patched the problem on Monday, so if you run Google Desktop you're protected -- the program updates itself automatically. Gillon's explanation of the hack on his Web site makes interesting reading. Who would have thought something as apparently harmless as a CSS file could open the door to your bank account? Not Microsoft, apparently.
What Gillon discovered is that CSS files can be made to behave just like cross-site scripting (XSS) attacks. These attacks use malevolent code included in URLs to fool a Web browser into doing foolish things.
In Gillon's case, the foolish thing was revealing a secret key Google Desktop uses to identify itself to the Google search engine so that local files can be found in queries.
Google is being pretty close-mouthed about what it did to fix the XSS hole in Desktop, which isn't surprising. Microsoft has promised it will patch up IE to prevent such attacks. But it didn't say when.