Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Vista
Google Desktop flaw allows data theft
Robert Lemos, SecurityFocus 2007-02-21

Security firm Watchfire warned Google Desktop users on Wednesday to update the program to make certain that they are protected from a vulnerability that could allow an attacker to use JavaScript to search for and steal specific data on a user's system.

Comments Mode:
Google Desktop flaw allows data theft 2007-02-23
Anonymous
This is a useful discovery, and I applaud it. However, the recomendations for mitigation are extreamly narrow in places. For example on a corporate network running Cisco equipment (using CBAC and other acl type application controls) it is possible to disabled application layer javascript, recognise patterns and prevent this type of exploit. Checkpoint is also capable of achieving this. (Obivously the consequences on performance are an issue).

Also IE does store Javascript locally when it is executed (look at the cache). Files are not permently removed as they are not securely deleted.

There are software intrusion prevention products that will also detect signatures i.e. why does javascript need to access RFC1918 addresses for example.

I could go on but hey.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/11443/34348#34348




 

Privacy Statement
Copyright 2007, SecurityFocus