TechShout



Google Makes An “Adjustment” To Google Desktop Application

Wednesday, December 7th, 2005 | Related entries: Internet

Google has announced that it has made an “adjustment” to its Google Desktop application to halt attacks that exploit an unpatched vulnerability in Microsoft’s Internet Explorer (IE) Web browser.

The IE flaw was reported late last week by Israeli security researcher Matan Gillon, who found a way of stealing information from unwitting Google Desktop users by exploiting the IE flaw.

Gillon designed a Web page which, when viewed in IE on a computer with Google Desktop installed, used the search tool and returned results for the query “password”.

The researcher described the IE flaw as a design error that causes IE to allow a violation of the cross-domain security model. He said that IE does not properly parse CSS (cascading style sheet) files and allows the importation of files that are not valid CSS files. This allows an attacker to retrieve private user data or execute operations on behalf of the user on remote domains.
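
As an added illustration (not from the article or from Gillon's report), the following JavaScript models the acceptance decision for an imported stylesheet: a lenient policy that passes any file to the CSS parser, as described above, beside a strict policy that requires a cross-origin file to be served as `text/css`. The function names, hosts and sample responses are constructed for the example, and the strict rule is one possible check, not Microsoft's fix.

```javascript
// Simplified model (an assumption for illustration, not IE's code) of the
// decision a browser makes before treating a fetched file as a stylesheet.

// Extract the bare media type from a Content-Type header value.
function mediaType(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// Lenient policy, matching the behaviour the article describes:
// whatever the import points at is handed to the CSS parser.
function lenientAcceptsImport(pageUrl, response) {
  return true;
}

// Strict policy: a cross-origin file is parsed as CSS only if the server
// labelled it text/css; same-origin imports stay within the page's own site.
function strictAcceptsImport(pageUrl, response) {
  const sameOrigin = new URL(pageUrl).origin === new URL(response.url).origin;
  return sameOrigin || mediaType(response.contentType) === "text/css";
}

// Constructed sample responses (hypothetical hosts).
const SAMPLES = [
  { url: "https://cdn.example/site.css", contentType: "text/css; charset=utf-8" },
  { url: "https://other.example/account.html", contentType: "text/html" },
  { url: "https://other.example/data", contentType: "" },
  { url: "https://page.example/local.css", contentType: "text/plain" },
];

// Return, per sample, what each policy decides for a page on page.example.
function comparePolicies(pageUrl = "https://page.example/index.html") {
  return SAMPLES.map((r) => ({
    url: r.url,
    lenient: lenientAcceptsImport(pageUrl, r),
    strict: strictAcceptsImport(pageUrl, r),
  }));
}

console.table(comparePolicies());
```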

Gillon states that the bug could be exploited simply by luring a potential target to visit a malicious webpage. He advised users to disable JavaScript or use a different browser until Microsoft releases a patch for the IE flaw.

Meanwhile, help has come from unexpected quarters.

On December 6th, Google spokesperson Sonya Boralv reportedly said that the company has made an adjustment to the product to help protect users.

Boralv said that users are not required to take any action to get protected, because the changes have been made at Google’s end to block the remote access attack vector. She did not divulge any details on the extent of the modification to Google Desktop.

Following the Google announcement, a test of the proof-of-concept page created by Gillon confirmed that the attack no longer works.

Microsoft has said it might go ahead and issue a security update or an advisory on the problem.
