[isalist] 0 day in Google desktop

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 1 Jun 2007 20:53:47 -0700


IT <http://it.slashdot.org/>: Zero Day Hole in Google Desktop
<http://it.slashdot.org/it/07/06/01/2050252.shtml>


Posted by Zonk <http://slashdot.org/%7EZonk/>  on Friday June 01, @05:47PM from 
the please-stop-the-internet-from-leaking dept. 

40by40 writes "A Web application security specialist has figured out a way to 
launch man-in-the-middle attacks <http://blogs.zdnet.com/security/?p=253>  
against a computer with a fully patched Google Desktop installed. With 
knowledge of the Google Desktop security model (a combination of one-time 
tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit 
between a target launching a Google search query and manipulate the search 
results to take control of other programs on the desktop. From the article: 
'This should drive home the point that deep integration between the desktop and 
the web is not a good idea, without tremendous thought put into the security 
model. As Google's site is unencrypted, and they place their content that can 
run executables on their site, it can be subverted by an attacker,' Hansen
warns. Hansen's advisory comes just days after Chris Soghoian's exposé of a
similar man-in-the-middle attack scenario against a remote vulnerability in the
upgrade mechanism used by a number of commercial Firefox extensions."


Ain't life grand..?
