Wednesday, January 16, 2008

Google Desktop Exploitability

(As I published on Shvoong): It was a matter of time before someone
realized that Google Desktop has provided an opening into a PC through
which a hacker can get an easy entry. Mattan Gillon, an Israeli hacker,
performed an act of public service by exposing the flaw on his blog.

The attack exploits a bug in the way Microsoft Internet Explorer
processes Cascading Style Sheets (CSS). The CSS format is commonly used
to give a Web site's pages a consistent look and navigation properties,
and attackers can target the process by which IE parses CSS while
Google Desktop is running. Gillon explains how browsers normally block
domain crossing: a web page can direct a browser to another domain,
but it may neither retrieve the contents of that page nor run any of
its objects. This restriction prevents a site owner from using
JavaScript to spy on a user. Without it, if a user is already logged on
to a web service such as Yahoo, Hotmail or Gmail, a malicious web page
could run a malicious operation in the user's account, such as opening
an email and forwarding it to a third party. In IE, these security
features are easily broken when the browser encounters a CSS import.

Mattan Gillon called this attack CSSXSS, or Cascading Style Sheets Cross-Site
Scripting. By exploiting the IE browser's weakness of being fooled by curly
brackets strategically placed in a decoy site's code, and by getting hold
of Google Desktop's key found in the application code, a hacker can
easily gain entry into a target PC that is already running the Google
Desktop service. For this IE weakness to be exploited, web surfers must
first be tricked into visiting a malicious Web site. They can protect
themselves, however, by turning off Active Scripting in IE's Internet
Options menu, Gillon says.