(As I published on Shvoong): It was a matter of time before someone
realized that Google Desktop has provided an opening into a PC through
which a hacker can get an easy entry. Mattan Gillon, an Israeli hacker,
performed an act of public service by exposing the flaw on his blog.
Exploiting a bug in Microsoft Internet Explorer's processing Cascading
Style Sheets (CSS). The CSS format is commonly used to give a Web
site page a consistent look and navigation properties, and attackers can
target the process by which IE
parses CSS while running Google Desktop. Gillon explains how browsers
usually turn off domain crossing. A specific web
page can direct a browser to another domain, though it may not retrieve
the contents of the page nor run any of its objects. This restriction
feature serves to preclude a site owner using JavaScript from spying on
a user. Additionally, if a user is already logged
on to a web service such as Yahoo, Hotmail or Gmail, a malicious web
page could be used to run a malicious operation in the user account.
This operation can be an opening of an email and the subsequent sending
it to a third party. In IE, these security features are easily broken
when the browser encounters a CSS import.
Mattan Gillon called this attack CSSXSS, or Cascading Style Sheets Cross-Site
Scripting. Using the IE browser's weakness of being fooled by curly
brackets strategically placed in a decoy site's code, and getting hold
of Google Desktop's key found in the application code, a hacker can
easily gain an entry into the target PC already running the Google
Desktop service.For this IE weakness to be
exploited, web surfers must first be tricked into visiting a malicious
Web site. They can protect themselves, however, if they turn off Active
Scripting in the IE's Internet Options menu, Gillon says.
realized that Google Desktop has provided an opening into a PC through
which a hacker can get an easy entry. Mattan Gillon, an Israeli hacker,
performed an act of public service by exposing the flaw on his blog.
Exploiting a bug in Microsoft Internet Explorer's processing Cascading
Style Sheets (CSS). The CSS format is commonly used to give a Web
site page a consistent look and navigation properties, and attackers can
target the process by which IE
parses CSS while running Google Desktop. Gillon explains how browsers
usually turn off domain crossing. A specific web
page can direct a browser to another domain, though it may not retrieve
the contents of the page nor run any of its objects. This restriction
feature serves to preclude a site owner using JavaScript from spying on
a user. Additionally, if a user is already logged
on to a web service such as Yahoo, Hotmail or Gmail, a malicious web
page could be used to run a malicious operation in the user account.
This operation can be an opening of an email and the subsequent sending
it to a third party. In IE, these security features are easily broken
when the browser encounters a CSS import.
Mattan Gillon called this attack CSSXSS, or Cascading Style Sheets Cross-Site
Scripting. Using the IE browser's weakness of being fooled by curly
brackets strategically placed in a decoy site's code, and getting hold
of Google Desktop's key found in the application code, a hacker can
easily gain an entry into the target PC already running the Google
Desktop service.For this IE weakness to be
exploited, web surfers must first be tricked into visiting a malicious
Web site. They can protect themselves, however, if they turn off Active
Scripting in the IE's Internet Options menu, Gillon says.