An article in today's New York Times reports that researchers at Rice University have found a flaw in Google's new desktop search program. This does seem like a legitimate concern, but here's the part that troubles me:
An attack would require a user to visit the attacker’s Web site first, and any type of Web browser could make a user vulnerable. Google said there was no evidence that any such attacks had occurred.
The Rice group was able to create a Java program that makes network connections back to the computer from which it was downloaded and then makes it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site.
OK, so to take advantage of this exploit, you, dear Google user, have to visit a Web site run by some nasties and let a Java program from that site run on your computer. Note that the article does not actually say the program has to be installed: a Java program served by a Web page can be an applet that the browser runs as soon as the page loads (unless you have disabled Java), and the description above, a program that connects back to the site it was downloaded from, fits that case just as well as a standalone download. If it is a standalone program, the nasties would presumably disguise it as a game or screen saver or something equally shiny and appealing.
Which is the entire point. I'll say it again: if a bad guy can convince you to install a program on your computer, it's game over. Don't install software from untrusted sources on your computer, and assume that every source is untrusted until you are certain of the opposite.
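One concrete check that goes with "be certain the source is trustworthy" is to verify that what you downloaded is the file the publisher actually shipped, by comparing its SHA-256 digest against the publisher's signed or out-of-band published checksum list. The script below is an added example written for this post, not code from the article or from Google; it assumes the publisher ships a `SHA256SUMS`-style manifest (one `<hex digest>  <filename>` line per file, as `sha256sum` produces), and the installer bytes, file names and digests it uses are constructed. It checks integrity only: a matching hash tells you the file was not altered in transit, not that the publisher deserves your trust in the first place.

```python
"""Verify a downloaded installer against a publisher's SHA-256 manifest.

Added example, not part of the original post. Assumes a 'SHA256SUMS'-style
manifest: one "<hex digest>  <filename>" line per file. All file contents,
names and digests below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex digest.

    Blank lines and '#' comments are skipped. A malformed line raises
    ValueError so that a damaged or tampered manifest fails closed rather
    than quietly matching nothing.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode marker
        int(digest, 16)  # raises ValueError if the digest is not hex
        entries[name] = digest
    return entries


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, manifest_text: str) -> bool:
    """True only if the file's digest equals the manifest entry for its base name.

    hmac.compare_digest keeps the comparison constant-time, so a local
    attacker cannot learn how many leading characters matched.
    """
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False  # not listed at all: treat as unverified
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> dict[str, bool]:
    """Constructed scenario: a fake installer, a genuine manifest, a manifest
    with one digit altered, and a manifest that does not list the file."""
    payload = b"MZ\x90\x00" + bytes(range(256)) * 8  # constructed installer bytes
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "screensaver-setup.exe")  # constructed file name
        with open(path, "wb") as f:
            f.write(payload)
        good = hashlib.sha256(payload).hexdigest()
        bad = ("0" if good[0] != "0" else "1") + good[1:]
        return {
            "genuine": verify_download(path, f"{good}  screensaver-setup.exe\n"),
            "tampered": verify_download(path, f"{bad} *screensaver-setup.exe\n"),
            "not_listed": verify_download(path, f"{good}  other.exe\n"),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'OK' if ok else 'REJECT'}")
```

Fetch the manifest from a channel you already trust (the publisher's HTTPS site, a signed release page) rather than from the same place that handed you the download, otherwise a site that can swap the installer can swap the checksum to match.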
By the way, as the story makes clear, this is not a bug in one particular browser: any Web browser will do, because what gets exploited is the desktop search software's handling of something that looks like a Google search, not the browser itself.