IE Flaw Puts Google Desktop at Risk
Internet Explorer is not having a good week. After the discovery of an unpatched flaw in the ubiquitous Web browser and code to exploit it prompted Microsoft to issue a public advisory, a new vulnerability has been found that puts users of Google Desktop at risk -- even if they are running a fully patched system.
Uncovered by Israeli hacker Matan Gillon, the security hole involves a problem with the way IE imports cascading style sheets (CSS) from other Web sites, a technique referred to as cross site scripting (XSS). IE will import any type of file with a bracket, regardless of whether or not it's valid CSS.
By combining the flaw with Google's Desktop Search, a malicious Web site could read personal data off a visitor's machine.
"Much like classic XSS holes, this design flaw in IE allows an attacker to retrieve private user data or execute operations on the users behalf on remote domains," explained Gillon. "The difference is that in this case the target site doesn't have to be vulnerable to script injection. All an attacker has to do is lure a user to a malicious web page."
Specifically, the Web page could employ the IE flaw to gain access to a user's private Google Desktop Search key, which is used as a security measure to limit outside access. Once that key is obtained, the Web site could do a CSS import on the desktop search URL, retrieving potentially private information.
Gillon supplied proof of concept code to highlight the potential risk. "A complete exploit can also iterate through the result pages to get more data and log the results on a remote server," he said. "Needless to say, I don't log any of the results."
The vulnerability could extend beyond Google Desktop Search, however, to any service or application that relies on cross-domain security policies within Internet Explorer.
The exploit affects IE6 on Windows XP SP2 with all patches installed. Mozilla's Firefox is not affected, nor is Opera, "because it doesn't support the styleSheets collection," said Gillon.