Watchfire Discovers Google Desktop Vulnerability That Hackers Could Exploit to Gain Full System Control.Web Application Security Leader's Researchers Demonstrate New Generation of Computer Vulnerabilities Based on Interaction Between Desktop and Web Applications WALTHAM, Mass. -- Web application security leader Watchfire, today announced its security researchers have discovered a vulnerability in Google Desktop A desktop search application from Google that runs under Windows or Mac. It searches a user's computer for keywords in Office documents, Outlook messages, AOL chats and Web pages. which could enable a malicious individual to achieve not only remote, persistent access to sensitive data, but in some conditions full system control. Watchfire's security researchers have uncovered a new attack methodology that clearly emphasizes the danger of integration between desktop applications and web-based applications as an aperture for a malicious attacker to escalate his/her privileges by crossing from the Web environment to the desktop application environment. This outcome is the combined result of the integration between the Google.com Web site and Google Desktop, and Google Desktop's failure to properly encode output containing malicious or unexpected characters. This attack, described in a new research paper http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf describes how the malicious logic acts as a parasite, using JavaScript code to control Google Desktop functionality. While evading current information protection systems, such as anti-virus software anti-virus software n → Antivirensoftware f and firewalls, the attacker could covertly hijack sensitive local information. (For example: Office documents, media files, emails -- in many cases, even deleted emails -- chat sessions and files could be accessed.) In this paper Watchfire details the methodology of attack and provides a valid use case including a description of the basic technique and some theoretical outcomes. Finally, Watchfire provides fix recommendations that are appropriate for Google Desktop, as well as for many other web-based applications. Google has been responsive and has issued a patch which mitigates the immediate risk of the attack. "Application security vulnerabilities need to be taken seriously. As the potential damage of a Cross Site Scripting attack against a desktop application with a Web interface is enormous, Web application security must be comprehensively evaluated and continually monitored," said Michael Weider, founder and CTO (Chief Technical Officer) The executive responsible for the technical direction of an organization. See CIO and salary survey. , Watchfire. "Industry leaders like Google continue to make strides in security but due to the dynamic nature of applications vulnerabilities can surface." To learn more about this attack including fix recommendations please visit: http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf To view a demonstration how the Google Desktop attack works please visit: http://download.watchfire.com/googledesktopdemo/index.htm About Watchfire Watchfire is the leading provider of web application vulnerability assessment A Department of Defense, command, or unit-level evaluation (assessment) to determine the vulnerability of a terrorist attack against an installation, unit, exercise, port, ship, residence, facility, or other site. software and the only company to offer an end-to-end solution including intelligent fix recommendations to evaluate, understand and resolve issues. More than 800 enterprises and government agencies, including AXA AXA Anguilla, Anguilla (Airport Code) AXA Alpha Chi Alpha AXA Animal Crossing Ahead (online forum community/guide to the game Animal Crossing) AXA Auxiliary Artery Financial, SunTrust, HSBC HSBC Hongkong and Shanghai Banking Corporation HSBC Humane Society of Broward County (Florida) HSBC Humane Society of Bay County (Bay County, Michigan) , Vodafone, Veterans Affairs and Dell rely on Watchfire to identify, report and help remediate security vulnerabilities. Watchfire has been the recipient of several industry honors including: winning an unprecedented three out of five 2007 SC Magazine Excellence Awards (including Best Security Company); the HP/IAPP Privacy Innovation Award; Computerworld's Innovative Technology Award; finalist for the pending Dr. Dobb's 2007 Jolt Product Excellence Awards; and "Recommended" rating by Computer Reseller News. For two years in a row, Watchfire has been named by IDC as the worldwide market share leader in web application vulnerability assessment software. Watchfire's partners include IBM Global Services IBM Global Services is the world's largest business and technology services provider. It is the fastest growing part of IBM, with over 190,000 professionals serving customers in more than 160 countries. , Fortify for·ti·fy v. for·ti·fied, for·ti·fy·ing, for·ti·fies v.tr. To make strong, as: a. To strengthen and secure (a position) with fortifications. b. To reinforce by adding material. , PricewaterhouseCoopers, Sapient sa·pi·ent adj. Having great wisdom and discernment. [Middle English, from Old French, from Latin sapi , Microsoft, Interwoven in·ter·weave v. in·ter·wove , in·ter·wo·ven , inter·weav·ing, inter·weaves v.tr. 1. To weave together. 2. To blend together; intermix. v.intr. , EMC (1) (EMC Corporation, Hopkinton, MA, www.emc.com) The leading supplier of storage products for midrange computers and mainframes. Founded in 1979 by Richard J. Egan and Roger Marino, EMC has developed advanced storage and retrieval technologies for the world's largest companies. Documentum and Mercury. Watchfire is headquartered in Waltham, MA. For more information, please visit www.watchfire.com. Watchfire, WebXM, AppScan, PowerTools, the Bobby Logo and the Flame Logo are trademarks or registered trademarks of Watchfire Corporation. All other products, company names, and logos are trademarks or registered trademarks of their respective owners. |
|
||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion