Search engine leader Google has been forced to respond to a security vulnerability in its Google Desktop Search software, which reportedly made it possible for computer intruders to view desktop search results via the Web.
The hole was discovered by security researchers at Rice University and reported this week by the New York Times. Google says it has fixed the problem for current and future users of the service.
There were questions, however, as to exactly when and how Google updated the beta service for users, who have been able to download the software for free since October.
Security experts warned that such desktop search services, while useful to home computer users, could be dangerous for enterprises and might even be the basis of coordinated attacks that leverage the utility.
“Once installed, it can really make it easy to find data,” iDefense director of malicious code intelligence Ken Dunham told TechNewsWorld. “It can be an issue for enterprises and it forces you to take a look at insider/internal threats.”
According to published reports, a computer science assistant professor and two graduate students at Rice University uncovered the Google Desktop Search security holes while playing with the software, which is being tested in the market.
The researchers reported the ability to trick the Google program into providing a user’s desktop search results using a malicious Java program and Web site.
There have not been reports of similar security issues with other desktop search tools. Microsoft, Yahoo and Ask Jeeves have all announced such services this month.
The tools nonetheless prompted an enterprise warning from research firm Gartner last week, and Dunham said they are not fit for businesses because they widen access to company data.
Dunham added that internal threats — which he described as the most widespread but least reported form of computer intrusion — are amplified by the desktop search capabilities.
IDC analyst Sue Feldman, however, pointed out the usefulness of desktop search, telling TechNewsWorld that it saves time and money by providing a single point of access for desktop data and applications.
Google did not elaborate on the security weakness or its response, issuing a simple statement that indicated the problem had been addressed.
“We were made aware of this vulnerability with the Google Desktop Search software and have since fixed the problem so that all current and future users are secure,” the statement said.
Webroot vice president of threat research Richard Stiennon questioned Google’s claim, however, telling TechNewsWorld he was not notified, nor did he enable an update of his Google Desktop Search.
“One big thing is, how did they update?” Stiennon asked.
The security analyst said that because the Google gap did not allow access to the actual files — the vulnerability reportedly was limited to search result listings — the issue presented a minimal overall risk.
Tools for Attack
Stiennon predicted increased use of desktop search utilities to attack computers and steal data. He advised enterprises in particular to ensure desktops and data are hardened against attack.
“We’re going to see a myriad of attempts to access that data,” Stiennon said.
He said that companies might be rushing tools and features out before fully considering security implications, adding that such applications might become a helpful tool for attackers, who might attach malicious software to the local search utilities.
“The good thing is, there’s no dominant one,” Stiennon said. “Over time, a dominant one will emerge and ship with Windows, and then the viruses and worms will probably use it.”