Serious Flaw in Google Desktop Prompts Patch

Search engine giant Google has issued an update for people running its powerful Desktop software. Researchers had demonstrated a potentially devastating security hole in the software that could allow bad guys to snoop on users' computers or even to install additional software.

For the uninitiated, Google Desktop is free software that sits on your computer and indexes your e-mail, chat conversations, documents and previous Web searches to make them easy to find. But according to a discovery last year by Waltham, Mass., security company Watchfire, attackers could hijack a user's sensitive data in older versions of the software.

This flaw appears to be quite dangerous, but the mechanics of it and the steps the bad guys would need to take seem complicated. Anyone who wants to learn more about this flaw should check out Watchfire's research paper here. There also is a longish video that provides a real-world example of how an attack could work.

I've always expected someone to discover a vulnerability like this. I've almost avoided installing the program entirely because of these concerns. But my need to quickly find files on my machine won out, as Microsoft's built-in Windows search capability is just too slow and ineffective. As Security Fix and others have noted, security is all about trade-offs. For the sake of productivity, this was one trade-off I was willing to make.

The good news is that Google has shipped an update to close this security hole. The bad news is that users may need to jump through a few hoops to get the new version.

I had some serious problems trying to update my installation of Google Desktop. No matter which option I tried, the program icon for Google Desktop in my Windows system tray stubbornly refused to respond. I had to dig into the Windows registry to find which version of the program I was running. According to Watchfire, any version of Google Desktop that is not version number 5.0.0701.30540 is vulnerable. The registry said my version was 3.2005.907.1757. I clearly needed to update.

I was surprised to discover that I already had an application called Google Updater installed. However, it clearly had not updated for me. When I tried to run it, the program kept producing an error message saying it could not continue. Appropriately, I "Googled" for clues to the origin of the error message. I followed advice on Google Groups to temporarily disable the anti-virus software on my machine and close any browser windows. Nothing seemed to work.

I ultimately had to completely reinstall Google Desktop and Google Updater. I then had to reboot to get the current version working properly. The latest version appears to have a function that will periodically check for and install updates as they are made available. I'm not sure whether the previous Google Updater had this option, and it isn't clear as to whether the new updater actually does what it says.

Users who have to update their Google Updater as I did may find that Google has bundled the new Updater into its "Google Pack." It seems Google is perpetually in beta phase: Earlier today, when I first visited the Google Pack page while the older, non-working version of Google Updater was installed, I had to uncheck several software options that were pre-enabled in Google Pack. This included Google Earth, Google Screensaver Pack and a six-month trial of Symantec anti-virus software. Now, after installing the latest Google Updater, when I revisit that same page, the Symantec option is gone and none of the items are pre-checked. Curiously enough, Google also is offering Adobe Reader 7, which, as any avid Security Fix reader already knows, is dangerously out of date.

By Brian Krebs  |  February 21, 2007; 2:39 PM ET
Categories:  New Patches  

© 2010 The Washington Post Company