It was a matter of time before someone realized that Google Desktop
has provided an opening into a PC through which
a hacker can get an
easy entry.Mattan Gillon, an Israeli hacker, performed an act of public service by exposing the flaw on his blog.Exploiting
a bug in Microsoft Internet Explorer’s processing Cascading Style
Sheets (CSS). The CSS format is commonly used to give a Web site page a
consistent look and navigation properties, and attackers can target the
process by which IE parses CSS while running Google Desktop.Gillon
explains how browsers usually turn off domain crossing. A specific web
page can direct a
browser to another domain, though it may not retrieve
the contents of the page nor run any of its objects. This restriction
feature serves to preclude a site owner using JavaScript from spying on
a user. Additionally, if a user is already logged
on to a web service such as Yahoo, Hotmail or Gmail, a
malicious web
page could be used to run a malicious operation in the user account.
This operation can be an opening of an email and the subsequent sending
it to a third party. In IE, these security features are easily broken
when the browser encounters a CSS import. Mattan
Gillon called this attack CSSXSS, or Cascading Style Sheets Cross-Site
Scripting. Using the IE browser’s weakness of being fooled by curly
brackets strategically placed in a decoy site’s code, and getting hold
of Google Desktop’s key found in the application code, a hacker can
easily gain an entry into the target PC already running the Google
Desktop service.For this IE weakness to be
exploited, web surfers must first be tricked into visiting a malicious
Web site. They can protect themselves, however, if they turn off Active
Scripting in the IE's Internet Options menu, Gillon says.