Serious Flaw in Google Desktop Prompts Patch

Search engine giant Google has issued an update for people running its powerful Desktop software. Researchers had demonstrated a potentially devastating security hole in the software that could allow bad guys to snoop on users' computers or even to install additional software.

For the uninitiated, Google Desktop is free software that sits on your computer and indexes your e-mail, chat conversations, documents and previous Web searches to make them easy to find. But according to a discovery last year by Waltham, Mass., security company Watchfire, attackers could hijack a user's sensitive data in older versions of the software.

This flaw appears to be quite dangerous, but the mechanics of it and the steps the bad guys would need to take seem complicated. Anyone who wants to learn more about this flaw should check out Watchfire's research paper here. There also is a longish video that provides a real-world example of how an attack could work.

I've always expected someone to discover a vulnerability like this. I've almost avoided installing the program entirely because of these concerns. But my need to quickly find files on my machine won out, as Microsoft's built-in Windows search capability is just too slow and ineffective. As Security Fix and others have noted, security is all about trade-offs. For the sake of productivity, this was one trade-off I was willing to make.

The good news is that Google has shipped an update to close this security hole. The bad news is that users may need to jump through a few hoops to get the new version.

I had some serious problems trying to update my installation of Google Desktop. No matter which option I tried, the program icon for Google Desktop in my Windows system tray stubbornly refused to respond. I had to dig into the Windows registry to find which version of the program I was running. According to Watchfire, any version of Google Desktop that is not version number 5.0.0701.30540 is vulnerable. The registry said my version was 3.2005.907.1757. I clearly needed to update.

I was surprised to discover that I already had an application called Google Updater installed. However, it clearly had not updated for me. When I tried to run it, the program kept producing an error message saying it could not continue. Appropriately, I "Googled" for clues to the origin of the error message. I followed advice on Google Groups to temporarily disable the anti-virus software on my machine and close any browser windows. Nothing seemed to work.

I ultimately had to completely reinstall Google Desktop and Google Updater. I then had to reboot to get the current version working properly. The latest version appears to have a function that will periodically check for and install updates as they are made available. I'm not sure whether the previous Google Updater had this option, and it isn't clear as to whether the new updater actually does what it says.

Users who have to update their Google Updater as I did may find that Google has bundled the new Updater into its "Google Pack." It seems Google is perpetually in beta phase: Earlier today, when I first visited the Google Pack page while the older, non-working version of Google Updater was installed, I had to uncheck several software options that were pre-enabled in Google Pack. This included Google Earth, Google Screensaver Pack and a six-month trial of Symantec anti-virus software. Now, after installing the latest Google Updater, when I revisit that same page, the Symantec option is gone and none of the items are pre-checked. Curiously enough, Google also is offering Adobe Reader 7, which, as any avid Security Fix reader already knows, is dangerously out of date.

By Brian Krebs |  February 21, 2007; 2:39 PM ET New Patches

Comments

Wonder when Google is finally going to get 'round to making Desktop available to users of various Linux distros, in particular Ubuntu....

Henri

Posted by: mhenriday | February 21, 2007 4:23 PM

While I also run a linux distro on my home computers, I'm not wondering when Google will make anything available to me--I don't need the problems, thanks.

Posted by: ebrke | February 21, 2007 5:28 PM

While the built-in search in Windows may be slow, Microsoft offers an excellent, free program for Windows XP called Microsoft Desktop Search, which I think is actually better than Google Desktop. People who think Google Desktop is creepy should give it a try.

Posted by: Gobrien | February 21, 2007 5:56 PM

While the built-in search in Windows may be slow, Microsoft offers an excellent, free program for Windows XP called Microsoft Desktop Search. Microsoft's search software seems to be lighter on resources than Google desktop, gives users more control over what's indexed, isn't connected to the Web, and integrates extremely well with Office. People who think Google Desktop Search is creepy should give it a try.

Posted by: Gobrien | February 21, 2007 6:00 PM

I'm not sure of Google details, but even older versions of Adobe Reader have been updated to deal with last month's security issue, which had already been addressed by last year's Adobe Reader 8.
http://www.adobe.com/support/security/reader_7_0_9.html
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3579

I just wrote a confusing sentence. ;-) But it's quite possible for Google to be linking to an older Reader version, possibly for people with older operating systems, which includes the security fixes for the JavaScript cookie-swiping possible exploit which drew such heavy coverage last month.

jd/adobe

Posted by: John Dowdell | February 21, 2007 7:24 PM

Posted by: Careful | February 21, 2007 8:32 PM

Microsoft Windows Desktop Search (free download) and the new Windows Vista Instant Search provide as good if not better search on the Windows Platform - better integration with the OS and MS Office and without the security flaws. Though I cannot speak for the other security flaws that have lurked in the OS and IE, etc. :p.

Posted by: scottfree | February 21, 2007 11:33 PM

Why on earth would someone want to install a prog like that into a Linux system? I mean, Linux has such good command-line search tools that any GUI system would be inferior.

Posted by: Slacker | February 22, 2007 1:51 AM

It's nice to be called an "avid" reader. :-))

Posted by: Pete from Arlington | February 22, 2007 10:30 AM

Isn't this a time to tell us about other desktop organizers, such as Copernic?

Posted by: hcg | February 22, 2007 1:22 PM

©  The Washington Post Company