Imagine my shock when I read the headline “Google shuts hole in desktop product.”
I have been using Google Desktop for some months now as it is convenient. One can find any file in a jiffy, from pictures to text files and even the sites searched recently, and now I hear it was a big security risk! Unfortunately I heard about this only now, when the flaw has been fixed. Apparently the flaw was discovered late last year by Watchfire, a Web application security leader:
…security researchers have discovered a vulnerability in Google Desktop which could enable a malicious individual to achieve not only remote, persistent access to sensitive data, but in some conditions full system control.
Watchfire has submitted a research paper on this and what is unnerving is that it says that the Google desktop parasite can “evade current information protection systems, such as anti-virus software and firewalls.”
However, what is puzzling is that all these news reports talk as if this flaw was discovered just at the end of last year. The Washington Post says so. The Post goes on to say that Google fixed the problem within weeks of being informed. But while researching this write-up, I found a news report that was more than two years old, and it said:
Scientists at Rice University in Texas found a glitch in Google Desktop that could permit an attacker to search the contents of a PC from the internet, The New York Times reports. Dan Wallach, an assistant professor of computer science at Rice, and two graduate students, Seth Fogarty and Seth Nielson, say the risk is real, although an exploit would require a thorough understanding of the flaw… the Rice University team say the tool can actually allow attackers to search for files on the PCs of Google Desktop users without their knowledge… According to the New York Times, the flaw is what computer scientists call a composition flaw, or a weakness that emerges when separate components interact. When you put them together, out jumps a security flaw. These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw.
Now this news report dates back to December 2004, and Google Desktop was launched in October 2004. This means that the flaw was discovered within two months of launch, but Google did nothing until a research paper came out? If Google knew about this as far back as 2004, why did they refuse to take cognizance of it? Or was it so difficult to find a fix? More than two years? Can you imagine what sort of disaster this could mean for those who have confidential information about their businesses stashed away on their computers?