
Could have allowed hackers to search PCs...
Published: 20 December 2004 13:45 GMT
Google has fixed a flaw that allowed hackers to search the contents of a PC running its desktop search tool.
According to a statement from the web search company on Monday, it has rolled out a fix for the vulnerability that a US computer scientist and two of his students found in the tool in late November.
A Google spokeswoman said: "We were made aware of this vulnerability with the Google Desktop Search software and have since fixed the problem so that all current and future users are secure."
Dan Wallach, an assistant professor of computer science at Rice University, discovered the vulnerability while working with graduate students Seth Fogarty and Seth Nielson. Wallach describes it as a composition flaw, in which a security weakness is caused by the interaction of several separate components.
According to The New York Times, which first reported the discovery of the vulnerability, Wallach, Fogarty and Nielson found that the Google desktop tool looks for traffic that appears to be going to Google.com and then inserts results from a user's hard disk for a particular search.
They managed to trick the Google desktop search program into inserting those results into other web pages where an attacker could read them. The attack would only work after a user had visited an attacker's website, at which point a Java program (as created by the Rice group) would be able to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site.
The disclosure of this flaw comes just days after analyst firm Gartner warned businesses to steer clear of Google's desktop search tool until a more robust, enterprise-ready version is released.
Security experts have also warned that virus writers could use desktop search tools to make their malware more efficient.
Dan Ilett and Graeme Wearden write for ZDNet UK.
Copyright © 2008 CBS Interactive Limited. All rights reserved.