
Passwords and other web data at risk, says security firm
Published: 22 February 2007 08:55 GMT
Several flaws in the popular Google Desktop software could open PCs up to intruders and possible data theft, a security company has warned.
The search giant has released patches for the issues, which were reported by Watchfire in a paper published yesterday. One of the problems is a cross-site scripting flaw that could let an outsider look through files on a compromised machine.
Google Desktop applies the same technology found in Google's search engine to let users try to find items on their PC and on shared networked computers. The tool indexes and combs through emails, documents and files on the user's PC and stores web pages as part of its approach.
Hackers could use cross-site scripting to manipulate Google Desktop's functionality for their own ends, said Danny Allan, director of security research at Watchfire. The desktop application's integration with Google Search, Google's public internet search application, is a weak spot, he added. It means that the vulnerabilities found by Watchfire could have been exploited without the attack being detected by information protection systems, antivirus software and firewalls, he said.
Such an attack is different from traditional ones, because it relies on JavaScript code, rather than the insertion of binary code, to control Google Desktop. It uses the application remotely to search for confidential information, according to Watchfire's report.
That means that passwords and banking information stored either in computer files or in web page history could be accessed remotely by the attacker, Allan said.
Watchfire notified Google on 4 January of three vulnerabilities and one architectural flaw in the application, Allan said. Google responded to the security company on 1 February and asked for a few weeks before Watchfire went public with the information. The search giant has issued a patch for the problems.
Google said in a statement: "A fix was developed quickly, and users are being automatically updated with the patch. In addition, we have added another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future."
The search company recommends that people make sure they are running the most recent version of Google Desktop.
It does not appear that anyone actually took advantage of the vulnerabilities and made attacks on Google Desktop users, both Watchfire and Google said.
However, Google Desktop is still vulnerable to these cross-site scripting attacks, Allan said, because of the "poor architectural decision" to include a link from Google web servers to the Google Desktop user's PC.
Candace Lombardi writes for CNET News.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.