The attack, outlined in a paper (PDF) released by the firm, uses a cross-site scripting (XSS) flaw in the Google Desktop application in conjunction with any other XSS flaw in the Google.com domain to install malicious JavaScript on the user's computer. Using the technique, an attacker could create a JavaScript program that Google Desktop repeatedly runs, allowing the attacker to search a victim's computer using terms most likely to dredge up interesting data.

Google released an updated version of Google Desktop that fixes the local cross-site scripting flaw earlier this month, but many users may not have gotten the patch, said Danny Allan, director of security research for Watchfire. Because of the popularity of Google Desktop, there could be a large number of users with vulnerable systems.

"Undoubtedly, there are millions of people at risk today," Allan said.

A Watchfire researcher, Yair Amit, found indications of the vulnerability last October, the firm researched the issue in December and reported it to Google on January 4. The search giant released the updated Google Desktop client on February 1. Many of its users have been automatically updated with the patch, Google spokesman Barry Schnitt said in a statement sent to SecurityFocus.

"In addition, we have (added) another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," Schnitt said. "We have received no reports that this vulnerability was exploited."

The search giant did not further describe what additional defenses have been added to the program. Schnitt said users should go the Google Desktop site and make sure they have the latest version.

JavaScript paired with one or more cross-site scripting flaws has increasingly become a significant vector for attacking PC users as they browse the Web. Researchers have warned that Web worms using JavaScript, cross-site scripting flaws and technologies such as AJAX will likely become more prevalent in the future. In 2005, a worm--dubbed Samy--spread among MySpace users, adding a user named "Samy" to the victim's friends list. Earlier this year, Adobe acknowledged that its Acrobat document reader also suffered from a cross-site scripting flaw that could be triggered by JavaScript.

As applications and Web sites increasingly incorporate online data services into their architecture--an evolving relationship often referred to as Web 2.0, securing the interrelated infrastructure becomes more difficult.

"Cross-site scripting (attacks) have become more popular in the last two years as more researchers understand their power," Yuval Ben-Itzhak, chief technology officer of Web security firm Finjan, said in an e-mail interview with SecurityFocus. "Web 2.0 is a good platform (in which) to use XSS, but many, many Websites are vulnerable (today) to XSS."

Google Desktop has a number of defenses, including filtering out any connections that do not originate from the user's computer and using pseudo-random 512-bit signatures to obfuscate the names of specific pages and prevent guessing.

To get around these defenses, the attack vector found by Watchfire requires the use of a cross-site scripting flaw affecting the Google.com domain. The company used a flaw it had found to demonstrate the issue to Google, and the search firm subsequently fixed the vulnerability. Using such a flaw, an attacker can run a Javascript program that garner the signature assigned to the user's PC. With that signature, the attacker can create valid URLs and switch the context from Google.com and take control over Google Desktop.

With the preliminaries over, an attacker can now focus on using a feature that allows searching in specific directories on the PC--the under parameter--to execute JavaScript in the context of Google Desktop and make it persistent, Watchfire said in the report. Using a cross-site scripting proxy, an attacker can maintain continued bi-directional communication with the compromised system.

The issues underscore that local programs, such as Google Desktop, that run on a user's PC but integrate closely with the Web or other servers on the Internet raise additional security issues, said Watchfire’s Allan. Developers of sites using such technologies need to be much more careful, he added.

"It underscores the bigger risks that we are seeing today in the more complex client-side execution of online applications," Allan said. "The lines are blurring between offline applications and Web applications and as that blurring continues to grow, we will only be at greater risk."

Google recommends that Google Desktop users download the latest version, which contains a patch for the cross-site scripting issue.

(c) www.securityfocus.com