Google Desktop tweaked to block attackers

Adjustment should protect PCs from attackers exploiting an unpatched flaw in Internet Explorer.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
Google has made an adjustment to its desktop search tool to foil attacks that take advantage of an unpatched vulnerability in Microsoft's ubiquitous Internet Explorer Web browser.

The IE bug was disclosed late last week by Matan Gillon, a security researcher in Israel. He found a way to steal information from unwitting Google Desktop users by exploiting the Web browser flaw.

"We did make an adjustment to the product to help protect users," Google representative Sonya Boralv said Tuesday. "We made the adjustment on our end. Users don't need to download a patch or take any action."

The bug in IE allows an attacker to retrieve private user data or execute operations on the user's behalf from remote domains, Gillon wrote in his description of the attack method. He crafted a Web page which, when viewed in IE on a computer with Google Desktop installed, used the search tool and returned results for the query "password."

A test of the proof-of-concept page created by Gillon confirmed on Tuesday that the attack no longer works.

Microsoft on Friday said it was investigating the IE bug. The company has said it might issue a security update or an advisory on the problem.