For nearly a month, users of the Google Desktop application were exposed to a vulnerability that allowed remote hackers to snoop through private computer files.
The vulnerability was launched by malicious JavaScript code, enabling hackers to gain access to Office files, e-mails and chat logs.
Google updated its desktop application with a patch that bars the execution of malicious scripts to protect users from future attacks. The search giant is asking users to download the latest version of Google Desktop.
“We have received no reports that this vulnerability was exploited,” Google spokesman Barry Schnitt told internetnews.com.
While the current dark clouds seem to have passed, the tight coupling between the desktop and Google.com has created “the perfect storm” for future security headaches, according to Danny Allen, security director for Waltham, Mass.-based Watchfire.
Watchfire discovered in January hackers could use a cross-site scripting attack to re-enable remote access to private files turned off by Google Desktop users. Users who clicked on a phishing e-mail or visited a malicious Web site would unknowingly trigger the script, Allen told internetnews.com.
Gartner research analyst John Pescatore told internetnews.com the vulnerability posed particular problems for businesses because software “can both expose desktop information to the broader Internet” and mix external information with internal sensitive data.
The Google Desktop flaw is just the latest security vulnerability the search company has had to deal with. In January, Google fixed a Gmail flaw that could have exposed e-mail users’ contact lists to attackers.
That security hole followed a scare over Google’s AdWords program that could have triggered cross-site scripting (XSS), defacement, hijacked pages or other attacks against Google Adwords advertisers.