CNET科技资讯网12月21日国际报道 Google表示,他们已经打上其桌面搜索工具漏洞补丁。这个漏洞可能让黑客控制受害人的电脑。 Google星期一表示,他们已经打上它的桌面搜索工具的漏洞补丁。11月底,赖斯大学的计算机科学家率先发现了这一漏洞。 Google一位发言人说:“我们已经意识到Google桌面搜索软件存在这一漏洞,目前,我们已经打上了安全补丁,因此现在以及将来的用户的安全可以得到保证。” 据
悉,Google桌面搜索工具存在的这一漏洞属于一个综合性漏洞。它可以截获向外发送信息的方式,寻求访问Google.com的数据流量,然后插入来自
硬盘搜索的结果。黑客可以欺骗Google桌面搜索工具,让它在其它网页中插入来自硬盘的搜索结果,同时读取这些结果。 赖斯大学的研究人员已经开发了能够欺骗Google桌面搜索工具,发动这类攻击的Java软件,该软件能够任意处理搜索结果,包括将它们返回到黑客的网站。黑客要发动攻击,首先要求用户访问攻击者的网站,使用任何浏览器的用户都会受到攻击。 这一漏洞被发现的前一天,Gartner警告自己的业务部门,在更加成熟版本的Google桌面搜索工具出台之前,不要安装这种搜索工具。 安全专家也同时警告说,病毒制作者可以利用桌面搜索工具,令他们的恶意软件更具有危害性。(编辑:孙莹)
Google: We've fixed desktop search tool flawGoogle
says it has fixed a flaw that could have allowed hackers to search the
contents of PCs running the company's desktop search tool. According
to a statement issued Monday by the Web search company, it has rolled
out a fix for the vulnerability. The flaw in the tool was discovered in
late November by a Rice University computer scientist and two of his
students. A
Google representative said, "We were made aware of this vulnerability
with the Google Desktop Search software and have since fixed the
problem so that all current and future users are secure." Dan
Wallach, an assistant professor of computer science at Rice University,
discovered the vulnerability while working with graduate students Seth
Fogarty and Seth Nielson. Wallach describes it as a composition
flaw--where a security weakness is caused by the interaction of several
separate components. According to The New York Times, which
first reported the discovery of the flaw, Wallach, Fogarty and Nielson
found that the Google desktop tool looks for traffic that appears to be
going to Google.com and then inserts results from a user's hard disk
for a particular search. They managed to trick the Google desktop search program
into inserting those results into other Web pages where an attacker
could read them. This would only work after a user had visited an
attacker's Web site, upon which a Java program (as created by the Rice
group) would be able to fool the Google desktop software into providing
the user's search information. The program was able to do anything with
the results, including transmitting them back to the attacking site. The disclosure of this flaw comes just days after research company Gartner warned businesses to steer clear of Google's desktop search tool until a more robust, enterprise-ready version is released. Security experts have also warned that virus writers could use desktop search tools to make their malware more efficient. Dan Ilett and Graeme Wearden of ZDNet UK reported from London.
|