A series of security holes in the Google Toolbar, an application offered by the popular search engine that adds easily accessible search features to Web browsers, could allow an attacker to read files, reroute searches and execute scripts on an affected PC, according to a security alert released yesterday by GreyMagic Software.
GreyMagic identified a total of nine vulnerabilities ranging from minor - a Web site operator being able to tell what keys a user is pressing in the Google search field - to serious - the scripting vulnerability. Among the less serious flaws found is the search bar keylogging described above, enabling the "Page Rank" and "Category" features that could reveal user information, clearing the toolbar's history or even uninstalling the application.
More seriously, by using a specific Uniform Resource Locator (URL), attackers could reroute searches through their own Web sites, allowing them to log information about users, the security group said. By using other URLs containing scripts, an attacker can read files on the affected PC or execute scripts in the same security context that Web pages are viewed.
The flaws were all patched by Google's automatic update to the toolbar, released on Wednesday, meaning that many Google Toolbar users should already be protected against the holes, GreyMagic said.
News Source: Computer Weekly 360
Download: Google toolbar (v1.1.60-big)
View: GreyMagic Advisory - Exploiting the Google toolbar
GreyMagic identified a total of nine vulnerabilities ranging from minor - a Web site operator being able to tell what keys a user is pressing in the Google search field - to serious - the scripting vulnerability. Among the less serious flaws found is the search bar keylogging described above, enabling the "Page Rank" and "Category" features that could reveal user information, clearing the toolbar's history or even uninstalling the application.
More seriously, by using a specific Uniform Resource Locator (URL), attackers could reroute searches through their own Web sites, allowing them to log information about users, the security group said. By using other URLs containing scripts, an attacker can read files on the affected PC or execute scripts in the same security context that Web pages are viewed.
The flaws were all patched by Google's automatic update to the toolbar, released on Wednesday, meaning that many Google Toolbar users should already be protected against the holes, GreyMagic said.
News Source: Computer Weekly 360 Download: Google toolbar (v1.1.60-big) View: GreyMagic Advisory - Exploiting the Google toolbar
MICROSOFT SAYS IT'S OLDER AND WISER
A Microsoft official said there were "lessons that can be learned" from the FTC action and that the company would improve its description and disclosure of Passport's features.
"We've learned from the dialogue with the FTC and we will work to meet the high bar they are setting," said Microsoft General Counsel Brad Smith.
Tracking information collected by Passport would only be used for customer service needs and would be purged after 10 days in most cases, he said.
Activists who asked the FTC last summer to examine Passport said the settlement was the most significant victory for online privacy to date.
"Frankly, we're pleased," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which led the consumer coalition. "In some areas the FTC went further than we anticipated."
Jason Catlett, president of privacy consulting firm Junkbusters Corp., said the most significant aspect was that the FTC decided to investigate in the first place.
"Finding that Microsoft has bad security is like shooting at a sitting duck," Catlett said. "What is significant is not that they hit the duck, but that they took the shot."
Microsoft, hit by break-ins to its network and criticism over its security, made "trustworthy computing" its top priority earlier this year after chairman Bill Gates called for more emphasis on security.
Smith said the company built Passport on what it thought was the most secure technology available at the time.
The Association for Competitive Technology, a technology group that has supported Microsoft in the past, said the agreement seemed excessive but would set new standards for the entire industry.
Passport faces pressure on other fronts. European Union authorities have taken at a hard look at the service, concerned that it does not comply with privacy laws and tell users how their personal information is used.
A group of high-tech firms calling itself the Liberty Alliance, led by Sun Microsystems Inc is planning a similar identity service.
Most Passport users signed up involuntarily when they set up a free Hotmail account, or bought the new Windows XP operating system, and few are active users, said Gartner analyst Avivah Litan. The settlement could help Microsoft by building trust in the system, she said.
"Consumers use Passport right now because they have to," Litan said.
One FTC source said Microsoft was eager to settle the case because it did not want further problems with Passport, which is at the core of the company's .NET initiate to move to Internet-based services.
"They caved," the source said.
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.