VID |
28192 |
Severity |
30 |
Port |
139,445 |
Protocol |
TCP |
Class |
SMB |
Detailed Description |
The Windows host has a version of Google Desktop that is vulnerable to cross-site scripting. Google Desktop is a search application for Microsoft Windows platforms that allows users to easily search for files on the computer. Google Desktop versions prior to 5.0.0701.30540 are vulnerable to a cross-site scripting vulnerability in the "under" parameter. This vulnerability occurs because the Google Desktop Search engine fails to properly sanitize user input. A remote, unauthenticated attacker may be able to perform any action that the Google Desktop Search engine is capable of performing. This includes executing programs that are already on a vulnerable system, searching and viewing files, and exfiltrating sensitive data.
* Note: This check requires an account with administrative privileges that can log in to the host being scanned. If these conditions are not met, the check will not be performed, resulting in a False Negative for all vulnerable hosts.
* References:
  http://desktop.google.com/support/bin/answer.py?answer=14280
  http://download.watchfire.com/googledesktopdemo/index.htm
  http://download.watchfire.com/whitepapers/Overtaking-Google-Desktop.pdf
  http://www.securityfocus.com/archive/1/archive/1/460735/100/0/threaded
  http://www.securityfocus.com/archive/1/archive/1/460928/100/0/threaded
  http://www.watchfire.com/resources/Overtaking-Google-Desktop.pdf
  http://www.kb.cert.org/vuls/id/615857
  http://www.securitytracker.com/id?1017686
* Platforms Affected: Google Desktop versions prior to 5.0.0701.30540; Microsoft Windows, any version |
Recommendation |
Google Desktop automatically updates itself when a new version of the software is available.
If you haven't been automatically updated yet, you can manually update to the latest version of Google Desktop (5.0.0701.30540 or later), available from the Google Desktop Web site at http://desktop.google.com/?utm_campaign=en&utm_source=en-ha-na-us-google&utm_medium=ha&utm_term=google%20desktop |
Related URL |
CVE-2007-1085 (CVE) |
Related URL |
22650 (SecurityFocus) |
Related URL |
32735 (ISS) |
|