Security holes in Google Toolbar patched
A series of security holes in the Google Inc. Toolbar, an application offered by the popular search engine that adds easily accessible search features to Web browsers, could allow an attacker to read files, reroute searches and execute scripts on an affected PC, according to a security alert released Thursday by GreyMagic Software.
GreyMagic identified a total of nine vulnerabilities ranging from minor -- a Web site operator being able to tell what keys a user is pressing in the Google search field -- to serious -- the scripting vulnerability. The flaws were all patched by Google's automatic update to the toolbar which was released on Wednesday, meaning that many Google Toolbar users should have already had their software updated to protect against the holes, GreyMagic wrote.
GreyMagic found the vulnerabilities in version 1.1.58 of the toolbar. Google is already distributing versions 1.1.59 and 1.1.60 which fix the problems, GreyMagic said.
Among the less serious flaws found is the search bar keylogging described above, enabling the "Page Rank" and "Category" features which could reveal user information, clearing the toolbar's history or even uninstalling the application, the Israeli GreyMagic said.
More seriously, by using a specific URL (Uniform Resource Locator) an attacker could reroute searches through his or her own Web site, allowing the attacker to log information about the user, the security group wrote.
By using other URLs containing scripts, an attacker can read files on the affected PC or execute scripts in the same security context that Web pages are viewed, GreyMagic wrote.
Users can check to see what version of the Google Toolbar they are running by clicking on the Google logo in the Toolbar and selecting "About Google Toolbar." The Google Toolbar can be downloaded from http://toolbar.google.com.
» posted by abennett
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
