Wednesday, September 22, 2004

Google Toolbar Security Flaw? Not Even Remote

I have been following a number of blog and forum entries on the security flaw that was reported in the Google Toolbar: an input validation vulnerability in which the 'About' section of the toolbar does not properly filter HTML content. This allows a local user to create HTML that, when loaded by the target user, will invoke the About page and execute arbitrary scripting code in the context of the page.



Note the keywords 'local user' in the above statement. There is no possibility that this code could be injected by a remote user or website. The 'proof of concept' provided uses a res: file protocol which can only be invoked from the Local Computer Zone of Internet Explorer. In other words, if somebody has access to your computer locally and maliciously interjects this code into your Googlebar About page -- then you are in trouble. Chances are if they get that far, you are in a lot worse trouble than just the Googlebar, eh?



When security scares like this pop up, and given that this one involves Google, the headlines and brief paragraphs tend to make it sound a lot worse than it is. Let me be one of the first to dispel the rumors that may already be starting to fly around the net. There is no problem with your Googlebar, people.
