An Israeli security firm has discovered a security vulnerability in Google's Internet Explorer toolbar that could allow an attacker to run malicious code on a user's PC, read private files, and carry out other intrusions.
According to GreyMagic Software, a flaw in the Google Toolbar version 1.1.58 and earlier allows an attacker to embed code in any Web page that fools the toolbar into executing the attacker's commands. These commands can include altering the toolbar's parameters, which allows the attacker to hijack searches, alter the appearance of the toolbar or uninstall it completely. It also, more dangerously, allows the attacker to execute code on the user's PC.
Google issued a new version of the toolbar fixing the problem, via its automatic update feature, on Wednesday. As of Friday, the current version of the toolbar is 1.1.60.
GreyMagic's exploits centre around the fact that the toolbar uses simple URLs to control the software's features or execute scripts. Changes to the toolbar settings are made via a URL such as "http://toolbar.google.com/command?(changes here)", and scripts can be executed at "http://toolbar.google.com/command?script=(any script)".
The toolbar only allows changes to take place if the document being viewed in the browser is in the google.com domain, or is viewing any location using a special "resource" protocol, meant for accessing system resources on the local computer. (Resource protocol addresses take the form "res://(address)".)
However, GreyMagic demonstrated that this restriction could be easily circumvented by opening a "res://" or google.com page, and then using a script to change the URL to the desired malicious address.
All a Google Toolbar user would have to do would be to visit a particular URL -- which could be distributed through an email, for example -- and a script embedded in the page could read files on the user's hard disk, alter the configuration of the toolbar to hijack searches or execute malicious commands. Since the commands can be executed in the "My Computer" security zone, they do not have many restrictions.
GreyMagic said that several demonstrations of such exploits are available on its Web site.
