Flaw found in Google tool

SAN FRANCISCO — A Rice University computer scientist and two of his students have discovered a potentially serious security flaw in the desktop search tool for personal computers that was recently distributed by Google.

The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a "composition flaw" — a security weakness that emerges when separate components interact. "When you put them together, out jumps a security flaw," said Dan Wallach, an assistant professor of computer science at Rice in Houston, who, along with two graduate students, Seth Fogarty and Seth Nielson, discovered the flaw last month. "These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw," Wallach said.

Google introduced a test version of the desktop search tool on Oct. 14, and it can be downloaded at no cost. The program indexes material on a user's local hard disk and then blends Web search results with local user information like electronic mail, text documents and other files. The search would reveal only small portions of the files.

The way the software tool is designed, a user's queries, but no locally stored information, are distributed via the Internet. But by reading user queries sent to its search service, Google is able to place its AdWords text advertisements next to search results displayed in a user's browser window.

In a statement over the weekend, the company said that it had been notified of the flaw by the computer researchers in late November and had begun distributing a new version of the desktop search engine that repairs the potential security hole. Google's introduction of a desktop search tool has touched off a competition with its closest Web search service competitors, Microsoft and Yahoo.

Microsoft made a test version of its desktop search tool available Dec. 13 as part of its MSN toolbar suite, and Yahoo has said that it will begin testing a similar search tool in January.

The Rice University researchers said that they had not yet examined Microsoft's desktop search program, but noted that the service did not appear to integrate Web and local search results in the same manner as the Google tool.

The researchers said that the Google security weakness lay in the way that Google Desktop was designed to intercept outgoing network connections from the user's computer.