Software Engineering Institute

Google Desktop Search is a desktop search program that is integrated into the Google search engine. Google Desktop Search indexes the user's local hard drive, and allows the results to be searched from a browser.

The Google Desktop Search program contains a cross-site scripting vulnerability in the under parameter. This vulnerability occurs because the Google Desktop Search engine fails to properly sanitize user input.

Note that this vulnerability may not be exploited remotely without the presence of another vulnerability.

A remote unauthenticated attacker may be able to perform any action that the Google Desktop Search engine is capable of performing. This includes executing programs that are already on a vulnerable system, searching and viewing files and exfiltrating sensitive data.

Upgrade
Google has addressed this issue in the most recent version of the Google Desktop Search. Note that Google updates the Google Desktop Search automatically.

Disable JavaScript

Disable JavaScript in your browser's preferences. Instructions for disabling JavaScript can be found in the Securing Your Web Browser document and the Malicious Web Scripts FAQ. Some Mozilla add-ons can simplify the ability to enable or disable JavaScript, or set up site-specific rules for doing so.