Local Search Engines – Potential Security Holes – Is it true?

Posted on November 5, 2007. Filed under: Computers, GNU, Google, IBM, Java, Linux, Microsoft, OmniFind, PC, Sun, Technology, Thoughts, Unix, Vista, Windows, poop | Tags: , , , , , , , , , , , , , , , |

I am resurrecting this subject because of a comment I received from someone who called them self “misinformed”. I am going to leave their sarcasm out, but will include the pertinent comments here. Please refer to my November 3rd posting about “Free Security Holes For Your Computer”.

Indeed, you may be misinformed, but you did bring my attention to one part of that post. My saying, have your firewall block port 80 in a broad sense was not totally accurate on my part, and I do apologize for my not catching it first. So, thank you for pointing that out. Since the post was referring to incoming requests, I should not have assumed that everyone was on the same page with me, and I should have explained more clearly for you that the ports listed would need blocking on the “Internet” connection and for inbound request to those ports only. To me, it is common sense not to block the outbound requests. DUH!

Misinformed then commented: “Most Desktop Search programs don’t include the search for system files like .drv, bat and so forth. Have you bothered to test this? What application?”

I did in fact test this. I found that IBM’s OmniFind returned no .drv files in its search, but using Google Desktop I received a partial results page with 57 results pointing to files with the extension “.drv”. This was a partial result because Google Desktop was only 37% completed with it’s indexing of the PC. I didn’t need to see more at that point. Google desktop is no longer on my computer.

Finally, misinformed commented: “Google Desktop uses LOCALHOST to serve results. An outside party can’t access the Google Desktop webserver on your computer.”

It is true that Google Desktop only uses localhost to serve requests. The network settings for Google Desktop are defined in GoogleDesktopNetwork3.dll which points the application to localhost, 127.0.0.1, and port 4664. Even with that bit of information, you have a well suited name for yourself misinformed, and a false sense of security as well. I must refer you to the October 29, 2007 post from CERT which clearly states that an untrusted Java applet can connect to localhost. Sun Microsystems has fixed that minor issue with their latest update, however not everyone does updates when they should. (especially those using dialup service to the Internet) Also, lord help you if you use Microsoft’s Active X controls on internet connections. I’ll consider another post at a later date for my beloved Active X. So, the final answer to the question on top is YES! The potential security risks remain.

The focus point of the original November 3rd post is to bring attention to not allowing personal information to be visible through the locally installed search engine, because it is possible that your personal information may be exposed to others.

Thanks for visiting my pages. It’s beer o’clock! :-)

Make a Comment

Make a Comment: ( None so far )

You must be logged in to post a comment.

Liked it here?
Why not try sites on the blogroll...