June 22, 2011

Instant Exploits?

Forcepoint

Google announced a number of new technologies as part of their Google Inside Search Launch (http://www.google.com/insidesearch/). One of the more interesting elements is their idea to speed up the Web with something called "Instant Pages." The basic idea is that they are taking their ability to correctly guess what a user is going to search on, and pre-loading the content from the origin server onto your local machine. Apparently, this will only work with the Chrome browser.

On the challenging side, this leads to some interesting exploit scenarios. In the past, search algorithms have been duped into showing malicious pages in their results. Dangerous as those cases are, the user still has to click on one of the top results to get infected. In the new scenario, the big question is whether a user can be exploited simply by searching, without even clicking on a link.

Though Google said in a subsequent interview that they don’t believe this will be an issue, due to several aspects of their technology, there is still an interesting possibility for exploitation of unsuspecting users, as SEO poisoning continues to be an ongoing problem. Remember from our 2010 Threat Report that searching for breaking trends and current news represents a higher risk (22.4% of search results poisoned) than searching for objectionable content (21.8%).

In slightly related news, Google also announced voice recognition for search. It will be interesting to see how the rogue AV camps use this to their advantage in the future.
