Google addressed the problem by providing a fix directly to
clients that had purchased the Google Mini. The search appliance
sells for $3,000, but recently has been offered as a free extra
to purchasers of Google's high-end enterprise search appliances.
Researcher H D Moore at Metasploit provided some notes on the
company's web site detailing some of their work with Google
on the flaw:
security team responded immediately to our report and were
generally very helpful throughout the disclosure process.
After a fix was developed, they offered to send us a Mini
to verify that all issues had been addressed. Prior to shipping
the appliance, they asked for an NDA and a license agreement
to be signed and sent back.
The NDA and license agreement both included clauses that restricted
reverse engineering and other facets of security research.
The NDA prohibited the publication of any information deemed
confidential by Google without a prior written agreement.
For any use other than security research, these conditions
would not be an issue, however as they were written, any vulnerabilities
discovered after the documents were signed could be considered
confidential and restricted. We declined to sign the documents
and Google placed a demo unit online for verification instead.