Watchfire just released a whitepaper on Overtaking Google Desktop which is a thought-provoking read. It essentially exploits the mechanism by which Google Desktop hooks the browser in order to inject links to the local Google Desktop instance when the user performs a typical online Google search. There are a couple of gating factors to making this attack viable -- the initial attack vector requires an exploitable XSS vulnerability in google.com, and the victim must have Google Desktop's browser integration feature enabled. An added twist is that a successful attack gets cached by Google Desktop (since it is based on an advanced search preference) and could persist indefinitely. Really nice work by the Watchfire research team.
More important than the vulnerability itself is the fact that this further blurs the boundaries between web-based and desktop-based attacks. What other pieces of desktop software might be manipulating browser content to provide some level of seamless browser integration? Any standalone application that wants to introduce functionality that integrates with its own website (or others) could fall into this category -- RSS readers, news readers, BitTorrent clients, instant messaging applications, etc. Local HTTP servers in desktop applications are not uncommon and will become more prevalent as the web browser becomes the primary user interface for everyday tasks.
Should web browsers really permit arbitrary desktop applications to manipulate the content of pages, without explicit permission from the user? Providing a way to disable this behavior would be one step toward re-establishing boundaries in the interest of security.