SAN JOSE, Ca. – People who install or use widgets are opening themselves up to major security vulnerabilities, according to Finjan’s 2007 third quarter Web Security Trends Report.

Widgets and gadgets are popular applications that are provided either out of the box by operating system vendors (Microsoft's Windows Vista, for example) or as small applications from the likes of Yahoo! and Google that focus on a single task, such as reading RSS feeds, providing a desktop calendar or clock, or monitoring the battery.

For example, there are approximately 3,720 widgets and gadgets available on Google and many of these applications are being used by millions of people.

“These widgets have become popular today on the Web and although they were designed to provide cool functionality to users, there was no security behind them,” said Yuval Ben-Itzhak, CTO of Finjan, a provider of secure Web gateway products. “Hackers can use these small applications to infect users with malicious codes.”

If users are left unprotected, Ben-Itzhak said, hackers will use the flaws to install malicious code that steals data such as credit card numbers and social security numbers, which is then sent back to the hackers to sell online.

Some of the vulnerabilities that Finjan discovered and that have since been patched include one in the Contacts Widget of Vista, which enabled an attacker to run arbitrary code on the attacked machine by providing a malformed contact detail object. This contact, simply by being displayed in the Contacts Widget, would run arbitrary code on the local machine without any user interaction or verification. This allowed an attacker to gain full control of a person’s desktop, install things like Trojans, or use the machine as part of a botnet. The Live.com RSS reader widget contained a vulnerability that allowed an attacker to access privileged information from the user account while impersonating the user and taking control of their browser.

Ben-Itzhak said that organizations require security solutions capable of coping with such a changing environment, with the ability to analyze code in real time and detect malicious code appearing in innovative attack vectors. He suggested that companies use solutions with real-time content inspection to provide adequate protection, instead of relying on anti-virus and URL filtering.

As well, Ben-Itzhak recommended that organizations use widgets and gadgets that are from large vendors like Google, Microsoft and Yahoo!

“If there are vulnerabilities,” he added, “at least you can be sure they will release a patch, unlike third-party vendors where there is no guarantee of a patch, so users remain at risk.”

As well, organizations should use caution when using interactive widgets. Widgets that rely on external feeds such as RSS, weather information and external applications may be susceptible to attacks that exploit this trust by piggybacking a malicious payload on such data.
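The trust boundary described above, as an added example that is not Finjan's or any widget vendor's code: a minimal RSS widget renderer showing the unsafe pattern (feed text dropped straight into the widget's markup) beside the hardened one (feed text escaped first). The feed content is constructed for the example.

```javascript
// Added example, not Finjan's or any widget vendor's code: a minimal RSS
// widget renderer that treats feed content as untrusted input.

// Constructed sample feed. The description carries markup with an event
// handler; a widget that drops it straight into its own document would
// run that handler in the widget's (often highly privileged) context.
const SAMPLE_FEED = `<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example weather</title>
<item><title>Storm warning &amp; outlook</title>
<description><![CDATA[Gusts to 80 km/h <img src=x onerror="alert(1)">]]></description></item>
</channel></rss>`;

// Decode the XML layer only: strip a CDATA wrapper and the five XML entities.
// This yields the feed author's raw text, which may itself contain HTML.
function xmlText(s) {
  const m = /^<!\[CDATA\[([\s\S]*?)\]\]>$/.exec(s.trim());
  const t = m ? m[1] : s;
  return t.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
          .replace(/&apos;/g, "'").replace(/&amp;/g, '&');
}

// Extract <item> title/description pairs. A production widget would use a
// real XML parser; a regex scan keeps this example dependency-free.
function parseItems(xml) {
  const items = [];
  const itemRe = /<item>([\s\S]*?)<\/item>/g;
  let im;
  while ((im = itemRe.exec(xml)) !== null) {
    const title = /<title>([\s\S]*?)<\/title>/.exec(im[1]);
    const desc = /<description>([\s\S]*?)<\/description>/.exec(im[1]);
    items.push({ title: xmlText(title ? title[1] : ''), description: xmlText(desc ? desc[1] : '') });
  }
  return items;
}

// Escape text so the browser shows it literally instead of parsing it as markup.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable pattern: feed text interpolated directly into widget markup
// (what a widget does when it assigns the result to innerHTML).
function renderUnsafe(items) {
  return items.map(i => `<li><b>${i.title}</b>: ${i.description}</li>`).join('');
}

// Hardened pattern: every piece of feed-supplied text is escaped first, so
// the <img onerror=...> reaches the screen as text, never as an element.
function renderSafe(items) {
  return items.map(i => `<li><b>${escapeHtml(i.title)}</b>: ${escapeHtml(i.description)}</li>`).join('');
}
```

Escaping is the minimum; a widget that must show rich feed content needs a real HTML sanitizer and should render the result in a context without the widget's own privileges.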

In addition, companies should enforce a strict policy for their users on using widgets and widget engines. Since these are not considered business critical applications, or even productivity enhancers in some cases, the use of widgets and gadgets by corporate users should be limited.

This column was written by Vanessa Ho of ConnectIT
