
Finjan: Attackers wild about widgets

By Bill Brenner, Senior News Writer
19 Sep 2007 | SearchSecurity.com


Cyberspace faces a growing threat from attackers who are able to compromise computers through flaws in widgets, add-on tools that allow users to do more with their various Web applications.


That warning comes in a new report from San Jose, Calif.-based security firm Finjan Inc. about Web security trends. The report, prepared by Finjan's Malicious Code Research Center (MCRC), claims that widgets are packed with flaws the digital underground will easily learn to find and exploit.

"Since major portals such as iGoogle, Live.com and Yahoo! all offer personalized portals that utilize widgets, the growing popularity of these cool add-ons is likely to result in their increased use as an attack vector," Finjan said in the report. "New attacks that exploit the insecurities of widgets and gadgets are imminent, and a revised security model should be explored in order to keep users protected from such attacks."

Finjan found in its research that widget environments from operating systems to third-party applications are plagued with inadequate security models that allow malicious widgets to run. The firm also found vulnerable widgets in programs from the likes of Microsoft, Yahoo and MySpace. In fact, the company said, Microsoft and Yahoo have already released security advisories and patches to address some of the problems it found.


"As Widgets become common in most modern computing environments -- from operating system to web portals, their significance from a security standpoint rises," said Yuval Ben-Itzhak, chief technology officer of Finjan in an interview Monday. "Vulnerabilities in widgets and gadgets enable attackers to gain control of user machines, and thus should be developed with security in mind."

He said the widgets problem is part of a larger trend where enterprises and home users are rapidly embracing Web 2.0 technology with no thought about the security implications. SPI Dynamics researcher Billy Hoffman has made similar warnings about the use of Web sites that rely on Asynchronous JavaScript and XML (Ajax).

"These tools were designed to be cool rather than secure," Ben-Itzhak said. "It's all part of the Web 2.0 threat, where people share their favorite content. There's just no guarantee the content is clean."

He said the risk is particularly serious in the business world, where companies either use widgets in in-house programs or offer them to customers. Ben-Itzhak said IT shops should minimize the use of third-party widgets wherever possible and stick with those from larger vendors such as Microsoft or Google, since such organizations are more likely to find and patch problems in their widgets. It's also important for IT staff to inspect the content a widget retrieves.

"These gadgets must retrieve content from a remote server, and you can scan the content to make sure it's harmless," he said.

Security expert Michael Cobb, founder and managing director of Cobweb Applications Ltd., made similar warnings about widgets in a recent commentary for SearchSecurity.com.

"For system administrators, I would seriously consider whether to allow the use of these gadgets," he wrote. "I haven't yet seen any that provide must-have functionality."

Some organizations use them to provide constant updates to employees on enterprise data, such as sales levels or support call waiting times, he noted. While such gadgets certainly offer some benefits, Cobb said he would want to know whether the gadget displays reliable data, doesn't burden the network and is compliant with e-discovery regulations.
