Widgets open the door to hackers.

Byline: By Steve Pain Technology Editor

Seemingly innocent widgets - otherwise known as gadgets - are exposing computer users to a whole host of potential hacker attacks, says specialist firm Finjan.

The findings are among a number uncovered by Finjan's Malicious Code Research Centre (MCRC), whose report reveals that the cool add-ons that add functions to websites contain code that is vulnerable to exploitation by hackers and criminals.

Finjan says it has found widgets are vulnerable to a breadth of attacks and can be used to endanger a user's PC as part of an attacker's weapon arsenal.

Research also suggests new attacks that exploit the insecurities of widgets and gadgets are imminent, and a revised security model should be explored in order to keep users protected.

All types of widget environments - OS, third party applications and web widgets - were found to be plagued with inadequate security models that allowed malicious widgets to run.

In addition, Finjan found vulnerable widgets that were already available - some in default installations.

These findings have already prompted Microsoft and Yahoo to issue security advisories and patches, along with an overhaul of the security models used to host these widgets and gadgets online, as well as in the operating systems that provide them.

"As widgets become common in most modern computing environments - from operating system to web portals, their significance from a security standpoint rises," said Finjan's chief technology officer, Yuval Ben-Itzhak.

"Vulnerabilities in widgets and gadgets enable attackers to gain control of user machines, and thus should be developed with security in mind.

"This attack vector could have a major impact on the industry, immediately exposing corporations to a vast array of new security considerations that need to be dealt with. Organisations require security solutions capable of coping with such a changing environment with the ability to analyse code in real time, and detect malicious code appearing in innovative attack vectors to provide adequate protection," he added.

Finjan also said that since major portals such as iGoogle, Live.com and Yahoo! all offer personalised portals that utilise widgets, the growing popularity of these cool add-ons is likely to result in their increased use as an attack method.

It added that adequate protection from this new attack is dependent upon a major overhaul of the security model of these environments by the vendors.

In the meantime, it has advised users to follow a number of best practices:

Refrain from using non-trusted third party widgets. Widgets and gadgets should be treated as full blown applications, and the use of unknown and untrusted widgets is highly discouraged.

Use caution when using interactive widgets. Widgets that rely on external feeds such as RSS, weather information, external application data, etc., may be susceptible to attacks that exploit this trust by piggybacking a malicious payload on such data.

Organisations should enforce a strict policy for their users on using widgets and widget engines. Since these are not considered business critical applications, or even productivity enhancers in some cases, the use of widgets and gadgets by corporate users should be limited.

Additionally, blocking widget and gadget file types could be enforced at the gateway in order to prevent the downloading of such mini-applications to the corporate network.

To give an idea of the number of widgets and gadgets available, there are 3720 available on google.com, 3197 on apple.com and 3959 on Facebook. Many of these applications are already being used by millions of people.

"Financial gain is the driving force behind the explosive growth of cybercrime," said Mr Ben-Itzhak.

"Increasingly, crimeware has a single goal - to turn data into money.

"Crimeware is used to steal valuable business data that can be turned into money in the burgeoning cybercrime market.

"Hackers are focusing their efforts on stealing sensitive corporate, customer, financial and employee data, which can then be sold online to criminal elements."

stevepain@mrn.co.uk
COPYRIGHT 2007 Birmingham Post & Mail Ltd

Article Details
Title Annotation:Business
Publication:The Birmingham Post (England)
Date:Sep 18, 2007
Words:661