The Ask Nick!™ Security Tango™
Widget-crazy? You are sadly at risk.

Fri 21 Sep 2007 4:30 PM

Widgets are those fun, graphic programs that bring all kinds of nifty toys to your desktop. Most Linux GUI desktops have them, OS X has them, Vista has them, and lots of Web sites have them. And they're great, big security holes. Patches to these things have appeared by the dozens (yes, even for you Mac folks), but they're still security risks.

Finjan, a security company based in San Jose, CA, says that the only thing that will stop the problem is a new security model. According to Finjan, "All types of widget environments ... were found to be plagued with inadequate security models that allowed malicious widgets to run. In addition, we have found vulnerable widgets that were already available (some in the default installation) in the widget environment. These examples clearly show that the design and development of these mini-applications was missing some security considerations." And Finjan's no Johnny-Come-Lately to this; Microsoft credits the security firm for its work behind the MS07-048 patch.

The problem is that widgets are loosely based on Web models, such as HTML-like presentation and rendering and JavaScript-like APIs. Not surprisingly, the types of vulnerabilities they bring to a system are similar to those found on the Web. However, widget and gadget engines magnify the threat, since they share a much deeper connectivity with the underlying operating system.

Vista's Contacts widget has been fixed, but its RSS feed widget (indeed, every operating system's and Web site's RSS feed widget) is vulnerable to malicious code in the feed. iGoogle, Live.com, Amazon, and Yahoo! all have the same widget problems. Every widget represents a potential security threat.

Businesses should block widgets at the gateway. Let's face it, these things aren't mission critical, or even useful for business productivity in most cases.
This attack vector could have a major impact on businesses, and even home users will be vulnerable. In fact, given the recent trend of the bad guys to try to take over home machines (since they're typically less protected), I'd argue that home machines are even more likely to be attacked.

My suggestion? Until the various companies (Microsoft, Apple, Yahoo!, Amazon, Google, etc.) can all prove their widgets have been designed with security in mind, dump 'em. Just don't run them. Yes, they're cute. Yes, they're cuddly. Yes, they're fun. Dump them. When it comes to making a choice between fun and secure, be an adult.
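The RSS feed widget problem described above comes down to feed text being rendered as markup. This added example, which is not part of the original post and not any vendor's code, sets that pattern beside a hardened one; the feed item is constructed, and `widgetApi.run`, `escapeHtml`, `safeLink` and the `renderItem*` functions are hypothetical names.

```javascript
// Constructed sample: a feed item as a feed widget might receive it.
// widgetApi.run() stands in for any privileged widget call (hypothetical).
const hostileItem = {
  title: 'Weather <img src="x" onerror="widgetApi.run()">',
  link: 'javascript:widgetApi.run()',
};

// Vulnerable pattern: feed text is pasted straight into widget markup,
// so any markup in the feed becomes part of the widget's own page.
function renderItemUnsafe(item) {
  return `<a href="${item.link}">${item.title}</a>`;
}

// Encode the five characters that let text break out of HTML content
// or out of a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow only http(s) links; anything else (javascript:, data:, file:,
// unparsable input) is replaced with an inert target.
function safeLink(url) {
  try {
    const parsed = new URL(String(url));
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : '#';
  } catch {
    return '#';
  }
}

// Hardened pattern: feed fields are treated as data, never as markup.
function renderItemSafe(item) {
  return `<a href="${escapeHtml(safeLink(item.link))}">${escapeHtml(item.title)}</a>`;
}
```

Escaping the output does not fix the deeper issue the post raises, which is how much access the widget engine has to the operating system; it only keeps feed content from becoming widget code.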
Text, "Security Tango," and logo Copyright © 2010 Nick Francesco