The latest target for the malware criminal element is those popular widget-driven applications, both desktop and browser-based, thanks to their explosion in popularity and relatively insecure model.
Security firm Finjan issued a recent report that found that widgets (or gadgets) are exposing computer users to a whole host of attacks because they were designed as these cool little innocuous applets without any real security model but have all the power of a full-blown app.
Worse, this vulnerability is not limited to Yahoo Widgets or the Windows Vista sidebar applets. Finjan also found sample exploit code to insert malicious widgets into Microsoft’s Live.com and Google’s iGoogle pages.
“It’s an environment that’s designed to look really cool and provide some basic functionality, but no one thought about basic security,” said Iftach Amit, director of security research at Finjan’s malicious code research center. “There are inherent problems in the security model of those widget engines.”
There’s a lot of widgets out there. Finjan found 3,720 widgets available on Google.com, 3,197 on Apple.com and 3,959 on Facebook.com. The companies offer their own but they also host thousands of third-party widgets for users to install and there’s no guarantee they will catch a widget with malicious code in it.
The problem is widgets are full-blown apps that the hosting environment, whether it’s iGoogle or Yahoo Widgets, doesn’t take into account and they should be restricted or scrutinized a lot more than they are now, said Amit. “They should not access the file system or access the network if they do not need to,” he said.
Already Microsoft and Yahoo have had to make fixes to their widgets and Google is also updating its Desktop and portal pages. Microsoft had to fix the Vista Sidebar after Finjan found a vulnerability in the contacts widget. It also had to fix a problem in the RSS reader used on Live.com.
Finjan also found a problem in Yahoo Widgets Contacts and one in iGoogle that installed itself without user approval or knowledge. It could then access their contents, GMail mailbox and browser history. Yahoo was unavailable for comment, while Google said this:
“They are fixing the vulnerability pretty quickly, but I can’t say what they are doing with the security model. It’s more than just fixing a widget that has been coded badly,” Amit said.
It’s a matter of following a World Wide Web Consortium (W3C) object model for security involving objects and widgets. Only two companies have embraced the W3C object model, according to Amit: Apple and Opera.
The Opera browser uses the W3C widget policy on security and policies. Firefox and Microsoft’s Internet Explorer don’t have a widget environment so there is no comparison, although in its most recent security report, Symantec found that browser plug-ins are also becoming popular malware targets.
Mac OS is more secure since it was one of the participants in the W3C committee that developed the object security recommendations and Apple’s security policy is based on an Apple object model that already exists in Mac OS X.
With some malware issues, it’s often a case of not opening an e-mail from an unknown source. A widget presents a much tougher proposition because it basically means not using the product altogether. But that’s exactly what Amit recommends until the security model in these products improves.
“If you really don’t need it, don’t use it. I know it looks nifty but you have to remember it’s a full-fledged app, and like any app it does have its security problems,” he said.