Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

Finjan reveals that web add-ons can increase web threats

Finjan Software : 17 September, 2007  (Technical Article)
Inadequate security models for 3rd party web add-ons increase vulnerability
Finjan has announced that seemingly innocent Widgets (or Gadgets) are exposing computer users to a whole host of attacks. The findings are one of a number uncovered by Finjan's Malicious Code Research Center (MCRC) and reported in the which reveals that the cool add-ons that add functions to websites contain code that is vulnerable to exploits by hackers and criminals. Finjan has found that widgets are vulnerable to a breadth of attacks and can be used to endanger a user's PC as part of an attacker's weapon arsenal. Finjan's research also suggests that new attacks that exploit the insecurities of widgets and gadgets are imminent, and that a revised security model should be explored in order to keep users protected from such attacks. All types of widget environments (OS, 3rd party applications, and web widgets) were found to be plagued with inadequate security models that allowed malicious widgets to run. In addition, Finjan have found vulnerable widgets that were already available (some in the default installation) in the widget environment. These findings have already prompted Microsoft and Yahoo to issue security advisories and patches and an overhaul of the security models currently used to host these widgets and gadgets online as well as in operating systems that provide them.

"As Widgets become common in most modern computing environments - from operating system to web portals, their significance from a security standpoint rises." According to Finjan CTO Yuval Ben-Itzhak, "Vulnerabilities in widgets and gadgets enable attackers to gain control of user machines, and thus should be developed with security in mind. This attack vector could have a major impact on the industry, immediately exposing corporations to a vast array of new security considerations that need to be dealt with. Organizations require security solutions capable of coping with such a changing environment with the ability to analyze code in real time, and detect malicious code appearing in innovative attack vectors to provide adequate protection."

Since major portals such as iGoogle, and Yahoo! all offer personalized portals that utilize widgets, the growing popularity of these cool add-ons is likely to result in their increased use as an attack vector. Adequate protection from this new attack vector is dependent upon a major overhaul of the security model of these environments by the vendors. In the meantime, users are advised to adhere to the following best practices:

Tips on what you should do to avoid Widget infections:.

1 Refrain from using non-trusted 3rd party widgets. Widgets and gadgets should be treated as full blown applications, and the use of unknown and untrusted widgets is highly discouraged.

2 Use caution when using interactive widgets. Widgets that rely on external feeds such as RSS, weather information, external application data, etc., may be susceptible to attacks that exploit this trust by piggybacking a malicious payload on such data.

3 Organizations should enforce a strict policy for their users on using widgets and widget engines. Since these are not considered business critical applications, or even productivity enhancers in some cases, the use of widgets and gadgets by corporate users should be limited. Additionally, blocking widget and gadget file types could be enforced at the gateway in order to prevent the downloading of such mini-applications to the corporate network.

To give an idea of the number of widgets and gadgets available there are 3720 available on , 3197 on and 3959 on, many of these applications are already being used by millions of people based on information on iGoogle.

All the vulnerabilities described below have been fixed by the corresponding vendors after being discreetly notified by Finjan.

Windows Vista Contacts Widget Vulnerability The Windows Vista operating system comes pre-installed with the "Vista Sidebar" as a basic component (for all flavours of the OS). The Sidebar contains a few existing widgets that can be used out-of-the-box. One of these widgets is the Contacts widget, that enables easy access to contacts stored in the Windows Contacts application (native component of Vista). Finjan researchers discovered a vulnerability in the contacts widget, which enables an attacker to run arbitrary code on the attacked machine by providing a malformed (albeit fully usable and with a completely innocent appearance) contact detail object. This contact, simply by being displayed in the Contacts Widget, would run arbitrary code on the local machine without any user interaction or verification. RSS reader vulnerability is the new and improved portal from Microsoft it enables the user to have a personalized environment which can be customized to display recent headlines (RSS feed), brief summary of hotmail inbox, local weather forecast, etc. The RSS reader widget contained a vulnerability that allowed an attacker to access privileged information from the user account, while impersonating the user and taking control of its browser. The vulnerability resulted from unsanitized data feeds that could contain scripting commands in the items provided by the RSS.

Yahoo! Widgets Contacts vulnerability Yahoo! provides a widget engine that can be installed as a 3rd party application and provide widget functionality for operating systems that do not support this functionality natively. The Contacts widget in the Yahoo! widgets engine contained a vulnerability that allowed an attacker to run arbitrary code if a contact contained unsanitized scripting commands

The Web Security Trends Report (Q3 2007) also explores new developments in financially-focused crimeware with detailed coverage of an actual Trojan that meticulously and evasively targets financial institutions in order to gain access to user accounts and perform financial fraud. In addition, the report sounds the alarm on the proliferation of crimeware toolkits as the leading attack vector on the web -- elaborating on the predictions about crimeware toolkits in Finjan's previous Q2 Report.

"Our latest quarterly Web Security Trends Report continues our ongoing efforts of delivering you-heard-it-here-first information regarding emerging trends in the web security industry," said Finjan CTO Yuval Ben-Itzhak. "We are pleased to share MCRC's important findings during 3Q 2007 with the greater IT community, including real-world examples of malicious code and suggestions as to how businesses and other organizations can protect themselves from the latest web threats."

The Finjan report also discusses the prevalence of web attacks employing highly sophisticated Trojan, keylogger, and rootkit crimeware that targets financial institutions. "Financial gain is the driving force behind the explosive growth of cybercrime," said Ben-Itzhak. "Increasingly, crimeware has a single goal -- to turn data into money. Crimeware is used to steal valuable business data that can be monetized in the burgeoning cybercrime market. Hackers are focusing their efforts on stealing sensitive corporate, customer, financial and employee data, which can then be sold online to criminal elements."

The report provides a detailed analysis of one flavour of Trojan that enabled cybercriminals to gain access to online bank accounts. Abusing the "conditioned" trust that users place in the SSL encrypted connection to their financial providers, the attack was able to hijack the communication, impersonate the bank and perform an attack similar to a phishing scam. The attack harvested additional information from the users, while sending it back to the attack server on a covert encrypted channel.

Said Ben-Itzhak, "This new strain of finely crafted crimeware is more evasive and duplicitous than traditional phishing schemes. These attacks go unnoticed by standard security solutions. Users are unaware that they are being hit as the entire online experience, including the SSL certificate, is identical in every way to that of their particular bank. Truly effective protection in today's dynamic web environment requires the analysis of every piece of code in real-time, regardless of its origin, context, and appearance."

Finjan's Q3 Web Security Trends Report provides a follow-up to the predictions in the previous Q2 report, issued in June 2007, on the availability of ready-made crimeware toolkits. These toolkits heighten the effectiveness of crimeware attacks and increase infection rates by providing update mechanisms, utilizing sophisticated anti-forensic attack techniques, and managing affiliation attack networks. Consistent with this trend, Finjan's current research shows that these toolkits have proliferated to the point where they have already become the favourite attack method for cybercriminals'.

"While users can minimize these threats by taking special care in the sites they browse to, it's important to note that there are legitimate and trusted sites which have been compromised with snippets of malicious code," Ben-Itzhak said. "Database-driven web security products that classify sites in advance are not of use here, as the malicious code may come and go, and the site itself may have a legitimate classification. In addition, it is critically important that organizations deploy the latest updates and security patches, as older vulnerabilities are frequently used in these attacks."
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo