New attacks that exploit widgets and gadgets are imminent

Seemingly innocent Widgets (or Gadgets) are exposing computer users to a whole host of attacks. The findings are one of a number uncovered by Finjan’s Malicious Code Research Center and reported in the Web Security Trends Report (Q3 2007) which reveals that the cool add-ons that add functions to websites contain code that is vulnerable to exploits by hackers and criminals.

Finjan has found that widgets are vulnerable to a breadth of attacks and can be used to endanger a user’s PC as part of an attacker’s weapon arsenal. Finjan’s research also suggests that new attacks that exploit the insecurities of widgets and gadgets are imminent, and that a revised security model should be explored in order to keep users protected from such attacks. All types of widget environments (OS, 3rd party applications, and web widgets) were found to be plagued with inadequate security models that allowed malicious widgets to run.

In addition, Finjan have found vulnerable widgets that were already available (some in the default installation) in the widget environment. These findings have already prompted Microsoft and Yahoo to issue security advisories and patches and an overhaul of the security models currently used to host these widgets and gadgets online as well as in operating systems that provide them.

Since major portals such as iGoogle, Live.com and Yahoo! all offer personalized portals that utilize widgets, the growing popularity of these cool add-ons is likely to result in their increased use as an attack vector. Adequate protection from this new attack vector is dependent upon a major overhaul of the security model of these environments by the vendors.