Finjan: New Attacks That Exploit Widgets and Gadgets Are Imminent

Finjan announces that seemingly innocent widgets (or gadgets) are exposing computer users to a whole host of attacks. The findings are among a number uncovered by Finjan's Malicious Code Research Center (MCRC) and reported in the Web Security Trends Report (Q3 2007), which reveals that the cool add-ons that add functions to websites contain code that is vulnerable to exploits by hackers and criminals.

Finjan has found that widgets are vulnerable to a breadth of attacks and can be used to endanger a user's PC as part of an attacker's weapon arsenal. Finjan's research also suggests that new attacks that exploit the insecurities of widgets and gadgets are imminent, and that a revised security model should be explored in order to keep users protected from such attacks. All types of widget environments (OS, 3rd party applications, and web widgets) were found to be plagued with inadequate security models that allowed malicious widgets to run. In addition, Finjan has found vulnerable widgets that were already available (some in the default installation) in the widget environment. These findings have already prompted Microsoft and Yahoo to issue security advisories and patches, and an overhaul of the security models currently used to host these widgets and gadgets online as well as in the operating systems that provide them.

"As Widgets become common in most modern computing environments – from operating system to web portals, their significance from a security standpoint rises," according to Finjan CTO Yuval Ben-Itzhak. "Vulnerabilities in widgets and gadgets enable attackers to gain control of user machines, and thus should be developed with security in mind. This attack vector could have a major impact on the industry, immediately exposing corporations to a vast array of new security considerations that need to be dealt with. Organizations require security solutions capable of coping with such a changing environment with the ability to analyze code in real time, and detect malicious code appearing in innovative attack vectors to provide adequate protection."

Since major portals such as iGoogle, Live.com and Yahoo! all offer personalized portals that utilize widgets, the growing popularity of these cool add-ons is likely to result in their increased use as an attack vector. Adequate protection from this new attack vector is dependent upon a major overhaul of the security model of these environments by the vendors. In the meantime, users are advised to adhere to the following best practices:

Tips on what you should do to avoid Widget infections

a. Refrain from using non-trusted 3rd party widgets. Widgets and gadgets should be treated as full blown applications, and the use of unknown and untrusted widgets is highly discouraged.
b. Use caution when using interactive widgets. Widgets that rely on external feeds such as RSS, weather information, external application data, etc., may be susceptible to attacks that exploit this trust by piggybacking a malicious payload on such data.
c. Organizations should enforce a strict policy for their users on using widgets and widget engines. Since these are not considered business critical applications, or even productivity enhancers in some cases, the use of widgets and gadgets by corporate users should be limited. Additionally, blocking widget and gadget file types could be enforced at the gateway in order to prevent the downloading of such mini-applications to the corporate network.

To give an idea of the number of widgets and gadgets available, there are 3720 on google.com, 3197 on apple.com and 3959 on Facebook.com; many of these applications are already being used by millions of people, based on information on iGoogle.

All the vulnerabilities described below have been fixed by the corresponding vendors after being discreetly notified by Finjan.

Windows Vista Contacts Widget Vulnerability
The Windows Vista operating system comes pre-installed with the "Vista Sidebar" as a basic component (for all flavours of the OS). The Sidebar contains a few existing widgets that can be used out-of-the-box. One of these is the Contacts widget, which enables easy access to contacts stored in the Windows Contacts application (a native component of Vista). Finjan researchers discovered a vulnerability in the Contacts widget which enables an attacker to run arbitrary code on the attacked machine by providing a malformed (albeit fully usable and completely innocent-looking) contact detail object. This contact, simply by being displayed in the Contacts widget, would run arbitrary code on the local machine without any user interaction or verification.

Live.com RSS reader vulnerability
Live.com is the new and improved portal from Microsoft. It enables the user to have a personalized environment which can be customized to display recent headlines (RSS feeds), a brief summary of the Hotmail inbox, the local weather forecast, etc. The Live.com RSS reader widget contained a vulnerability that allowed an attacker to access privileged information from the user's account while impersonating the user and taking control of their browser. The vulnerability resulted from unsanitized data feeds: the items provided by the RSS feed could contain scripting commands.

Yahoo! Widgets Contacts vulnerability
Yahoo! provides a widget engine that can be installed as a 3rd party application and provide widget functionality for operating systems that do not support this functionality natively. The Contacts widget in the Yahoo! widgets engine contained a vulnerability that allowed an attacker to run arbitrary code if a contact contained unsanitized scripting commands.
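The Live.com RSS reader and Yahoo! Contacts flaws above share one root cause: untrusted text (a feed item, a contact field) becomes widget markup without being encoded. The following is an added example, not Finjan's or either vendor's code, built on a constructed feed; it shows how XML entity decoding turns an escaped description into live markup, the unsafe rendering pattern that then executes it, and the output-encoded fix.

```javascript
// Added example (not Finjan's, Microsoft's or Yahoo!'s code): a feed item
// whose description carries markup, parsed the way a widget would parse it,
// then rendered two ways. The feed below is constructed for this example.

const SAMPLE_RSS = `<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed Feed</title>
<item><title>Weather</title>
<description>Sunny &lt;img src=x onerror="alert('from feed')"&gt;</description></item>
<item><title>Markets</title><description>Stocks flat &amp; calm</description></item>
</channel></rss>`;

// XML entity decoding: this is the step that turns the escaped description
// back into live markup, so the "text" a widget receives is really HTML.
function decodeXmlEntities(s) {
  return s.replace(/&(lt|gt|quot|apos|amp|#(\d+));/g, (m, name, num) => {
    if (num !== undefined) return String.fromCharCode(Number(num));
    return { lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' }[name];
  });
}

// Minimal <item> extractor (a regex is enough for this constructed feed;
// a real widget would use its host's XML parser, with the same result).
function parseItems(rssXml) {
  const items = [];
  const itemRe = /<item>([\s\S]*?)<\/item>/g;
  let m;
  while ((m = itemRe.exec(rssXml)) !== null) {
    const body = m[1];
    const pick = (tag) => {
      const t = new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`).exec(body);
      return t ? decodeXmlEntities(t[1]) : '';
    };
    items.push({ title: pick('title'), description: pick('description') });
  }
  return items;
}

// Vulnerable pattern: feed text pasted straight into the widget's markup
// (the string a widget would then assign to innerHTML).
function renderUnsafe(items) {
  return items.map((i) => `<li><b>${i.title}</b> ${i.description}</li>`).join('');
}

// Hardened pattern: every feed-supplied value is HTML-encoded before it
// becomes markup, so the description is displayed rather than executed.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}
function renderSafe(items) {
  return items
    .map((i) => `<li><b>${escapeHtml(i.title)}</b> ${escapeHtml(i.description)}</li>`)
    .join('');
}
```

The same encoding step applies to any contact field a Contacts widget displays; the point is that data from outside the widget is output-encoded at the moment it is turned into markup.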

The Web Security Trends Report (Q3 2007) also explores new developments in financially-focused crimeware with detailed coverage of an actual Trojan that meticulously and evasively targets financial institutions in order to gain access to user accounts and perform financial fraud. In addition, the report sounds the alarm on the proliferation of crimeware toolkits as the leading attack vector on the web - elaborating on the predictions about crimeware toolkits in Finjan's previous Q2 Report.

The Finjan report also discusses the prevalence of web attacks employing highly sophisticated Trojan, keylogger, and rootkit crimeware that targets financial institutions. "Financial gain is the driving force behind the explosive growth of cybercrime", said Ben-Itzhak. "Increasingly, crimeware has a single goal - to turn data into money. Crimeware is used to steal valuable business data that can be monetized in the burgeoning cybercrime market. Hackers are focusing their efforts on stealing sensitive corporate, customer, financial and employee data, which can then be sold online to criminal elements."

The report provides a detailed analysis of one flavour of Trojan that enabled cybercriminals to gain access to online bank accounts. Abusing the "conditioned" trust that users place in the SSL encrypted connection to their financial providers, the attack was able to hijack the communication, impersonate the bank and perform an attack similar to a phishing scam. The attack harvested additional information from the users, while sending it back to the attack server on a covert encrypted channel.

Ben-Itzhak says, "This new strain of finely crafted crimeware is more evasive and duplicitous than traditional phishing schemes. These attacks go unnoticed by standard security solutions. Users are unaware that they are being hit as the entire online experience, including the SSL certificate, is identical in every way to that of their particular bank. Truly effective protection in today's dynamic web environment requires the analysis of every piece of code in real-time, regardless of its origin, context, and appearance."

Finjan's Q3 Web Security Tre
© 2007 Networking News