Attacks that exploit widgets and gadgets are imminent, says Finjan

Secure web gateway product developer Finjan says that seemingly innocent widgets (or gadgets) are set to expose computer users to a host of new attacks.

Finjan’s Malicious Code Research Center (MCRC) reveals that the cool add-ons that provide functions to websites may also contain code that is vulnerable to exploits by hackers and criminals. The company says it has found that widgets are vulnerable to a breadth of attacks and can be used to endanger a user’s PC. Finjan’s research also suggests that new attacks that exploit the insecurities of widgets and gadgets are imminent – and that “a revised security model should be explored in order to keep users protected from such attacks”.

Finjan CTO Yuval Ben-Itzhak explains that all types of widget environments (OS, third-party applications, and web widgets) are “plagued with inadequate security models” that allow malicious widgets to run. He also says that vulnerable widgets are already available, some in the default installation. Finjan’s findings have already prompted Microsoft and Yahoo to issue security advisories and patches and an overhaul of the security models currently used to host these widgets and gadgets online as well as in operating systems that provide them.

“As widgets become common in most modern computing environments – from operating systems to web portals – their significance from a security standpoint rises,” says Ben-Itzhak. “Vulnerabilities in widgets and gadgets enable attackers to gain control of user machines, and thus should be developed with security in mind.

“This attack vector could have a major impact on the industry, immediately exposing corporations to a vast array of new security considerations that need to be dealt with. Organisations require security solutions capable of coping with such a changing environment with the ability to analyze code in real time, and detect malicious code appearing in innovative attack vectors to provide adequate protection.”