Finjan Reveals New Attacks That Exploit Widgets and Gadgets are Imminent
September 2007 by Finjan
Finjan Inc., a specialist in secure web gateway products, announced that seemingly innocent Widgets (or Gadgets) are exposing computer users to a whole host of attacks. The findings are one of a number uncovered by Finjan’s Malicious Code Research Center (MCRC) and reported in the Web Security Trends Report (Q3 2007), which reveals that the cool add-ons that add functions to websites contain code that is vulnerable to exploits by hackers and criminals. Finjan has found that widgets are vulnerable to a breadth of attacks and can be used to endanger a user’s PC as part of an attacker’s weapon arsenal. Finjan’s research also suggests that new attacks that exploit the insecurities of widgets and gadgets are imminent, and that a revised security model should be explored in order to keep users protected from such attacks. All types of widget environments (OS, 3rd party applications, and web widgets) were found to be plagued with inadequate security models that allowed malicious widgets to run. In addition, Finjan has found vulnerable widgets that were already available (some in the default installation) in the widget environment. These findings have already prompted Microsoft and Yahoo to issue security advisories and patches, and an overhaul of the security models currently used to host these widgets and gadgets online as well as in the operating systems that provide them.
“As Widgets become common in most modern computing environments – from operating system to web portals, their significance from a security standpoint rises,” said Finjan CTO Yuval Ben-Itzhak. “Vulnerabilities in widgets and gadgets enable attackers to gain control of user machines, and thus should be developed with security in mind. This attack vector could have a major impact on the industry, immediately exposing corporations to a vast array of new security considerations that need to be dealt with. Organizations require security solutions capable of coping with such a changing environment with the ability to analyze code in real time, and detect malicious code appearing in innovative attack vectors to provide adequate protection.”
Since major portals such as iGoogle, Live.com and Yahoo! all offer personalized portals that utilize widgets, the growing popularity of these cool add-ons is likely to result in their increased use as an attack vector. Adequate protection from this new attack vector is dependent upon a major overhaul of the security model of these environments by the vendors. In the meantime, users are advised to adhere to the following best practices:
Tips on what you should do to avoid Widget infections
a. Refrain from using non-trusted 3rd party widgets. Widgets and gadgets should be treated as full blown applications, and the use of unknown and untrusted widgets is highly discouraged.
b. Use caution when using interactive widgets. Widgets that rely on external feeds such as RSS, weather information, external application data, etc., may be susceptible to attacks that exploit this trust by piggybacking a malicious payload on such data.
c. Organizations should enforce a strict policy for their users on using widgets and widget engines. Since these are not considered business critical applications, or even productivity enhancers in some cases, the use of widgets and gadgets by corporate users should be limited. Additionally, blocking widget and gadget file types could be enforced at the gateway in order to prevent the downloading of such mini-applications to the corporate network.
To give an idea of the number of widgets and gadgets available, there are 3720 available on google.com, 3197 on apple.com and 3959 on Facebook.com. Many of these applications are already being used by millions of people, based on information on iGoogle (http://www.google.com/ig/directory?cat=all).
All the vulnerabilities described below have been fixed by the corresponding vendors after being discreetly notified by Finjan.
Windows Vista Contacts Widget Vulnerability
The Windows Vista operating system comes pre-installed with the “Vista Sidebar” as a basic component (for all flavors of the OS). The Sidebar contains a few existing widgets that can be used out-of-the-box. One of these widgets is the Contacts widget, which enables easy access to contacts stored in the Windows Contacts application (a native component of Vista). Finjan researchers discovered a vulnerability in the Contacts widget which enables an attacker to run arbitrary code on the attacked machine by providing a malformed (albeit fully usable and completely innocent-looking) contact detail object. This contact, simply by being displayed in the Contacts widget, would run arbitrary code on the local machine without any user interaction or verification.
Live.com RSS Reader Vulnerability
Live.com is the new and improved portal from Microsoft. It gives the user a personalized environment which can be customized to display recent headlines (RSS feeds), a brief summary of the Hotmail inbox, the local weather forecast, etc. The Live.com RSS reader widget contained a vulnerability that allowed an attacker to access privileged information from the user account, while impersonating the user and taking control of their browser. The vulnerability resulted from unsanitized data feeds: scripting commands embedded in the items provided by the RSS feed were rendered by the widget and executed in the user's session.
Yahoo! Widgets Contacts Vulnerability
Yahoo! provides a widget engine that can be installed as a 3rd party application to provide widget functionality on operating systems that do not support it natively. The Contacts widget in the Yahoo! widget engine contained a vulnerability that allowed an attacker to run arbitrary code if a contact contained unsanitized scripting commands.
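The Live.com and Yahoo! findings above share one root cause: untrusted feed or contact text is concatenated into the widget's markup without escaping. The following is an added example, not Finjan's or any vendor's code, showing that unsafe rendering pattern next to a hardened version and a simple detection check; the RSS item and its field names are constructed for the example.

```javascript
// Constructed RSS item carrying script in the title, an event handler in the
// description and a javascript: link; not a real feed.
const SAMPLE_ITEM = {
  title: 'Weather update <script>alert(document.cookie)</script>',
  link: 'javascript:alert(1)',
  description: '<img src=x onerror="alert(1)">Sunny, 24C',
};

// Escape the characters HTML treats specially so feed text is displayed, not parsed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Allow only absolute http(s) links; javascript:, data:, vbscript: and relative
// or unparsable URLs fall back to a harmless anchor.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// The vulnerable pattern: raw feed fields dropped straight into markup that the
// widget then assigns to innerHTML, so any script in the feed runs as the user.
function renderItemUnsafe(item) {
  return `<a href="${item.link}">${item.title}</a><p>${item.description}</p>`;
}

// Hardened rendering: every untrusted field is escaped and the link scheme checked.
function renderItemSafe(item) {
  return `<a href="${escapeHtml(safeHref(item.link))}">${escapeHtml(item.title)}</a>` +
    `<p>${escapeHtml(item.description)}</p>`;
}

// Gateway- or log-side check: flag feed items carrying active markup, inline
// event handlers or a link whose scheme the widget should never follow.
function looksMalicious(item) {
  const fields = [item.title, item.description].map(String);
  const active = /<\s*(script|img|iframe|object|embed)\b|on\w+\s*=/i;
  return fields.some((f) => active.test(f)) || safeHref(item.link) === '#';
}
```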
The Web Security Trends Report (Q3 2007) also explores new developments in financially-focused crimeware with detailed coverage of an actual Trojan that meticulously and evasively targets financial institutions in order to gain access to user accounts and perform financial fraud. In addition, the report sounds the alarm on the proliferation of crimeware toolkits as the leading attack vector on the web — elaborating on the predictions about crimeware toolkits in Finjan’s previous Q2 Report.
“Our latest quarterly Web Security Trends Report continues our ongoing efforts of delivering you-heard-it-here-first information regarding emerging trends in the web security industry,” said Finjan CTO Yuval Ben-Itzhak. “We are pleased to share MCRC’s important findings during 3Q 2007 with the greater IT community, including real-world examples of malicious code and suggestions as to how businesses and other organizations can protect themselves from the latest web threats.”
New Developments in Financially-Focused Crimeware
The Finjan report also discusses the prevalence of web attacks employing highly sophisticated Trojan, keylogger, and rootkit crimeware that targets financial institutions. “Financial gain is the driving force behind the explosive growth of cybercrime,” said Ben-Itzhak. “Increasingly, crimeware has a single goal — to turn data into money. Crimeware is used to steal valuable business data that can be monetized in the burgeoning cybercrime market. Hackers are focusing their efforts on stealing sensitive corporate, customer, financial and employee data, which can then be sold online to criminal elements.”
The report provides a detailed analysis of one flavor of Trojan that enabled cybercriminals to gain access to online bank accounts. Abusing the “conditioned” trust that users place in the SSL encrypted connection to their financial providers, the attack was able to hijack the communication, impersonate the bank and perform an attack similar to a phishing scam. The attack harvested additional information from the users, while sending it back to the attack server on a covert encrypted channel.
Said Ben-Itzhak, “This new strain of finely crafted crimeware is more evasive and duplicitous than traditional phishing schemes. These attacks go unnoticed by standard security solutions. Users are unaware that they are being hit as the entire online experience, including the SSL certificate, is identical in every way to that of their particular bank. Truly effective protection in today’s dynamic web environment requires the analysis of every piece of code in real-time, regardless of its origin, context, and appearance.”
Crimeware Toolkits Proliferate as the Leading Attack Vector on the Web
Finjan’s Q3 Web Security Trends Report provides a follow-up to the predictions in the previous Q2 report, issued in June 2007, on the availability of ready-made crimeware toolkits. These toolkits heighten the effectiveness of crimeware attacks and increase infection rates by providing update mechanisms, utilizing sophisticated anti-forensic attack techniques, and managing affiliate attack networks. Consistent with this trend, Finjan’s current research shows that these toolkits have proliferated to the point where they have already become the favorite attack method of cybercriminals.
“While users can minimize these threats by taking special care in the sites they browse to, it’s important to note that there are legitimate and trusted sites which have been compromised with snippets of malicious code,” Ben-Itzhak said. “Database-driven web security products that classify sites in advance are not of use here, as the malicious code may come and go, and the site itself may have a legitimate classification. In addition, it is critically important that organizations deploy the latest updates and security patches, as older vulnerabilities are frequently used in these attacks.”
Malicious Code Research Center (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet applications, as well as other popular programs. MCRC’s goal is to stay steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as Spyware, Trojans, Phishing attacks, worms and viruses. MCRC shares its research efforts with many of the world’s leading software vendors to help patch their security holes. MCRC is a driving force behind the development of next generation security technologies used in Finjan’s proactive web security solutions.