Widget Woes

Widgets and gadgets of the desktop variety are becoming a headache. When they are not swallowing up memory they are proving to be the tiny crack through which virus nasties are slipping.

A quick glance to the right of my screen reveals a pot of virtual tulips that needs a virtual watering, a smiley face tracking my CPU usage, rolling news feeds, a weather forecast for London (not my location, but it's a long story), a notepad and the to-do list I couldn't do without. OK, I am the kind of widget addict that support teams, running out of thumbs to plug the virus dam, could do without.

It gets worse. It turns out gadget fans may be inviting all sorts of horrors onto their PCs that are finding their way onto the network and putting network security at risk. True widget warriors who like to customise their desktops daily may remember that some come with a health warning – "Google has not tested this" and the like.

Finjan’s Malicious Code Research Center tracks the latest top priority security threats and has found that widgets and gadgets are vulnerable to a range of attacks. These findings did spark a few security advisories by major vendors who rushed out patches, and an overhaul of the security models used to host these widgets and gadgets online as well as in operating systems.

Finjan found problems with Windows Vista contacts sidebar, Live.com RSS feed and the Yahoo contacts widget. All these vendors have since fixed these problems.

Yahoo told its widget users in the summer about a security issue, commonly referred to as a buffer overflow, in an ActiveX control that is part of the software package downloaded with Yahoo! Widgets. Users were asked to download a security patch, but those that haven't remain vulnerable.

A buffer overflow might cause applications to crash, but Yahoo points out this could only happen if an attacker succeeds in prompting someone to view malicious HTML code, such as by getting the person to visit their web page.

Microsoft has recognised the problem and has guidelines for secure programming best practices for building Windows Vista sidebar gadgets. Its developer network blog points out that the Windows Vista sidebar hosts gadgets built from HTML, JavaScript and potentially ActiveX controls, and because gadgets are HTML they are subject to scary cross-site scripting style bugs, allowing script in the sidebar to run arbitrary code on the locally logged-on user's PC.

It advises us not to trust input, and to validate and sanitise untrusted input. Obvious, you might think, but clearly too many of us are ignoring the "not from a trusted source" notices.
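To make that advice concrete, here is an added example (not code from the column, from Microsoft's gadget guidance or from any vendor's widget) of the pattern behind the cross-site scripting bugs described above. A sidebar-style gadget takes an item from an external news feed and builds the markup it will display. The feed item, the function names and the check are all constructed for illustration; the "unsafe" renderer pastes feed fields straight into HTML the way a gadget that assigns to innerHTML does, while the hardened one escapes every field and only lets http(s) links through.

```javascript
// Constructed sample feed item: the kind of untrusted input a feed-driven
// gadget receives. The title carries a script tag and the link uses a
// javascript: URL; neither should ever reach the sidebar as live markup.
const SAMPLE_ITEM = {
  title: 'Breaking: <script>alert(1)</script> tulips need watering',
  link: 'javascript:alert(1)',
  summary: 'Forecast for London: rain, again.',
};

// Vulnerable form: feed fields are interpolated directly into markup,
// so any HTML or script in the feed becomes part of the gadget's page.
function renderItemUnsafe(item) {
  return `<li><a href="${item.link}">${item.title}</a><p>${item.summary}</p></li>`;
}

// Escape the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only http(s) links. javascript:, data:, vbscript: and unparseable
// values all collapse to an inert '#' anchor.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return parsed.href;
    }
  } catch (_) {
    // not a valid absolute URL; fall through to the inert link
  }
  return '#';
}

// Hardened form: every field is escaped and the link is scheme-checked
// before it is placed in an attribute.
function renderItemSafe(item) {
  const href = escapeHtml(safeHref(item.link));
  return `<li><a href="${href}" rel="noopener">${escapeHtml(item.title)}</a>` +
         `<p>${escapeHtml(item.summary)}</p></li>`;
}

// Crude detector used only to show the difference between the two
// renderers: live script tags, inline event handlers, javascript: URLs.
// It is a demonstration aid, not a sanitiser.
function hasActiveContent(html) {
  return /<script\b|\bon\w+\s*=|javascript:/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe :', renderItemUnsafe(SAMPLE_ITEM));
console.log('safe   :', renderItemSafe(SAMPLE_ITEM));
console.log('unsafe has active content:', hasActiveContent(renderItemUnsafe(SAMPLE_ITEM)));
console.log('safe has active content  :', hasActiveContent(renderItemSafe(SAMPLE_ITEM)));
```

The design point is that escaping happens at the moment the untrusted string is placed into markup, and that links are checked by scheme rather than by a blocklist of bad prefixes. A gadget that does this still shows the feed's headline, only as text rather than as code the sidebar host will execute.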

Interactive widgets – the really useful ones that rely on external feeds – present the greatest risk, offering a free ride to malicious code. It looks as if the time has come to block widget and gadget application file types at the gateway to the business if networks are to be kept secure.