Finjan Inc has published its latest Web Security Trends report which contains everything you would expect, plus something you probably would not: your widgets are out to get you.

Widgets, or desktop gadgets if you prefer, are exposing users to a whole host of not so delightful security exploits. Finjan's Malicious Code Research Center (MCRC) discovered that these super cool add-ons can be hot stuff when it comes to security, often containing code that is vulnerable to exploits by hackers and criminals. Finjan's research also suggests that new attacks that exploit the insecurities of widgets and gadgets are imminent. So perhaps it is time a revised security model is implemented to keep users protected from such attacks.

"As Widgets become common in most modern computing environments - from operating system to web portals, their significance from a security standpoint rises." According to Finjan CTO Yuval Ben-Itzhak, "Vulnerabilities in widgets and gadgets enable attackers to gain control of user machines, and thus should be developed with security in mind. This attack vector could have a major impact on the industry, immediately exposing corporations to a vast array of new security considerations that need to be dealt with. Organizations require security solutions capable of coping with such a changing environment with the ability to analyze code in real time, and detect malicious code appearing in innovative attack vectors to provide adequate protection."

Finjan is suggesting a host of measures to protect yourself from widget attack, including refraining from using non-trusted 3rd party widgets and using caution with interactive widgets. But it could have saved some energy by cutting to the chase and just running with the last item on the list:

"Organizations should enforce a strict policy for their users on using widgets and widget engines. Since these are not considered business critical applications, or even productivity enhancers in some cases, the use of widgets and gadgets by corporate users should be limited. Additionally, blocking widget and gadget file types could be enforced at the gateway in order to prevent the downloading of such mini-applications to the corporate network."

Amen to that brother!

If you remain unconvinced about the problems that widgets bring to the security table, read on. All the vulnerabilities described below have been fixed by the corresponding vendors after being discreetly notified by Finjan.

Windows Vista Contacts Widget Vulnerability The Windows Vista operating system comes pre-installed with the "Vista Sidebar" as a basic component (for all flavours of the OS). The Sidebar contains a few existing widgets that can be used out-of-the-box. One of these widgets is the Contacts widget, that enables easy access to contacts stored in the Windows Contacts application (native component of Vista). Finjan researchers discovered a vulnerability in the contacts widget, which enables an attacker to run arbitrary code on the attacked machine by providing a malformed (albeit fully usable and with a completely innocent appearance) contact detail object. This contact, simply by being displayed in the Contacts Widget, would run arbitrary code on the local machine without any user interaction or verification. RSS reader vulnerability is the new and improved portal from Microsoft it enables the user to have a personalized environment which can be customized to display recent headlines (RSS feed), brief summary of hotmail inbox, local weather forecast, etc. The RSS reader widget contained a vulnerability that allowed an attacker to access privileged information from the user account, while impersonating the user and taking control of its browser. The vulnerability resulted from unsanitized data feeds that could contain scripting commands in the items provided by the RSS.

Yahoo! Widgets Contacts vulnerability Yahoo! provides a widget engine that can be installed as a 3rd party application and provide widget functionality for operating systems that do not support this functionality natively. The Contacts widget in the Yahoo! widgets engine contained a vulnerability that allowed an attacker to run arbitrary code if a contact contained unsanitized scripting commands.

For anybody still interested in making gadgets/widgets after reading this, here is a good read by a couple guys from Microsoft about how they're handled. Mostly common sense stuff though, but I remembered it after seeing this...