Widgets: Easy, fun, high risk

Posted in malware info - know the threat, spyware news

What is a widget?

In Vista, widgets can be added to the Windows Sidebar.

In short, a widget is a small application that makes it easy for users to follow their favorite blogs using RSS feeds, monitor stocks, view news, check the weather forecast, and make the desktop more attractive.

 

Types of Widgets:

There are two types: desktop widgets and web widgets. Desktop widgets are applications that run on the desktop. Windows Vista comes with desktop widgets installed by default. These are known as gadgets, and they appear in Windows Vista's sidebar. This is convenient for Vista users, since they can follow the feeds they subscribe to using Internet Explorer.

 

A web widget is another type that can easily be installed in any webpage or blog. Users can use web widgets to enhance a number of web-based hosts, or drop targets. Categories of drop targets include social networks, blogs, and personal homepages.

Security Issues

Recently, it has become known that widgets are highly vulnerable to malware attacks. For one thing, widgets are built using JavaScript and AJAX technology, which exposes them to cross-site scripting attacks. Developers also do not pay much attention to the security of these apps. Just like browsers, e-mail clients and messenger programs, widgets could be hijacked and used to monitor users' activity and create botnets. Hence, savvy cyber criminals see widgets as a choice for executing malware and hijacking attacks.

In August, a vulnerability was identified that enabled a remote attacker to run code on a victim's computer without the victim's permission. For example, if a user adds an RSS feed from a malicious website, or adds a malicious contact file, in the gadget, the attacker has a chance to run a malicious program on that system. Because of this, a Microsoft security update was released that addresses the vulnerability by improving validation code within Feed Headlines and Contact.
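The general risk described above, untrusted feed content ending up in a script-based widget's markup, can be shown with a small added example. This is not code from the original post, and it is neither the actual Vista gadget flaw nor Microsoft's fix; the function names and the constructed sample feed are assumptions made for illustration.

```javascript
// Added example: rendering untrusted feed items in a script-based widget.
// FEED_ITEMS is constructed sample data, not taken from any real feed.
const FEED_ITEMS = [
  { title: "Markets close higher", link: "https://news.example/markets" },
  { title: '<img src=x onerror="doSomething()">', link: "https://news.example/a" },
  { title: "Weather update", link: "javascript:doSomething()" },
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can change HTML structure or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) links; anything else (javascript:, data:, relative) is dropped.
function safeLink(raw) {
  try {
    const url = new URL(String(raw));
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
  } catch (e) {
    return null; // not a parseable absolute URL
  }
}

// Weak pattern: feed fields are concatenated straight into markup.
function renderItemUnsafe(item) {
  return '<li><a href="' + item.link + '">' + item.title + "</a></li>";
}

// Hardened pattern: validate the link, escape the title, fall back to plain text.
function renderItemSafe(item) {
  const title = escapeHtml(item.title);
  const href = safeLink(item.link);
  return href
    ? '<li><a href="' + escapeHtml(href) + '">' + title + "</a></li>"
    : "<li>" + title + "</li>";
}

function renderFeed(items, renderItem) {
  return "<ul>" + items.map(renderItem).join("") + "</ul>";
}

console.log(renderFeed(FEED_ITEMS, renderItemUnsafe)); // feed markup reaches the page as-is
console.log(renderFeed(FEED_ITEMS, renderItemSafe));   // feed markup is shown as inert text
```

In a real widget the same effect is achieved by assigning feed text through `textContent` instead of `innerHTML`, with the link check applied before setting `href`.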

 

For Yahoo! Widgets, a vulnerability was discovered in version 4.0.3 that also allows an attacker to run malicious code on the user's PC. The flaw is caused by an error within an ActiveX control that could cause a stack-based buffer overflow. Users can fix this problem by downloading the latest update to version 4.0.5. If not, the vulnerability will still exist.

Be careful: think twice before adding a widget.

It is a good idea to stay away from untrusted sources of widgets. Users should also always take malware prevention steps and have good security software installed.
