Widgets: Easy, fun, high risk

Posted in malware info - know the threat, spyware news

What is a widget?

In Vista, widgets can be added to the Windows Sidebar

In short, a widget is a small application that makes it easy for users to follow their favorite blogs using RSS feeds, monitor stocks, view news, check the weather forecast, and make the desktop more attractive.

 

Types of Widgets:

There are two types: desktop widgets and web widgets. Desktop widgets are applications that run on the desktop. Windows Vista ships with desktop widgets installed by default; these are known as gadgets and appear in the Windows Vista sidebar. This is convenient for Vista users, since they can follow the feeds they subscribe to using Internet Explorer.

 

A web widget is another type, one that can easily be installed in any webpage or blog. Users can utilize web widgets to enhance a number of web-based hosts, or drop targets. Categories of drop targets include social networks, blogs, and personal homepages.

Security Issues

Widgets have recently become known to be highly vulnerable to malware attacks. One reason is that widgets are built using JavaScript and AJAX technology, which exposes them to cross-site scripting attacks. Developers also do not pay much attention to the security of these apps. Just like browsers, e-mail clients and messenger programs, widgets could be hijacked to monitor users' activity and to create botnets. Hence, savvy cyber criminals see widgets as a way to carry out malware and hijacking attacks.

In August, a vulnerability was identified that enabled a remote attacker to run code on a victim's computer without the victim's permission. For example, if a user added an RSS feed from a malicious website, or added a malicious contact file, to the gadget, the attacker had a chance to run a malicious program on that system. Because of this, a Microsoft security update was released that addresses the vulnerability by improving the validation code within Feed Headlines and Contact.
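As an added example (not code from the original post or from any widget vendor), this sketch shows the kind of feed-field validation described above: a feed-headlines widget that builds markup from RSS titles and links, first unsafely and then with output escaping and a link-scheme allowlist. The function names and sample items are constructed for illustration.

```javascript
// Constructed feed items, as a widget might hold them after parsing an RSS feed.
const sampleItems = [
  { title: "Markets close higher", link: "https://news.example/markets" },
  { title: '<img src=x onerror="alert(1)">', link: "https://news.example/a" },
  { title: "Weather update", link: "javascript:alert(1)" },
];

// Unsafe: feed fields are concatenated straight into markup, so any HTML
// in a title or link is interpreted when the widget displays it.
function renderUnsafe(items) {
  return items.map((i) => `<a href="${i.link}">${i.title}</a>`).join("\n");
}

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Allow only absolute http(s) links; any other scheme is rejected.
function safeLink(raw) {
  try {
    const u = new URL(String(raw));
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Hardened: validate the link and escape every field before it reaches markup.
// Items with a rejected link are shown as plain text instead of a hyperlink.
function renderSafe(items) {
  return items.map((i) => {
    const title = escapeHtml(i.title);
    const href = safeLink(i.link);
    return href ? `<a href="${escapeHtml(href)}">${title}</a>` : `<span>${title}</span>`;
  }).join("\n");
}
```

In a widget that has a DOM available, assigning the title through `textContent` instead of `innerHTML` achieves the same escaping without a hand-written helper.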

 

For Yahoo! Widgets, a vulnerability was discovered in version 4.0.3 that also allows an attacker to run malicious code on the user's PC. The flaw is caused by an error within an ActiveX control that could cause a stack-based buffer overflow. Users can fix this problem by downloading the latest update, version 4.0.5. If they do not, the vulnerability will still exist.

Be careful, think twice before installing a widget.

It is a good idea to stay away from untrusted sources of widgets. Users should also always take malware prevention steps and have good security software installed.


Researchers spot rootkits on more Sony USB drives

Posted in spyware news

August 30, 2007 (Computerworld) — A second line of USB drives sold by Sony Electronics Inc. that uses rootkit tactics to hide files has been identified, and the devices’ software remains on the Web, a researcher said today.

Hackers using just one of the package’s files can mask their attack code from some security scanners, said Mikko Hypponen, chief research officer at Helsinki, Finland-based F-Secure Corp. “This new rootkit [which can still be downloaded] can be used by any malware author to hide any folder.”

On Monday, F-Secure announced that the fingerprint-reader software included with Sony’s MicroVault USM-F flash drives stores files in a hidden directory that could be used by hackers to cloak their malicious code. F-Secure noted that the USM-F models were difficult, but not impossible to find. Sony has since confirmed that the line has been discontinued.

But its replacement, the USM512FL, is widely available, and shares the rootkit-like techniques of its predecessor. “They have the same functionality in the latest as well,” said Hypponen.

Sony has removed the download links for the USM-F and USM512FL software from its MicroVault support site, but Computerworld was easily able to locate a live link — and download the software — by searching through Google’s cache.

Since F-Secure disclosed Sony’s newest rootkit snafu, several other research teams have confirmed the company’s findings. On Tuesday, McAfee Inc. analysts agreed that hackers could use one of the executable files in the USB drive software to hide any folder, and all the files in that folder, from the prying eyes of security scanners. “Alternately, [attackers] could simply hide their malicious creations in the default installation directory itself,” McAfee researchers Aditya Kapoor and Seth Purdy said in a post to the Avert Labs’ blog.

Kapoor and Purdy also identified FineArt Technology Co., a Taiwanese developer, as the makers of the fingerprint-reading MicroVault software. On its Web site, FineArt touts Fingerprint Disk, a suite of tools for authenticating fingerprint-access and encrypting files and folders. FineArt could not be reached Thursday because of time zone differences.

“[Their] apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives,” said Kapoor and Purdy. “However, in this case the authors apparently did not keep the security implications in mind.”

U.K.-based Sophos PLC also confirmed the presence of rootkit technologies in the FineArt-created software bundled with the MicroVault drives.

Sony, meanwhile, was still looking into the claims as of late Wednesday, said spokesman Tom Di Nome, who had little to share. “We are still investigating this and are taking the issue very seriously,” he said.

These latest rootkit charges are not the first to be leveled against Sony. Nearly two years ago, security researchers spotted rootkit-like cloaking technologies used by the copy-protection software that Sony BMG Music Entertainment installed on PCs when customers played the label’s audio CDs. The Federal Trade Commission later alleged that Sony had violated federal law and settled with the company earlier this year. Before that, Sony paid out nearly $6 million to settle cases with the U.S.

The concern now is that attackers will use the FineArt/Sony files — which can still be downloaded from Sony’s Web site — to add invisibility to their exploits.

But in a blog posting this morning, F-Secure’s Hypponen stressed that while the MicroVault and Sony BMG cases are similar, this newest security breakdown is not as flagrant. “The fingerprint driver does not hide its folder as ‘deeply’ as does the XCP [the rootkit-style software developed by Fortium Technologies Ltd. for use by Sony BMG] folder,” said Hypponen. “The MicroVault software probably wouldn’t hide malware as effectively from [some] real-time antivirus scanners.”
computerworld.com


New Intel Processor Fights Rootkits, Virtualization Threats

Posted in spyware news

But experts say new features still aren’t true anti-rootkit technologies

By Kelly Jackson Higgins
Senior Editor, Dark Reading

Intel today rolled out a new desktop processor for business machines with hardware-based security features that it says can help prevent stealth malware attacks and better secure virtual machines.

The new vPro 2007 Platform, which was code-named Weybridge by Intel, also comes with an upgraded feature that better tracks and logs network traffic for malicious patterns, as well as support for 802.1x and Cisco NAC platforms so that if the operating system is down, you can still manage the endpoints because network security credentials are stored in hardware. Intel’s new vPro platform also comes with new built-in management and energy-efficiency features.

Mike Ferrin-Jones, Intel’s director of digital office platform marketing, says attackers increasingly are writing stealthier malware that evades detection by software-based tools, and some that even disable them: “That gives them free rein over the system.” That has held some enterprises back from going with virtualization technology, he says.

Intel’s new processor — via its so-called Trusted Execution Technology (TXT) and Intel Virtualization Technology for Directed I/O features — can better protect virtualized software from these kinds of attacks by detecting any changes to the virtual machine monitor; restricting memory access by unauthorized software or hardware; and protecting virtual machines from memory-snooping software, according to the company.

Stealth malware expert Joanna Rutkowska, founder of Invisible Things Lab, says Intel’s new Trusted Execution Technology (TXT) and Intel Virtualization Technology for Directed I/O features sound like a step in the right direction for protecting against stealth malware attacks, as are AMD’s SKINIT and External Access Protection features, which were released last year.

“I don’t believe we can address some problems like kernel rootkits and especially virtualization-based rootkits, without help from the hardware vendors,” she says.

Rutkowska says that, based on what she could surmise from the press materials provided to her, Intel’s Virtualization for Directed I/O appears “to let you create more secure hypervisors and deploy secure micro kernel-based OSes.”

Still, these technologies aren’t true anti-rootkit technologies, she says. “They are, rather, technologies that [for example] would allow [you] to build better OSes, not prone that much to rootkit infections as the OSes we have today [are].”

The key, Rutkowska says, is for OS and software vendors to use Intel’s new hardware-based security, as well as AMD’s in its new Barcelona processors. “It’s all in the hands of software and OS vendors now,” she says. “If they don’t redesign their products to make use of those new technologies in a proper way, those new technologies will be pretty useless.”

Intel’s Ferrin-Jones says hardware-based security in the new platform, based on Intel’s Core 2 Duo processor and Q35 Express chipset, helps where software-based security cannot. “Most security applications run inside the OS,” he says. “For the systems to be protected and secured, those apps have to be up and running, as does the OS.” Features such as “remote wakeup” capabilities aren’t secure or available if the OS goes down.

Meanwhile, major computer makers and resellers are now selling desktops with the new vPro processor, according to Intel, including Dell, HP, and Lenovo, and the company says 350 organizations have already deployed it.

Intel is also currently working with virtual machine monitor and security software vendors to enable their products to work with the new platform, Ferrin-Jones says.

source: http://www.darkreading.com
