Widgets: the next big security threat?

LATEST NEWS

Computerworld is New Zealand's only specialised information systems fortnightly.
Subscribe now for $100 (23 issues) and save more than 37% off the cover price!

Get the latest news from Computerworld delivered via email.
Sign up now

Despite their innocent appearance, gadgets generally have full system access

By Ulrika Hedquist | Auckland | Tuesday, 23 January, 2007

Desktop gadgets and widgets that display system information and other data, like weather forecasts, are becoming so popular they could become the next big security threat, says Eric Chien, security response engineer at Symantec.

Gadgets such as Google gadgets and Yahoo widgets, which typically provide real-time graphical information about current battery status, the weather, stock quotes or the latest headlines, are not plug-ins or “sandboxed applets”, says Chien. Instead, they are fully fledged applications that have the potential to be malicious.

Gadgets are overlaid on the desktop or docked to a toolbar and can be written in scripting languages such as JavaScript or VBScript, says Chien. They can also be written using compiled languages such as C++ or C#.

Despite their innocent appearance, gadgets generally have full system access like any other program and can be used to perform malicious actions, including Trojans, worms and viruses, he says. Some gadget-specific application programming interfaces (APIs) could also provide access to services that would normally require authentication, he says. Gadgets could search the system for specific information, hook the keyboard or browser and then export the information to remote systems, via HTTP, email or instant messaging, he says.

“And because all gadgets support JavaScript, cross-platform infections are possible,” he adds. “A Yahoo gadget could, potentially, infect a Vista gadget, for example.”

Windows Vista will ship with the Sidebar technology, which hosts and supports gadgets, and this may make gadgets a popular avenue of attack, warns Chien. However, while creating malicious gadgets is quite possible, widespread infections from gadgets are not a huge threat yet because the number of gadget framework users is a lot smaller than, for example, the number of Windows users, he says.

David Rayner, Windows client marketing manager at Microsoft New Zealand, says gadgets pose no more or less of a threat than anything else downloaded from the internet.

“We’re committed to making Windows Vista the most secure version of Windows yet,” he says.

He adds that Microsoft hopes to be able to announce some local gadgets at the Vista launch on January 30.

It is easy to open-up gadgets and check the code, says Chien. So, if you know anything about coding, you can easily detect if a gadget is malicious. On the other hand, because most gadgets are written in script languages, it is also quite easy to add to the existing code and modify the gadget. Some frameworks do prevent gadgets from being modified, but gadgets are easily modified in Vista, he says.

Users should only install gadgets that they know come from reputable locations, says Chien. And enterprises need to consider whether gadgets really are necessary.

Chien spoke at the AVAR (Association of Anti-virus Asia Researchers) conference, held in Auckland in December last year.