Widgets put firms at risk

Employees who run widgets and gadgets on their desktop could compromise network security

Employees who run widgets and gadgets on their desktop could be compromising their firm’s network security, according to a new report from security vendor Finjan.

Finjan’s chief technology officer, Yuval Ben-Itzhak, said that widgets and gadgets on user interfaces are vulnerable to attack code.

“In our experience, most of these attacks are after data. The attackers are looking for your online banking details and any other documents they can find, to see what they can sell,” Ben-Itzhak said.

In its report, Finjan outlined three widget-based attacks targeting Yahoo’s Contacts widget, Microsoft’s Live.com RSS reader widget and the Vista sidebar contacts widget.

Ben-Itzhak said Finjan has seen an increase in the use of these applications to deliver malicious code. “We believe that this is an emerging trend similar to the increase in online advertising we flagged up in January and which is now being seen in some of the online banner adverts,” he said.

The Finjan report includes advice to help firms deal with employees who may be weakening their network security. It recommends that IT managers think of widgets as full-blown applications and not allow users to install non-trusted third-party widgets.

The report suggests that firms enforce a strict user policy for widgets and widget engines, and also consider blocking widget and gadget file types at the gateway.

However, Ben-Itzhak advised against a blanket ban. “Users like widgets and gadgets, so I don’t think a complete block would play well in enterprises,” he said.