It has always been said that the advent of Web 2.0 has heralded a new phase in computing experience and security. That is, while Web 2.0 sites and applications let users experience highly interactive and user-friendly platforms, they may also make those users susceptible to threats from attackers.
Take for instance the case of widgets, aka “the next small thing”. These little interactive virtual tools (clocks, calculators, stock tickers, etc.) can be downloaded by users onto their desktops for easy access, or can be used to enhance Web sites and pages (most commonly the plethora of social networking sites and blogs). One of the popular go-to sources for these programs is Yahoo! Widgets, which has more than 4,000 widgets in its catalogue.
Recently, however, Yahoo! issued a security advisory prompting users to download an update for their widgets. This is because a vulnerability was discovered in the ActiveX control of the software package that comes with the widgets. When successfully exploited, this vulnerability could allow remote attackers to execute malicious code on an affected machine, in the context of the user who visits a page that instantiates the control. Imagine, therefore, what the impact of this vulnerability will be as soon as exploit code is made available for cybercriminals to use (I’m pretty much certain one is available now as of writing). Given the “share-able” nature of widgets, all it takes is one malicious user to set up a site with an exploited widget on it. With a little help from some social engineering to trick users into visiting that site, a chain of infections can immediately take place!
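For administrators who cannot roll out the vendor update immediately, the standard stopgap for a vulnerable ActiveX control is Internet Explorer’s “kill bit”: a Compatibility Flags value of 0x400 under the ActiveX Compatibility registry key for the control’s CLSID, which stops IE from instantiating that control from a web page at all. The script below is an added example written for this post, not code from Yahoo! or from the advisory; the CLSID it takes is a placeholder parameter (the post does not name the affected control’s CLSID, and the script does not guess it). It reports whether the kill bit is set in both the native and WOW6432Node registry views and, with -SetKillBit, sets it.

```powershell
<#
  Added example (not from the original post or from Yahoo!):
  check, and optionally set, the IE kill bit for an ActiveX control.

  The CLSID passed in is an assumption supplied by the caller; the real
  control's CLSID is taken from the vendor advisory, never guessed.
  Run from an elevated PowerShell prompt when using -SetKillBit.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
    [string]$Clsid,        # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
    [switch]$SetKillBit    # set the kill bit if it is missing
)

# COMPAT_FLAG_KILLBIT: IE refuses to load the control when this bit is set
$KillBitFlag = 0x400

# Kill bits live here; on 64-bit Windows the 32-bit IE reads the Wow6432Node copy
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

foreach ($path in $paths) {
    $flags = 0
    if (Test-Path $path) {
        $value = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -ne $value) { $flags = [int]$value.'Compatibility Flags' }
    }

    $isKilled = ($flags -band $KillBitFlag) -ne 0
    $state = if ($isKilled) { 'SET' } else { 'NOT set' }
    "{0}`n  kill bit {1} (Compatibility Flags = 0x{2:X})" -f $path, $state, $flags

    if ($SetKillBit -and -not $isKilled) {
        # Create the per-CLSID key if needed, then OR in the kill bit without
        # disturbing any other compatibility flags already present.
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' `
            -Value ($flags -bor $KillBitFlag) -Type DWord
        "  -> kill bit set; IE will no longer instantiate $Clsid"
    }
}
```

Save it as, say, Set-ActiveXKillBit.ps1 and run `.\Set-ActiveXKillBit.ps1 -Clsid '{...}'` to audit, or add `-SetKillBit` to block the control. Two caveats: the kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from loading the control, so it does not fix the underlying bug, and it is a stopgap until the vendor update is installed; and if the vendor ships a fixed control under a new CLSID, the old one can stay killed without affecting the update.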
Compound that with 4,000 widgets and thousands, make that millions, of users using them… well, the numbers speak for themselves.
Granted, there’s always a risk involved when developing programs. The discovery of the flaw should serve as a lesson to those wanting to join the widget wagon. That is, usability is key, but security should also be considered, given the current threat landscape. Kudos to Yahoo! for promptly addressing the issue. Otherwise, and I know this sounds passé, their widgets will prove small but terrible.
Additional text by Jercyl Lerin