Risk
8/25/2010
05:03 PM
Connect Directly
RSS
E-Mail
50%
50%

Careful With That Third-Party Web Widget

Smaller businesses are more likely to use third-party Web applications on their websites -- and they are less likely to scan such code

Small- and midsized businesses use a lot of third-party Web applications: It saves them money and allows them to embed expertise that they might not otherwise have. But it can also open up their business and their customers to attack.

The recent Network Solutions incident shows how this practice can go very wrong: Ten days ago, the Internet domain provider learned that a Web-services widget that it had placed on at least 120,000 parked Web pages was infecting visitors with malware. The firm reportedly downloaded the widget, known as the Small Business Success Index, on third-party online directory WidgetBox.

As more businesses continue to use third-party code in their websites and import content from other sites, the security of their visitors increasingly relies on others.

"Over the past five years, Web 2.0 has taken the world by storm," says Neil Daswani, chief technology officer of Web scanning firm Dasient. "As a website administrator, your security is actually dependent on a bunch of third parties, so you should make sure to monitor all your code and widgets."

Network Solutions is not the only Internet company to inadvertently host malicious code on its website. A year ago, The New York Times infected an unknown number of visitors with a rogue program after fraudsters posed as a legitimate advertiser and submitted a virus-laden ad to the news service. Other websites -- such as Snapple.com, BusinessWeek and Fox News -- have had to deal with similar problems, Daswani notes.

The impact on a business hosting rogue code on its website can be dramatic and long-term. If Google flags a site as malicious because it's hosting rogue code, traffic can drop by as much as 95 percent, Daswani says. "We have received feedback from customers that even when the resolve the issue and their site is un-blacklisted, there still is an impact on their traffic," he says.

Solving this issue is not easy. There is no standard or accepted way to certify that code is safe and secure, says Andy Chou, chief scientist for code scanning firm Coverity. "In other industries, there are certifications for certain quality measurements of the products," Chou says. "There are lots of ways in other industries to show the consumer what they are getting. In software, there is nothing like that -- the users have to test it themselves."

Companies should scan programs for malicious software or Trojan horses on a regular basis, security experts say. Developers can use a static scanner to scan source code for security vulnerabilities. Run-time scanners and antivirus scanners can be used to detect malicious activity in widgets and programs before they are posted to a website.

However, the sites should be checked frequently as well, says Wayne Huang, chief technology officer of site-scanning firm Armorize. "A combination is a good approach," Huang says. "Source-code scanning has its limitations, but so does honey-client-type Web scanning."

Security experts don't expect more companies to regularly scan their sites until a larger number suffer from issues similar to Network Solutions.

"This is an area that people are only now waking up to," says Coverity’s Chou. "From our experience with software development organizations, all of them have substantial portions of their resources built by third parties ... Anywhere where software is used, it is put together from different sources."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.