Risk
8/25/2010
05:03 PM
Connect Directly
RSS
E-Mail
50%
50%

Careful With That Third-Party Web Widget

Smaller businesses are more likely to use third-party Web applications on their websites -- and they are less likely to scan such code

Small- and midsized businesses use a lot of third-party Web applications: It saves them money and allows them to embed expertise that they might not otherwise have. But it can also open up their business and their customers to attack.

The recent Network Solutions incident shows how this practice can go very wrong: Ten days ago, the Internet domain provider learned that a Web-services widget that it had placed on at least 120,000 parked Web pages was infecting visitors with malware. The firm reportedly downloaded the widget, known as the Small Business Success Index, on third-party online directory WidgetBox.

As more businesses continue to use third-party code in their websites and import content from other sites, the security of their visitors increasingly relies on others.

"Over the past five years, Web 2.0 has taken the world by storm," says Neil Daswani, chief technology officer of Web scanning firm Dasient. "As a website administrator, your security is actually dependent on a bunch of third parties, so you should make sure to monitor all your code and widgets."

Network Solutions is not the only Internet company to inadvertently host malicious code on its website. A year ago, The New York Times infected an unknown number of visitors with a rogue program after fraudsters posed as a legitimate advertiser and submitted a virus-laden ad to the news service. Other websites -- such as Snapple.com, BusinessWeek and Fox News -- have had to deal with similar problems, Daswani notes.

The impact on a business hosting rogue code on its website can be dramatic and long-term. If Google flags a site as malicious because it's hosting rogue code, traffic can drop by as much as 95 percent, Daswani says. "We have received feedback from customers that even when the resolve the issue and their site is un-blacklisted, there still is an impact on their traffic," he says.

Solving this issue is not easy. There is no standard or accepted way to certify that code is safe and secure, says Andy Chou, chief scientist for code scanning firm Coverity. "In other industries, there are certifications for certain quality measurements of the products," Chou says. "There are lots of ways in other industries to show the consumer what they are getting. In software, there is nothing like that -- the users have to test it themselves."

Companies should scan programs for malicious software or Trojan horses on a regular basis, security experts say. Developers can use a static scanner to scan source code for security vulnerabilities. Run-time scanners and antivirus scanners can be used to detect malicious activity in widgets and programs before they are posted to a website.

However, the sites should be checked frequently as well, says Wayne Huang, chief technology officer of site-scanning firm Armorize. "A combination is a good approach," Huang says. "Source-code scanning has its limitations, but so does honey-client-type Web scanning."

Security experts don't expect more companies to regularly scan their sites until a larger number suffer from issues similar to Network Solutions.

"This is an area that people are only now waking up to," says Coverity’s Chou. "From our experience with software development organizations, all of them have substantial portions of their resources built by third parties ... Anywhere where software is used, it is put together from different sources."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.