Risk
8/25/2010
05:03 PM
50%
50%

Careful With That Third-Party Web Widget

Smaller businesses are more likely to use third-party Web applications on their websites -- and they are less likely to scan such code

Small- and midsized businesses use a lot of third-party Web applications: It saves them money and allows them to embed expertise that they might not otherwise have. But it can also open up their business and their customers to attack.

The recent Network Solutions incident shows how this practice can go very wrong: Ten days ago, the Internet domain provider learned that a Web-services widget that it had placed on at least 120,000 parked Web pages was infecting visitors with malware. The firm reportedly downloaded the widget, known as the Small Business Success Index, on third-party online directory WidgetBox.

As more businesses continue to use third-party code in their websites and import content from other sites, the security of their visitors increasingly relies on others.

"Over the past five years, Web 2.0 has taken the world by storm," says Neil Daswani, chief technology officer of Web scanning firm Dasient. "As a website administrator, your security is actually dependent on a bunch of third parties, so you should make sure to monitor all your code and widgets."

Network Solutions is not the only Internet company to inadvertently host malicious code on its website. A year ago, The New York Times infected an unknown number of visitors with a rogue program after fraudsters posed as a legitimate advertiser and submitted a virus-laden ad to the news service. Other websites -- such as Snapple.com, BusinessWeek and Fox News -- have had to deal with similar problems, Daswani notes.

The impact on a business hosting rogue code on its website can be dramatic and long-term. If Google flags a site as malicious because it's hosting rogue code, traffic can drop by as much as 95 percent, Daswani says. "We have received feedback from customers that even when the resolve the issue and their site is un-blacklisted, there still is an impact on their traffic," he says.

Solving this issue is not easy. There is no standard or accepted way to certify that code is safe and secure, says Andy Chou, chief scientist for code scanning firm Coverity. "In other industries, there are certifications for certain quality measurements of the products," Chou says. "There are lots of ways in other industries to show the consumer what they are getting. In software, there is nothing like that -- the users have to test it themselves."

Companies should scan programs for malicious software or Trojan horses on a regular basis, security experts say. Developers can use a static scanner to scan source code for security vulnerabilities. Run-time scanners and antivirus scanners can be used to detect malicious activity in widgets and programs before they are posted to a website.

However, the sites should be checked frequently as well, says Wayne Huang, chief technology officer of site-scanning firm Armorize. "A combination is a good approach," Huang says. "Source-code scanning has its limitations, but so does honey-client-type Web scanning."

Security experts don't expect more companies to regularly scan their sites until a larger number suffer from issues similar to Network Solutions.

"This is an area that people are only now waking up to," says Coverity’s Chou. "From our experience with software development organizations, all of them have substantial portions of their resources built by third parties ... Anywhere where software is used, it is put together from different sources."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2808
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Bionic in Android before 4.1.1 incorrectly uses time and PID information during the generation of random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a rel...

CVE-2014-9713
Published: 2015-04-01
The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.

CVE-2015-0259
Published: 2015-04-01
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

CVE-2015-0800
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fennec) before 37.0 on Android does not properly generate random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a related issue to CVE-2...

CVE-2015-0801
Published: 2015-04-01
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.