Finjan Reveals New Attacks That Exploit Widgets and Gadgets are Imminent


SAN JOSE, California, September 17 /PRNewswire/ --

- Web Security Trends Report (Q3 2007) Continues Finjan's Tradition of
Delivering 'You-Heard-It-Here-First' Information on Web Security

Finjan Inc., a leader in secure web gateway products, today announced
that seemingly innocent Widgets (or Gadgets) are exposing computer users to a
whole host of attacks. The findings are among a number uncovered by Finjan's
Malicious Code Research Center (MCRC) and reported in the Web Security Trends
Report (Q3 2007) (http://finjan.com/content.aspx?id=827), which reveals that
the cool add-ons that add functions to websites contain code that is
vulnerable to exploitation by hackers and criminals. Finjan has found that
widgets are vulnerable to a breadth of attacks and can be used to endanger a
user's PC as part of an attacker's arsenal. Finjan's research also
suggests that new attacks that exploit the insecurities of widgets and
gadgets are imminent, and that a revised security model should be explored in
order to keep users protected from such attacks. All types of widget
environments (OS, 3rd party applications, and web widgets) were found to be
plagued with inadequate security models that allowed malicious widgets to
run. In addition, Finjan has found vulnerable widgets that were already
available (some in the default installation) in the widget environment. These
findings have already prompted Microsoft and Yahoo to issue security
advisories and patches, and to overhaul the security models currently used
to host these widgets and gadgets online as well as in the operating systems that
provide them.

"As Widgets become common in most modern computing environments, from
operating systems to web portals, their significance from a security
standpoint rises," according to Finjan CTO Yuval Ben-Itzhak. "Vulnerabilities
in widgets and gadgets enable attackers to gain control of user machines, and
thus should be developed with security in mind. This attack vector could have
a major impact on the industry, immediately exposing corporations to a vast
array of new security considerations that need to be dealt with.
Organizations require security solutions capable of coping with such a
changing environment with the ability to analyze code in real time, and
detect malicious code appearing in innovative attack vectors to provide
adequate protection."

Since major portals such as iGoogle, Live.com and Yahoo! all offer
personalized portals that utilize widgets, the growing popularity of these
cool add-ons is likely to result in their increased use as an attack vector.
Adequate protection from this new attack vector is dependent upon a major
overhaul of the security model of these environments by the vendors. In the
meantime, users are advised to adhere to the following best practices:

Tips on what you should do to avoid Widget infections

a. Refrain from using non-trusted 3rd party widgets. Widgets and gadgets
should be treated as full-blown applications, and the use of unknown and
untrusted widgets is highly discouraged.

b. Use caution when using interactive widgets. Widgets that rely on
external feeds such as RSS, weather information, external application data,
etc., may be susceptible to attacks that exploit this trust by piggybacking a
malicious payload on such data.

c. Organizations should enforce a strict policy for their users on using
widgets and widget engines. Since these are not considered business critical
applications, or even productivity enhancers in some cases, the use of
widgets and gadgets by corporate users should be limited. Additionally,
blocking widget and gadget file types could be enforced at the gateway in
order to prevent the downloading of such mini-applications to the corporate
network.

To give an idea of the number of widgets and gadgets available: there are
3720 available on google.com, 3197 on apple.com and 3959 on Facebook.com.
Based on the information in the iGoogle directory
(http://www.google.com/ig/directory?cat=all), many of these applications are
already being used by millions of people.

All the vulnerabilities described below have been fixed by the
corresponding vendors after being discreetly notified by Finjan.

Windows Vista Contacts Widget Vulnerability

The Windows Vista operating system comes pre-installed with the "Vista
Sidebar" as a basic component (in all flavors of the OS). The Sidebar
contains a few existing widgets that can be used out-of-the-box. One of these
widgets is the Contacts widget, which enables easy access to contacts stored
in the Windows Contacts application (a native component of Vista). Finjan
researchers discovered a vulnerability in the Contacts widget which enables
an attacker to run arbitrary code on the attacked machine by providing a
malformed (albeit fully usable and completely innocent-looking) contact
detail object. This contact, simply by being displayed in the Contacts
Widget, would run arbitrary code on the local machine without any user
interaction or verification.

Live.com RSS reader vulnerability

Live.com is the new and improved portal from Microsoft. It enables the
user to have a personalized environment which can be customized to display
recent headlines (RSS feeds), a brief summary of the Hotmail inbox, the local
weather forecast, etc. The Live.com RSS reader widget contained a vulnerability
that allowed an attacker to access privileged information from the user's
account while impersonating the user and taking control of their browser. The
vulnerability resulted from unsanitized data feeds: the items provided by the
RSS feed could contain scripting commands that the widget rendered as-is.

Yahoo! Widgets Contacts vulnerability

Yahoo! provides a widget engine that can be installed as a 3rd party
application and provides widget functionality for operating systems that do
not support this functionality natively. The Contacts widget in the Yahoo!
widget engine contained a vulnerability that allowed an attacker to run
arbitrary code if a contact contained unsanitized scripting commands.
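Both the Live.com RSS reader and the Yahoo! Contacts widget failed in the same way: data that arrived from an untrusted source (a feed item, a contact record) was placed into the widget's HTML without being escaped, so any script markup inside it ran with the widget's privileges. The following is an added example, not Finjan's code nor code from Microsoft or Yahoo!, showing that defect class beside its fix in plain JavaScript. The item and contact shapes, field names (`title`, `description`, `link`, `name`, `email`) and the sample records are constructed for this example; the hardening technique is the standard one: treat every field as text and escape it, and accept only `http`/`https` links.

```javascript
// Added example (not from the original press release or any vendor):
// rendering untrusted feed and contact data inside a widget.
// Field names and sample records below are assumptions made for this example.

// Escape the five characters that let text break out into HTML markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only absolute http/https URLs; anything else (including script
// URL schemes or unparsable strings) yields null and the link is dropped.
function safeHref(candidate) {
  try {
    const url = new URL(String(candidate));
    if (url.protocol === 'http:' || url.protocol === 'https:') {
      return url.href;
    }
  } catch (e) {
    // not a parsable URL: fall through and reject
  }
  return null;
}

// The defect class described in the report: raw field values are
// concatenated into markup, so script inside the feed runs in the widget.
function renderRssItemUnsafe(item) {
  return `<li><a href="${item.link}">${item.title}</a>` +
         `<p>${item.description}</p></li>`;
}

// Hardened renderer: every untrusted value is escaped, and the link is only
// emitted when it passes the scheme check.
function renderRssItemSafe(item) {
  const href = safeHref(item.link);
  const title = escapeHtml(item.title);
  const body = escapeHtml(item.description);
  const heading = href ? `<a href="${escapeHtml(href)}">${title}</a>` : title;
  return `<li>${heading}<p>${body}</p></li>`;
}

// Same treatment for a contact record displayed by a contacts widget.
function renderContactSafe(contact) {
  return `<li>${escapeHtml(contact.name)} (${escapeHtml(contact.email)})</li>`;
}

// Constructed sample data: a feed item and a contact whose fields carry
// script markup, standing in for the unsanitized data the report describes.
const hostileRssItem = {
  title: 'Weather update',
  description: 'Sunny <script>untrustedCode()</script>',
  link: 'javascript:untrustedCode()',
};
const hostileContact = {
  name: 'Alice <script>untrustedCode()</script>',
  email: 'alice@example.com',
};

// Stand-alone demonstration; prints the vulnerable and hardened output.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderRssItemUnsafe(hostileRssItem));
  console.log('safe:  ', renderRssItemSafe(hostileRssItem));
  console.log('contact:', renderContactSafe(hostileContact));
}
```

Escaping at the point of output is the correct fix because the widget cannot know which upstream feeds or address books are trustworthy; the check also rejects `javascript:` links, which are a second way feed data can smuggle script into a widget that renders links.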

The Web Security Trends Report (Q3 2007)
(http://finjan.com/content.aspx?id=827) also explores new developments in
financially-focused crimeware with detailed coverage of an actual Trojan that
meticulously and evasively targets financial institutions in order to gain
access to user accounts and perform financial fraud. In addition, the report
sounds the alarm on the proliferation of crimeware toolkits as the leading
attack vector on the web, elaborating on the predictions about crimeware
toolkits in Finjan's previous Q2 Report
(http://finjan.com/content.aspx?id=827).

"Our latest quarterly Web Security Trends Report continues our ongoing
efforts of delivering you-heard-it-here-first information regarding emerging
trends in the web security industry," said Finjan CTO Yuval Ben-Itzhak. "We
are pleased to share MCRC's important findings during 3Q 2007 with the
greater IT community, including real-world examples of malicious code and
suggestions as to how businesses and other organizations can protect
themselves from the latest web threats."

New Developments in Financially-Focused Crimeware

The Finjan report also discusses the prevalence of web attacks employing
highly sophisticated Trojan, keylogger, and rootkit crimeware that targets
financial institutions. "Financial gain is the driving force behind the
explosive growth of cybercrime," said Ben-Itzhak. "Increasingly, crimeware
has a single goal -- to turn data into money. Crimeware is used to steal
valuable business data that can be monetized in the burgeoning cybercrime
market. Hackers are focusing their efforts on stealing sensitive corporate,
customer, financial and employee data, which can then be sold online to
criminal elements."

The report provides a detailed analysis of one flavor of Trojan that
enabled cybercriminals to gain access to online bank accounts. Abusing the
"conditioned" trust that users place in the SSL encrypted connection to their
financial providers, the attack was able to hijack the communication,
impersonate the bank and perform an attack similar to a phishing scam. The
attack harvested additional information from the users, while sending it back
to the attack server on a covert encrypted channel.

Said Ben-Itzhak, "This new strain of finely crafted crimeware is more
evasive and duplicitous than traditional phishing schemes. These attacks go
unnoticed by standard security solutions. Users are unaware that they are
being hit as the entire online experience, including the SSL certificate, is
identical in every way to that of their particular bank. Truly effective
protection in today's dynamic web environment requires the analysis of every
piece of code in real-time, regardless of its origin, context, and
appearance."

Crimeware Toolkits Proliferate as the Leading Attack Vector on the Web

Finjan's Q3 Web Security Trends Report provides a follow-up to the
predictions in the previous Q2 report, issued in June 2007, on the
availability of ready-made crimeware toolkits. These toolkits heighten the
effectiveness of crimeware attacks and increase infection rates by providing
update mechanisms, utilizing sophisticated anti-forensic attack techniques,
and managing affiliation attack networks. Consistent with this trend,
Finjan's current research shows that these toolkits have proliferated to the
point where they have already become the favorite attack method for
cybercriminals.

"While users can minimize these threats by taking special care in the
sites they browse to, it's important to note that there are legitimate and
trusted sites which have been compromised with snippets of malicious code,"
Ben-Itzhak said. "Database-driven web security products that classify sites
in advance are not of use here, as the malicious code may come and go, and
the site itself may have a legitimate classification. In addition, it is
critically important that organizations deploy the latest updates and
security patches, as older vulnerabilities are frequently used in these
attacks."

About MCRC

Malicious Code Research Center (MCRC) is the leading research department
at Finjan, dedicated to the research and detection of security
vulnerabilities in Internet applications, as well as other popular programs.
MCRC's goal is to stay steps ahead of hackers attempting to exploit open
platforms and technologies to develop malicious code such as Spyware,
Trojans, Phishing attacks, worms and viruses. MCRC shares its research
efforts with many of the world's leading software vendors to help patch their
security holes. MCRC is a driving force behind the development of next
generation security technologies used in Finjan's proactive web security
solutions. For more information, visit the MCRC subsite
(http://www.finjan.com/SecurityLab.aspx?id=547).

About Finjan

Finjan is a global provider of secure web gateway solutions for the
enterprise market. Our real-time, appliance-based web security solutions
deliver the most effective shield against web-borne threats, freeing
enterprises to harness the web for maximum commercial results. Finjan's
real-time web security solutions utilize patented real-time content
inspection technology to repel all types of threats arriving via the web,
such as spyware, phishing, Trojans, obfuscated code and other malicious code,
securing businesses against unknown and emerging threats, as well as known
malware. Finjan's security solutions have received industry awards and
recognition from leading analyst houses and publications, including IDC,
Butler Group, SC Magazine, eWEEK, CRN, ITPro, PCPro, ITWeek, Network
Computing, and Information Security. With Finjan's award-winning and widely
used solutions, businesses can focus on implementing web strategies to
realize their full organizational and commercial potential. For more
information about Finjan, please visit http://www.finjan.com.

(c) Copyright 1996-2007. Finjan Software Inc. and its affiliates and
subsidiaries. All rights reserved. All text and figures included in this
publication are the exclusive property of Finjan and are for your personal
and non-commercial use. You may not modify, copy, distribute, transmit,
display, perform, reproduce, publish, license, create derivative works from,
transfer, use or sell any part of its content in any way without the express
permission in writing from Finjan. Information in this document is subject to
change without notice and does not present a commitment or representation on
the part of Finjan. The Finjan technology and/or products and/or software
described and/or referenced to in this material are protected by registered
and/or pending patents including U.S. Patents No. 6092194, 6154844, 6167520,
6480962, 6209103, 6298446, 6353892, 6804780, 6922693, 6944822, 6993662,
6965968, 7058822, 7076469, 7155743, 7155744, 7185358 and may be protected by
other U.S. Patents, foreign patents, or pending applications.

Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote and
Window-of-Vulnerability are trademarks or registered trademarks of Finjan
Inc., and/or its affiliates and subsidiaries. All other trademarks are the
trademarks of their respective owners.

Media Contacts
    United States
    Jan Wiedrick-Kozlowski
    Activa PR
    Tel. +1-585-392-7878
    jan@activapr.com

    UK
    Neil Stinchcombe
    Eskenzi PR Ltd.
    Tel: +44-208-449-1007
    neil@eskenzipr.com



© PR Newswire Association LLC.