Can Sandboxing Stop Widget Mayhem?
After Finjan came out with a report saying that widgets and gadgets are all plagued with lousy security and stand ready to unleash the next wave of malware onto users' systems, at least one security watcher blamed the lack of sandboxing.
"The secure design model for this type of application should be sandboxed by zone. The vulnerability is that the code is implicitly trusted no sandbox implemented and of course it will be difficult to hold evil gadget creators to task due to the transparent lack of any accountability by everyone," said Ed Patterson on BugTraq.
"The issue is all about an un-sandboxed application where standard best practices use and vast prior experience should have dictated it should have been sand boxed. This is a divestiture away from signed controls and towards third-party security programs. So once again we have no sandbox mitigating controls coupled with a firm lack of accountability per gadget means breached operating systems. Those who have additional security programs largely make up the difference and those who don't will always be wondering why and how the vendor let them get pwned."
Given that Dinis Cruz at OWASP has also been bemoaning (podcast) the state of sandboxing and how he thinks Microsoft and Sun are asleep at the wheel on the issue, I decided to ask Finjan Chief Technology Officer Yuval Ben-Itzhak if sandboxingthat's running software in an isolated environment where it can't mess with your datacould help with the security issues these powerful little applications present.
What he told me is this: How sandboxing relates to the security issues of widgets and gadgets depends on the widgets and gadgets.
Sandboxing is one option for dealing with the gadgets running right on top of operating systems, such as those presented by Vista on startup: calendar, time and contacts, for example. It's not a pleasant option though.
"Sandboxing is one option, but it's very heavy with CPU usage and memory," Ben-Itzhak said.
That model isn't suitable for server-based gadgets, however, like those at iGoogle. They're running in the context of the browser, so they're just like any other Web page you'd visit. Malicious gadgets will exploit you and install a Trojan, and sandboxing won't step in and helpunless you're running your entire browser in a sandbox.
A third type of widget/gadget are application-based, like the type from Yahoo's widget engine. You need to download the widget engine, just like a piece of software sitting on your desktop in your tray. On top of the engine, you download Yahoo widgets. In this case sandboxing would be very limited in protecting you since the Yahoo engine, if vulnerable, will allow you full access to the machine as well, Ben-Itzhak said.
To sum it up, sandboxing is a sound concept, but its value depends on the type of widget/gadget you're relying on, and its resource pull has to be taken into consideration.