Jul 06. Published in Windows Sidebar, Gadgets, Development by Andy

It's been a while since my last post (almost three months!). I apologize for this, I've been rather busy.

This post is about a security issue I discovered while researching ways to display third-party websites in a frame inside a gadget or a flyout window. If you don't already know, Windows Desktop Gadgets are built on Internet Explorer technology. They are in effect mini Internet Explorer windows and are subject to the same security settings as Internet Explorer. They run in the Internet security zone, the same zone as any website that hasn't been added to the Trusted sites or Restricted sites zones.

In the Internet security zone, a page would normally be unable to perform certain tasks, such as making cross-domain web requests, running ActiveX controls or accessing the clipboard, without first prompting the user. To get around this, the gadget host overrides these settings so that the actions can be performed programmatically with no prompting. It does this for the gadget, settings and flyout windows and for any window hosted within them, including frames and inline frames.

Upon discovering this I quickly wrote a web page containing a script, which I hosted on a test domain, and a gadget that loads this page in an external frame. Here's the script I put in the web page:

  // Both ActiveX objects would normally be blocked for a page in the Internet zone
  var Fso = new ActiveXObject("Scripting.FileSystemObject");
  var WshShell = new ActiveXObject("WScript.Shell");
  var FolderPath = WshShell.SpecialFolders("Desktop") + "/hellothere.txt";
  document.body.innerHTML += "Creating text file at " + FolderPath + "...";
  // 2 = ForWriting; true = create the file if it does not exist
  var File = Fso.OpenTextFile(FolderPath, 2, true);
  File.WriteLine("Consider yourself lucky this isn't an executable virus!");
  File.Close();
  document.body.innerHTML += "You've been hacked! *evil laugh*";

Even if you're not a coder, you can probably work out what that script does. It creates a text file called "hellothere.txt" in the Desktop folder and writes a line of text to it. While this script is harmless enough, it wouldn't be difficult to write something far more malicious, such as a virus: the same script could write the virus to a file and then execute it.

You might think it's fine if the gadget shows what you would consider a trusted site, such as Google, since you would assume they have bigger fish to fry than writing viruses to the few thousand computers using the gadget. The problem is that you are also opening the door to man-in-the-middle attacks, whereby an attacker on the network path intercepts the request to the Google site and returns the Google page with a dangerous script injected into it.
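For gadget authors who do need to show third-party content, here is an added example of the checks described above, not code from the original post or from the gadget platform. It refuses plain-http URLs (the man-in-the-middle case) and any host outside an explicit allow-list, and emits the frame with Internet Explorer's security="restricted" attribute, which places the framed page in the Restricted sites zone where script and ActiveX are disabled. The allow-list, host name and helper names are constructed for illustration; that the gadget host honours security="restricted" is an assumption this post does not test, while the HTTPS and allow-list checks apply regardless.

```javascript
// Constructed sample allow-list: the only hosts this gadget is prepared to frame.
var ALLOWED_HOSTS = ["www.example.com"];

// Minimal URL parser written without the URL object, which IE's script engine lacks.
// Returns null for anything that is not scheme://host[:port][/path].
function parseFrameUrl(url) {
  var m = /^([a-z][a-z0-9+.\-]*):\/\/([^\/?#:\s]+)(?::(\d+))?(\/[^\s]*)?$/i.exec(url);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), path: m[4] || "/" };
}

// Decide whether a URL may be framed: HTTPS only (so the page cannot be altered in
// transit) and the host must be on the allow-list (so no arbitrary site runs in the
// gadget's relaxed zone).
function frameDecision(url) {
  var u = parseFrameUrl(url);
  if (!u) return { allow: false, reason: "unparseable URL" };
  if (u.scheme !== "https") return { allow: false, reason: "not https" };
  for (var i = 0; i < ALLOWED_HOSTS.length; i++) {
    if (ALLOWED_HOSTS[i] === u.host) return { allow: true, reason: "ok" };
  }
  return { allow: false, reason: "host not in allow-list" };
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the <iframe> markup for an approved URL, or return null if it was refused.
// security="restricted" is IE's attribute for running frame content in the
// Restricted sites zone (assumed here to be honoured by the gadget host).
function restrictedFrameHtml(url) {
  if (!frameDecision(url).allow) return null;
  return '<iframe security="restricted" src="' + escapeAttr(url) + '"></iframe>';
}
```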

If you use a gadget that displays an external webpage somewhere, please alert the developer to this security issue and continue to use at your own risk.
