August 6th, 2007
We take our users’ security seriously here at Yahoo!. Because a big part of what people love about our product is the thousands of Widgets created by independent authors that are available through the Yahoo! Widget Gallery, our commitment to security extends to those Widgets as well. Every Widget in our Gallery goes through automated and manual checks to help ensure that it meets the standards for product safety and security that people have come to expect from Yahoo!. This process is revisited and updated to keep up with the latest threats.
Yesterday, Aviv Raff from Finjan’s Malicious Code Research Center made a presentation on security issues in widgets at the DEFCON conference. As part of his presentation, Aviv disclosed a vulnerability in the Yahoo! Contacts Widget. Thanks to Aviv, we were already aware of this issue and published an updated version of the Yahoo! Contacts Widget to the Yahoo! Widget Gallery on July 31. Our subsequent investigation revealed that the vulnerability Aviv described existed in more than just our Contacts Widget, and we’ve been taking a number of steps over the last several days to address this issue.
When a threat arises, we try to respond quickly. Typically, we first identify all the Widgets that are potentially affected by the security issue, immediately remove them from the Yahoo! Widget Gallery, and notify their authors that a fix is required. A lot of Widget authors may be wondering why we do things in that order and don’t give the authors of the affected Widgets notice before removing them from the Gallery. The answer is that by informing people of the vulnerability (even if those people are the authors) we increase the risk that someone might try to exploit it. We know the suddenness of events like these can be an inconvenience for our authors, for which we apologize. With that said, the safety and security of the platform is important to everyone in the Yahoo! Widgets ecosystem. In dealing with this particular vulnerability, we have tried to make things a little easier for authors by proactively reaching out with instructions on how to fix this issue and build more secure Widgets going forward.
In more serious cases, we next disable copies of the affected Widgets that have already been downloaded, so that they no longer run on our platform. In those cases, of which this is one, we try to give the authors of the affected Widgets a short grace period to get security updates of their Widgets to existing users before the older versions are disabled.
We’ve always worked hard to live up to the trust our users place in Yahoo! Widgets, and it’s an ongoing effort. In future releases of the Yahoo! Widgets platform and Gallery, you will see continued improvements to help ensure the safety and security of our users and to make events like these less burdensome for authors.

I realize that this is off topic, but since you don’t have a bugtracking website, I wanted to make sure that the actual devs saw this one.
BUG: 4.05 (184) changes IE7 homepage and search when checkboxes are unchecked
I installed the latest version of Widgets (4.05 build 184). Despite the fact that I unchecked the boxes in the setup wizard, it still set my IE homepage and search to yahoo.com. ERRR! FAIL! It’s annoying enough that you try to sneak that by users who aren’t paying attention. It’s WAY MORE annoying when you ignore the user and just do what your marketing morons want anyway.
I can assure you we are not doing that intentionally. We’ve gotten several reports of this and have looked into it each time and we haven’t been able to get to the bottom of it. If you have some specific info that might help us track it down, please use the support link at the top of the page and tell us the info. Thanks.
I don’t understand, I cannot access the Hebrew Calendar Widget, or Widget Gallery from my desktop. I keep getting a message it was disabled for security reasons. I am not the author of the widgets, and I already have updated virus protection from Microsoft. How can I get the Hebrew Calendar Widget or Yahoo Widgets Gallery working again?
Joseph, you will have to wait for the author to update it. Virus protection is not related; antivirus programs don’t know about this problem, it’s the widget engine blocking the unsafe widgets.
I was using the hardstat 2 widget, which was disabled by Yahoo yesterday. I tried to find any info about it on the Yahoo Widgets site but there was no trace of it, so how would I know when the updated version is released? Please send your reply to my email address too.
I have a calendar, a day planner, jc sticky notes, jumbalaya, picture frame, Yahoo! Mail Checker, Yahoo! Maps, Yahoo! My headlines, Yahoo! Search, Yahoo! Weather, and Yahoo! Widget Gallery. Since I added these to my computer, it has been running a bit quirky, not instantly, however. Most notable is that the picture I have chosen, from My Pictures, to go on my desktop randomly disappears. Could any of the above mentioned widgets be causing such behavior? I have ruled out viruses, worms & trojan horses because I have, and use, my virus protection daily (some may say to the point of being slightly OCD about it). Plus, I run my “System Mechanics 6” daily, cleaning up cookies, malware and such before shutting down my PC, and there doesn’t seem to be any problems in that area, so I was thinking it may have something to do with a widget I have chosen to use. Any ideas? Thanks for your time.
I had a worm in my widgets, not found by systems mechanics 6 nor by AVG, but Ashampoo virus remover 2. Be warned.