Widgets, Hygiene and Frogans

Like I’ve said before, despite several visual and functional similarities, frogans and widgets are not the same thing. I like to imply that we live in a happy universe where frogans and widgets can peacefully coexist. Like Rodney King said, “Can’t we all… just… get along?”

Well, wouldn’t that be nice. But can you really, really trust a widget?

According to the Q3 2007 Web Security Trends Report from the Finjan Malicious Code Research Center (MCRC), you can never be too sure if a widget is as cute and cuddly on the inside as it is on the outside:

“Our findings suggest that new attacks that exploit the insecurities of widgets and gadgets are imminent, and that a revised security model should be explored in order to keep users protected from such attacks.
All types of widget environments (OS, 3rd party applications, and web widgets) were found to be plagued with inadequate security models that allowed malicious widgets to run.”

What? Next, they’re going to tell us not to let them get wet; nor to feed them after midnight!

It’s not as if the writing wasn’t already on the wall. All these proliferating mini-apps, cruising the Info-way to and from your computer, often accessing your system resources and running JavaScript of unknown intent. Yikes!

Among other things, the MCRC suggests that organizations limit the internal use of widgets, and even go so far as blocking the downloading of widget and gadget file types at corporate network gateways.

Is there any hope for those of us wanting an interactive, online desktop pal without fearing that it might stab us in the back?

Frogans, like widgets, have a knack for being cute and cuddly and for displaying content in a small, unobtrusive format. (For a look at their major differences, see “Frogans vs. Widgets”.)

However, in Frogans Technology development, and apparently unlike with widget engines, end-user security has been a major consideration from the start. While not impossible, a malicious attack from a frogans is really, really improbable. Here are a few reasons why:

  • FSDL (Frogans Slide Description Language) – Written in XML, this is the only language in which a frogans can be authored. No Flash, no JavaScript. FSDL provides no references to end-user system resources.
  • No disc cache – Frogans slides are loaded into active memory only (and they don’t take up very much of that) – never onto your hard drive.
  • Image and FSDL parsing – Here the Frogans Player trades off a bit of speed for iron-clad parsing security. (Given the size limitation requirements for frogans resources, this is a minimal speed issue.) The Frogans Player simply rejects corrupt files and corrupt images.
  • Fonts – The FSDL specifications (v.3.0) permit only certain typographic fonts to be used in a frogans slide. These fonts are integrated into the Frogans Player, which has exclusive access to them. Principally implemented as an access and compatibility feature, this is also insurance against corrupted fonts, which could eventually be used in an exploit attempt.
  • The frogans address – Each frogans publisher on the Main Frogans Network obtains their frogans address at frogans.com and agrees to the terms therein. This allows STG Interactive to suspend a frogans address (and consequently the frogans concerned) should an FSDL document or an image at that address be used in an attempt to exploit a possible Frogans Player security flaw.
    Moreover, frogans addresses are secured by means of digital signatures.
  • We encourage the developer community to go looking for any security flaws they can find in the Frogans Player. Anybody who informs us of one will be cited in the release notes of patched Frogans Player upgrades. What more could you ask for? A free frogans address with a cool name like “frogans*DemonHacker”? We’re open to suggestions on that front.
  • All the above points apply to all three of the principal platforms for Internet end-users. Linux users won’t be left to fall by the wayside. Mac OS X users won’t be out in the cold. Windows users won’t be left blowing in the wind.
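
To make the first few points concrete, here is a small fail-closed validator for a script-free XML slide format. It is an added example, not Frogans Player code: the element names, attribute names, font names, image rule and size cap are all hypothetical stand-ins, not the real FSDL vocabulary.

```python
import re
import xml.parsers.expat

# Hypothetical vocabulary for a script-free slide format; NOT real FSDL names.
ALLOWED = {
    "slide": {"width", "height"},
    "text": {"font", "x", "y"},
    "image": {"src", "x", "y"},
}
BUNDLED_FONTS = {"sans", "serif", "mono"}                # assumed built-in fonts
LOCAL_IMAGE = re.compile(r"[A-Za-z0-9_-]+\.(png|jpg)")   # assumed: bare file names
MAX_BYTES = 64 * 1024                                    # assumed size cap

class Rejected(Exception):
    """Raised on the first rule violation; nothing is rendered after that."""

def deny(reason):
    raise Rejected(reason)

def validate_slide(data: bytes) -> int:
    """Return the element count of an acceptable document, else raise Rejected."""
    if len(data) > MAX_BYTES:
        deny("document exceeds size cap")
    count = 0

    def start(name, attrs):
        nonlocal count
        if name not in ALLOWED:                  # e.g. <script>, <object>
            deny(f"element not allowed: {name}")
        if set(attrs) - ALLOWED[name]:           # e.g. onclick="..."
            deny(f"attribute not allowed on <{name}>")
        if name == "text" and attrs.get("font") not in BUNDLED_FONTS:
            deny("font is not bundled with the player")
        if name == "image" and not LOCAL_IMAGE.fullmatch(attrs.get("src", "")):
            deny("image src must be a bare file name")
        count += 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    # DTDs and processing instructions are refused outright (no entity tricks).
    parser.StartDoctypeDeclHandler = lambda *a: deny("DOCTYPE not allowed")
    parser.ProcessingInstructionHandler = lambda *a: deny("PI not allowed")
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as err:  # malformed or truncated input
        deny(f"malformed XML: {err}")
    return count

def accepts(data: bytes) -> bool:
    """True only if every check passes; any single failure rejects the file."""
    try:
        return validate_slide(data) > 0
    except Rejected:
        return False
```

The validator keeps an allowlist rather than a blocklist: anything the format does not define, including markup nobody has thought of yet, is rejected by default.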

We’re pretty sure that Frogans Technology is going to be a hit in corporate environments because of its clear advantages in terms of security, and what’s good enough for them should well do for the rest of us.

So if you happen to come across a cute and cuddly widget, take heed that looks can be deceiving. On the other hand, your favorite frogans can look like Dracula’s nightmare and still be the perfect pet. I’d like to know what the MCRC will have to say about that.
