Desktop security compromised
Published on March 23, 2005 By lilstarfish In DesktopX
Hi all!

Just found this rather nasty bug(?)in a widget that comes with DesktopX 3.

Thought people should know about it in order to take appropriate meassures.

When trying to find ways to correct this bug in the Silica Calendar widget;
https://www.wincustomize.com/Forums.aspx?ForumID=37&AID=69040#537182
I checked around on my system trying to find where widgets put temp files,
I also checked in my Temporary Internet Files folder
(usually located at C:\Documents and Settings\*your user name*\Local Settings\Temporary Internet Files).

Imagine my surprise finding that it was full of cached files even though
I use Firefox as my main browser. The date of some of the cached files went back
several days. This confounded me since I have IE's security settings set so that
when IE is closed all files in the Temporary Internet Files folder are deleted
(in IE go to Tools > Internet Options... > Advanced tab > scroll down to the bottom,
check Empty Temporary Internet Files folder when browser is closed).

I spotted some files that I saw was related to weather and currency and since I run
Silica Calendar.exe, CurrencyGlass.exe and AeroWeather.exe as widgets set to start
when windows start I figured one or all were to blame.

After elimination testing how the Temporary Internet Files were handled I found
that the CurrencyGlass.exe widget is the widget to blame.
Somehow there is a function in the script that prevent the Internet Explorer cache
to be deleted when the widget is running.

I also tried the other currency widget; Currency.exe and that also has the
same troublesome bug.

Try it yourself by running it together with IE, browse around on some web pages
and refresh the folder since it doesn't refresh by itself.

Can Stardock fix this bug or should I delete the currency widgets?

Comments
on Mar 23, 2005
How is this a security issue?

Not sure if this is a bug. Because these widgets uses the IE Control which is running on the IE Platform not from Internet Exlorer. Internet Explorer it self is a program that runs on the IE Platform. Because of this, settings in IE won't apply to all other applications using the IE Platform.
on Mar 23, 2005
"How is this a security issue?"

As explained in my post above;

Having the currency widget set to run at startup of windows
blocks IE from flushing the Temporary Internet Files folder.

This means that all files that Internet Explorer loads/caches
when browsing web pages etc. are not deleted when Internet Explorer
is closed.
on Mar 23, 2005
If a widget uses the IE control it will cache the content. My advise is that you consider the widgets you use. I cannot see how the content downloaded from finance.yahoo.com represents a security risk (believe me - I know the widget - the Silica object was based on one of mine!). If you are using Firefox as your main browser these will be the only cached files so unless you are overly concerned about protecting your currency conversions I don't see how there's a huge problem.

This is not a DX issue, but rather an implication of using the Web Browser control and you will probably find that there are many applications that use this.
on Mar 23, 2005
"I cannot see how the content downloaded from finance.yahoo.com represents a security risk"

Those files are not the problem.

If you read above, ALL files that Internet Explorer caches
when browsing the web etc. are blocked from being flushed.

This is a BIG security issue if you use Internet Explorer
in a big corporation or in a company where you are serious
about that people outside can not retrieve any information
through basic trojan attacks etc. Or by people internally.

And since most companies have not migrated to Firefox but
still use IE, running widgets that behaves like that is
a BIG no go.

Internet Explorer's cached files are one of the first folders
checked for "useful" information if you want to find information
about the habits of a person or company.

This is why so many "cache cleaning" applications has popped
up during the past years.

This is not an "attack" on anyones widgets but a heads up that
this security flaw exists and should be attended to or at least
a warning provided with widgets showing this behaviour.