Bugtraq mailing list archives
Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API
From: Tim Brown <tmb () 65535 com>
Date: Sun, 16 Sep 2007 16:09:26 +0100
Firstly, "the sky isn't falling, the risks posed by the gadget API already existed elsewhere in Windows generally, but this is another new attack surface without any legacy dependencies". This is my general view on the gadget API. On Sunday 16 September 2007 13:34:32 Thierry Zoller wrote:
PG> No, this is an entirely new level of attack, "New level of attack", what makes you believe that?
As I previously stated, unlike Peter I don't consider this a new level of attack, I'm just a bit surprised that the threat model wasn't examined by Microsoft a little more closely before they decided to include the gadget API. Unlike other APIs that Microsoft have released there was no legacy requirement to include all of the new functionality highlighted in my paper. Moreover, irrespective of the design decisions how did at least 3 Microsoft gadgets get through SDL without input validation being tested and the vulnerabilities.
PG> because it's moved the dancing PG> bunnies problem onto the Windows desktop. Huh ? What is different to let's say the southpark worm we saw years ago? Or any other normal binary that promised to be a screensaver or similar ?
Because it's not just about downloading rogue gadgets. I don't want to overhype the gadget API - it's just another attack surface after all - but if you look at all the PoCs so far, the greater risk comes from malware being injected into 'trusted' gadgets.
PG> Given what an incredible attack vector they are What is incredible in this attack vector ? What is actually new ? What is the differnce with the "User downloads screensaver and get's owned" attack vector ?
Allowing gadgets - trusted or otherwise - to download and execute arbitrary parts of the internet becomes a tad more dangerous when you explicitly allow them access to APIs for reading and write arbitrary files (subject to Vista ACLs) and executing arbitrary binaries. The process of securing IE has largely been to remove and mitigate such vectors by which this can occur, so why reintroduce them in non-legacy code. Finally, why on earth does the trust model for gadgets consist of full trust and nothing more. Why not allow gadgets to state in their manifest that for example they don't need to execute things, won't make use of ActiveX controls and will only connect to a specific host? Tim -- Tim Brown <mailto:tmb () 65535 com>
Current thread:
- Next generation malware: Windows Vista's gadget API Tim Brown (Sep 13)
- Re: Next generation malware: Windows Vista's gadget API Todd Manning (Sep 13)
- RE: Next generation malware: Windows Vista's gadget API avivra (Sep 17)
- RE: Next generation malware: Windows Vista's gadget API Roger A. Grimes (Sep 14)
- RE: Next generation malware: Windows Vista's gadget API Peter Gutmann (Sep 17)
- Re: Next generation malware: Windows Vista's gadget API Tim Brown (Sep 17)
- Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API Thierry Zoller (Sep 17)
- Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API Tim Brown (Sep 17)
- RE: [Full-disclosure] Next generation malware: Windows Vista's gadget API Strykar (Sep 19)
- Re: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API Peter Gutmann (Sep 17)
- RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API Roger A. Grimes (Sep 17)
- Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API Tim Brown (Sep 17)
- RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API Peter Gutmann (Sep 18)
- RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API Ed Patterson (Sep 18)
- RE: Next generation malware: Windows Vista's gadget API Peter Gutmann (Sep 17)
- Re: Next generation malware: Windows Vista's gadget API Todd Manning (Sep 13)