WebApp Sec mailing list archives
RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
From: Ed Patterson <epatterson () DirectApps com>
Date: Tue, 18 Sep 2007 10:21:34 -0700
Sirs,

The lack of a defense vector doesn't translate magically to a new attack vector. The absence of common security mitigating controls is referred to as a vulnerability. Really, all old attack vectors apply. The secure design model for this type of application should be sandboxed by zone. The vulnerability is that the code is implicitly trusted, with no sandbox implemented, and of course it will be difficult to hold evil gadget creators to task due to the transparent lack of any accountability by everyone. Fingers are already flying. The issue is all about an un-sandboxed application where standard best practices and vast prior experience should have dictated it be sandboxed. This is a divestiture away from signed controls and towards 3rd party security programs. So once again we have no sandbox mitigating controls, coupled with a firm lack of accountability per gadget, which means breached operating systems. Those who have additional security programs largely make up the difference, and those who don't will always be wondering why and how the vendor let them get pwned.
> (As you say, I think we'll have to agree to disagree on this one. Let's wait until the phishers discover it and then revisit the topic :-).
I think bot herders will have a field day collecting new devices with this.

Ed

-----Original Message-----
From: pgut001 [mailto:pgut001 () cs auckland ac nz]
Sent: Tuesday, September 18, 2007 6:30 AM
To: pgut001 () cs auckland ac nz; roger () banneretcs com; Thierry () Zoller lu
Cc: bugtraq () securityfocus com; tmb () 65535 com; vuln-dev () securityfocus com; webappsec () securityfocus com
Subject: RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API

"Roger A. Grimes" <roger () banneretcs com> writes:
> I'm sorry, we'll have to agree to disagree. I don't see the new attack vector here. I, the attacker, have to make you download my malicious trojan program, which you install on your computer.
It's not so much the attack vector, it's the usability issue. This makes it just too easy to convince users to download and execute untrusted content.
> But if you're worried that your users will click past 3 to 5 warning messages to install untrusted gadgets (which they will), then completely control them using group policy.
On Joe Sixpack's PC in his den?

(As you say, I think we'll have to agree to disagree on this one. Let's wait until the phishers discover it and then revisit the topic :-).

Peter