Bugtraq mailing list archives
RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
From: Ed Patterson <epatterson () DirectApps com>
Date: Tue, 18 Sep 2007 10:21:34 -0700
Sirs,

The lack of a defense vector doesn't translate magically to a new attack vector. The absence of common security mitigating controls is referred to as a vulnerability. Really, all old attack vectors apply. The secure design model for this type of application should be sandboxed by zone. The vulnerability is that the code is implicitly trusted, with no sandbox implemented, and of course it will be difficult to hold evil gadget creators to task due to the transparent lack of any accountability by everyone. Fingers are already flying. The issue is all about an un-sandboxed application where standard best practices use and vast prior experience should have dictated it should have been sandboxed. This is a divestiture away from signed controls and towards 3rd party security programs. So once again we have no sandbox mitigating controls coupled with a firm lack of accountability per gadget, which means breached operating systems. Those who have additional security programs largely make up the difference, and those who don't will always be wondering why and how the vendor let them get pwned.

> (As you say, I think we'll have to agree to disagree on this one. Let's wait until the phishers discover it and then revisit the topic :-).

I think bot herders will have a field day collecting new devices with this.

Ed

-----Original Message-----
From: pgut001 [mailto:pgut001 () cs auckland ac nz]
Sent: Tuesday, September 18, 2007 6:30 AM
To: pgut001 () cs auckland ac nz; roger () banneretcs com; Thierry () Zoller lu
Cc: bugtraq () securityfocus com; tmb () 65535 com; vuln-dev () securityfocus com; webappsec () securityfocus com
Subject: RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API

"Roger A. Grimes" <roger () banneretcs com> writes:

> I'm sorry, we'll have to agree to disagree. I don't see the new attack vector here. I, the attacker, have to make you download my malicious trojan program, which you install on your computer.

It's not so much the attack vector, it's the usability issue. This makes it just too easy to convince users to download and execute untrusted content.

> But if you're worried that your users will click past 3 to 5 warning messages to install untrusted gadgets (which they will), then completely control them using group policy.

On Joe Sixpack's PC in his den? (As you say, I think we'll have to agree to disagree on this one. Let's wait until the phishers discover it and then revisit the topic :-).

Peter