Next generation malware: Windows Vista's gadget API

To: vuln-dev@xxxxxxxxxxxxxxxxx, webappsec@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx
Subject: Next generation malware: Windows Vista's gadget API
From: Tim Brown <tmb@xxxxxxxxx>
Date: Thu, 13 Sep 2007 10:16:37 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: KMail/1.9.7

A paper has just been released on the Windows Vista's gadget API.  The 
abstract is as follows:

Windows has had the ability to embed HTML into it’s user interface for many 
years. Right back to and including Windows NT 4.0, it has been possible to 
embed HTML into the task bar, but the OS has always maintained a sandbox, 
from which the HTML has been unable to escape. All this changes with Windows 
Vista. This paper seeks to inform system administrators, users and the
wider community on both potential attack vectors using gadgets and the 
mitigations provided by Windows Vista.

The full paper can be found at http://www.portcullis-security.com/165.php.

Cheers,
Tim
-- 
Tim Brown
<mailto:tmb@xxxxxxxxx>

Follow-Ups:
- RE: Next generation malware: Windows Vista's gadget API
  - From: Roger A. Grimes
- Re: Next generation malware: Windows Vista's gadget API
  - From: Todd Manning

Prev by Date: WinSCP < 4.04 url protocol handler flaw
Next by Date: Re: Next generation malware: Windows Vista's gadget API
Previous by thread: WinSCP < 4.04 url protocol handler flaw
Next by thread: Re: Next generation malware: Windows Vista's gadget API
Index(es):
- Date
- Thread