RE: Next generation malware: Windows Vista's gadget API

To: "Tim Brown" <tmb@xxxxxxxxx>, <vuln-dev@xxxxxxxxxxxxxxxxx>, <webappsec@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <news@xxxxxxxxxxxxxx>
Subject: RE: Next generation malware: Windows Vista's gadget API
From: "Roger A. Grimes" <roger@xxxxxxxxxxxxxx>
Date: Fri, 14 Sep 2007 15:56:19 -0400
In-reply-to: <200709131016.38814.tmb@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200709131016.38814.tmb@xxxxxxxxx>
Thread-index: Acf2Hh8bsaUCLV+URXGR1Bb04I2itAA6rkHQ
Thread-topic: Next generation malware: Windows Vista's gadget API

Yes, this is a "new" attack vector, but it is always game over anyway if
I can get you to run my untrusted program.  In my testing, installing
any Vista sidebar gadget results in a minimum of 3 warnings, each saying
that the code being installed could be harmful, before it is installed.
5 warnings if the gadget is unsigned. 

It's something to be aware of, because malicious hackers will exploit
them, and many end-users will ignore any warning, but not the most
worrisome problem on my plate.  Secondly, I can completely control the
install of any gadgets in my environment using Active Directory group
policies to a granular level.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger@xxxxxxxxxxxxxx or rogrim@xxxxxxxxxxxxx
*Author of Windows Vista Security: Security Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*******************************************************************



-----Original Message-----
From: Tim Brown [mailto:tmb@xxxxxxxxx] 
Sent: Thursday, September 13, 2007 5:17 AM
To: vuln-dev@xxxxxxxxxxxxxxxxx; webappsec@xxxxxxxxxxxxxxxxx;
full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx;
news@xxxxxxxxxxxxxx
Subject: Next generation malware: Windows Vista's gadget API

A paper has just been released on the Windows Vista's gadget API.  The
abstract is as follows:

Windows has had the ability to embed HTML into it's user interface for
many years. Right back to and including Windows NT 4.0, it has been
possible to embed HTML into the task bar, but the OS has always
maintained a sandbox, from which the HTML has been unable to escape. All
this changes with Windows Vista. This paper seeks to inform system
administrators, users and the wider community on both potential attack
vectors using gadgets and the mitigations provided by Windows Vista.

The full paper can be found at
http://www.portcullis-security.com/165.php.

Cheers,
Tim
--
Tim Brown
<mailto:tmb@xxxxxxxxx>

Follow-Ups:
- RE: Next generation malware: Windows Vista's gadget API
  - From: Peter Gutmann

References:
- Next generation malware: Windows Vista's gadget API
  - From: Tim Brown

Prev by Date: rPSA-2007-0184-1 samba samba-swat
Next by Date: [ GLSA 200709-05 ] RealPlayer: Buffer overflow
Previous by thread: RE: Next generation malware: Windows Vista's gadget API
Next by thread: RE: Next generation malware: Windows Vista's gadget API
Index(es):
- Date
- Thread