RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API



Sirs,
The lack of a defense vector doesn't translate magically to a new attack 
vector. The absence of common security mitigating controls is referred to as a 
vulnerability. Really all old attack vectors apply.

The secure design model for this type of application should be sandboxed by
zone. The vulnerability is that the code is implicitly trusted, with no sandbox
implemented, and of course it will be difficult to hold evil gadget creators to
task due to the transparent lack of any accountability by everyone. Fingers are
already flying.

The issue is all about an un-sandboxed application where standard best 
practices use and vast prior experience should have dictated it should have
been sandboxed. This is a divestiture away from signed controls and towards
3rd party security programs.

So once again we have no sandbox mitigating controls, which, coupled with a firm
lack of accountability per gadget, means breached operating systems. Those who have
additional security programs largely make up the difference and those who don't
will always be wondering why and how the vendor let them get pwned.

>(As you say, I think we'll have to agree to disagree on this one.  Let's wait
>until the phishers discover it and then revisit the topic :-).

I think bot herders will have a field day collecting new devices with this.

Ed

-----Original Message-----
From: pgut001 [mailto:pgut001@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, September 18, 2007 6:30 AM
To: pgut001@xxxxxxxxxxxxxxxxx; roger@xxxxxxxxxxxxxx; Thierry@xxxxxxxxx
Cc: bugtraq@xxxxxxxxxxxxxxxxx; tmb@xxxxxxxxx; vuln-dev@xxxxxxxxxxxxxxxxx; 
webappsec@xxxxxxxxxxxxxxxxx
Subject: RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's 
gadget API

"Roger A. Grimes" <roger@xxxxxxxxxxxxxx> writes:

>I'm sorry, we'll have to agree to disagree. I don't see the new attack vector
>here. I, the attacker, have to make you download my malicious trojan program,
>which you install on your computer.

It's not so much the attack vector, it's the usability issue.  This makes it
just too easy to convince users to download and execute untrusted content.

>But if you're worried that your users will click past 3 to 5 warning messages
>to install untrusted gadgets (which they will), then completely control them
>using group policy.

On Joe Sixpack's PC in his den?

(As you say, I think we'll have to agree to disagree on this one.  Let's wait
until the phishers discover it and then revisit the topic :-).

Peter