<<< Date Index >>>     <<< Thread Index >>>

RE: [Full-disclosure] Next generation malware: Windows Vista's gadget API



> 
> Firstly, "the sky isn't falling, the risks posed by the gadget API
> already
> existed elsewhere in Windows generally, but this is another new attack
> surface without any legacy dependencies".  This is my general view on
> the
> gadget API.
> 

Yahoo widgets.

 
> Finally, why on earth does the trust model for gadgets consist of full
> trust
> and nothing more.  Why not allow gadgets to state in their manifest
> that for
> example they don't need to execute things, won't make use of ActiveX
> controls
> and will only connect to a specific host?
> 

Or have the OS force a restrained environment for them to run within.
The usability and convenience offered by them isn't worth the opportunities
they proffer.