RE: [Full-disclosure] Next generation malware: Windows Vista's gadget API

To: "'Tim Brown'" <tmb@xxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: [Full-disclosure] Next generation malware: Windows Vista's gadget API
From: "Strykar" <str@xxxxxxxxxxxxxxx>
Date: Mon, 17 Sep 2007 23:04:28 +0530
Cc: <full-disclosure@xxxxxxxxxxxxxxxxx>
In-reply-to: <200709161609.27471.tmb@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <096A04F511B7FD4995AE55F13824B833213056@contoso> <E1IWXBE-0006Lp-Tz@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <636015672.20070916143432@xxxxxxxxx> <200709161609.27471.tmb@xxxxxxxxx>
Thread-index: Acf5T5yyerxn8AW8QEulSChHxMNq7QAABZWA

> 
> Firstly, "the sky isn't falling, the risks posed by the gadget API
> already
> existed elsewhere in Windows generally, but this is another new attack
> surface without any legacy dependencies".  This is my general view on
> the
> gadget API.
> 

Yahoo widgets.

 
> Finally, why on earth does the trust model for gadgets consist of full
> trust
> and nothing more.  Why not allow gadgets to state in their manifest
> that for
> example they don't need to execute things, won't make use of ActiveX
> controls
> and will only connect to a specific host?
> 

Or have the OS force a restrained environment for them to run within.
The usability and convenience offered by them isn't worth the opportunities
they proffer.

References:
- RE: Next generation malware: Windows Vista's gadget API
  - From: Roger A. Grimes
- RE: Next generation malware: Windows Vista's gadget API
  - From: Peter Gutmann
- Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
  - From: Thierry Zoller
- Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API
  - From: Tim Brown

Prev by Date: Update? Question on BID 19000
Next by Date: RE: Panda Antivirus 2008 Local Privileg Escalation (UPS they did it again)
Previous by thread: Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API
Next by thread: Re: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
Index(es):
- Date
- Thread