Vuln Dev
RE: Next generation malware: Windows Vista's gadget API Sep 14 2007 07:56PM
Roger A. Grimes (roger banneretcs com) (1 replies)
RE: Next generation malware: Windows Vista's gadget API Sep 15 2007 12:55PM
pgut001 cs auckland ac nz (Peter Gutmann) (1 replies)
(The original article was cross-posted to a lot of lists, maybe the discussion
could be moved to vuln-dev only, unless everyone wants to see all of this
stuff).

"Roger A. Grimes" <roger (at) banneretcs (dot) com [email concealed]> writes:

>Yes, this is a "new" attack vector, but it is always game over anyway if I
>can get you to run my untrusted program. In my testing, installing any Vista
>sidebar gadget results in a minimum of 3 warnings, each saying that the code
>being installed could be harmful, before it is installed. 5 warnings if the
>gadget is unsigned.

No, this is an entirely new level of attack, because it's moved the dancing
bunnies problem onto the Windows desktop. The level of warnings is
irrelevant, you could have a hundred or a thousand warnings and users would
still click through all of them to see the dancing bunnies. I first saw this
issue covered at the AVAR conference last year (before Vista had even been
released), there's only the abstract online at
http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good idea
of what the anti-virus guys are concerned about here. Microsoft's coverage of
gadget security at the time,
http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx, didn't inspire
any more trust in the design.

>It's something to be aware of, because malicious hackers will exploit them,

Given what an incredible attack vector they are (it's pretty much an open
invitation to get malware onto PCs), I'm amazed there haven't been any serious
exploits yet. I guess the relatively low uptake of Vista (compared to the XP
installed base) has meant that they're not a significant target for the
malware industry just yet, since it's still more profitable to do a drive-by
iframe exploit and hit all OSes than to mount a Vista-only attack.

Peter.

[ reply ]
Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API Sep 16 2007 12:34PM
Thierry Zoller (Thierry Zoller lu) (2 replies)
Re: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API Sep 17 2007 06:47AM
pgut001 cs auckland ac nz (Peter Gutmann)


 

Privacy Statement
Copyright 2010, SecurityFocus