Date: Mon, 17 Sep 2007 18:47:38 +1200
From: pgut001@...auckland.ac.nz (Peter Gutmann)
To: Thierry@...ler.lu
Cc: bugtraq@...urityfocus.com, roger@...neretcs.com, tmb@...35.com,
	vuln-dev@...urityfocus.com, webappsec@...urityfocus.com
Subject: Re: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API

Thierry Zoller <Thierry@...ler.lu> writes:

>PG> No, this is an entirely new level of attack,
>"New level of attack", what makes you believe that?

Because previously you had to spam users and convince them to go to some
random web site and download who knows what (or follow a link in the spam, or
whatever).  The Vista sidebar changes this to clicking on a "Get more gadgets
online" link on the desktop to go to a microsoft.com site (which then goes to
a live.com site, but it's still Microsoft).  The sole requirement for
submitting a gadget seems to be a Windows Live ID:

  Unverified submission.

  Only install applications from developers you trust. This is a third-party
  application, and it could access your computer's files, show you
  objectionable content, or change its behavior at any time.

and you've got things there like:

http://gallery.live.com/liveItemDetail.aspx?li=8214ecc3-bf7e-4502-9702-9cf7cfe8aa99&bt=1&pl=1

(not picking on this particular whatever-it-is by whoever-it-is, just using it
as an example).  So you've got a desktop link to a (to the typical user)
Microsoft web site containing who knows what created by who knows who that,
when run, gets full rights on your system:

  Gadgets are mini-applications. Although an individual gadget may only have a
  single need, such as reading files and information from the computer,
  accessing information from one or more domains, or only displaying buttons
  and information for a utility, the full set of gadgets mix and match needs
  in a huge variety of ways. In aggregate, gadgets have the same set of needs
  as other code.
   - http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx

  In gadget.xml, there's a /gadget/hosts/host/permissions tag. All the samples
  I've looked at have "Full" as the value in this tag. Are there other legal
  values?
  ->
  "Full" is indeed the only value supported for the Windows Vista Sidebar. We
  have documentation on the syntax of the manifest that should be ready
  shortly to explain all elements, attributes and allowed values.

The entire security model for the Sidebar seems to be "We'll display lots of
dialogs that users have to mechanically click through before they get to see
the dancing bunnies".  There's no real security present that I can see, just a
lot of dialog boxes to click past.  In fact the blog specifically mentions
things like:

  Internet Explorer Protected Mode

  Protected Mode is not applicable to gadgets as they are code present on the
  local computer and interact with files and APIs on the local computer.

>PG> because it's moved the dancing
>PG> bunnies problem onto the Windows desktop.
>Huh ? What is different to let's say the southpark worm we saw years ago? Or
>any other normal binary that promised to be a screensaver or similar ?

They don't have a link on the Windows desktop to a legitimate Microsoft site
to download the malware.

>PG> The level of warnings is
>PG> irrelevant
>Euhm ok, so in your logic the program shouldn't run at all ?

The logic is that the program should be heavily sandboxed, run in Explorer
protected mode, or have similar measures applied.

>PG> Given what an incredible attack vector they are
>What is incredible in this attack vector ? What is actually new ? What is the
>difference with the "User downloads screensaver and gets owned" attack
>vector?

See above.

Peter.
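As an added illustration of the manifest element discussed in the message above (this script is not part of the original post or of any Microsoft tooling): a small Python audit that parses a gadget.xml and reports the /gadget/hosts/host/permissions value per host. The sample manifest is constructed, and the surrounding hosts/host/base layout is assumed from the Sidebar manifest format; only the permissions path comes from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest. Only /gadget/hosts/host/permissions is quoted in
# the thread; the host/base/platform layout around it is an assumption.
SAMPLE_GADGET_XML = """<?xml version="1.0"?>
<gadget>
  <name>Example Clock</name>
  <version>1.0.0.0</version>
  <author name="Example Author"/>
  <hosts>
    <host name="sidebar">
      <base type="HTML" apiVersion="1.0.0" src="clock.html"/>
      <permissions>Full</permissions>
      <platform minPlatformVersion="1.0"/>
    </host>
  </hosts>
</gadget>
"""


def audit_gadget_manifest(xml_text):
    """Return one record per <host> with its declared permissions.

    'permissions' is None when the element is missing; 'full_rights' is True
    when the value is "Full", i.e. the gadget runs with the same rights as any
    other local code (the only value the Sidebar supports, per the thread).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "gadget":
        raise ValueError("not a gadget manifest: root element is %r" % root.tag)
    records = []
    for host in root.findall("./hosts/host"):
        perm = host.findtext("permissions")
        base = host.find("base")
        records.append({
            "name": root.findtext("name"),
            "host": host.get("name"),
            "entry": base.get("src") if base is not None else None,
            "permissions": perm.strip() if perm else None,
            "full_rights": bool(perm) and perm.strip().lower() == "full",
        })
    return records


def summarize(records):
    """One inventory line per host, flagging gadgets that run with full rights."""
    return ["%s [%s] entry=%s permissions=%s%s" % (
        r["name"], r["host"], r["entry"], r["permissions"],
        " (runs with full rights)" if r["full_rights"] else "")
        for r in records]


if __name__ == "__main__":
    for line in summarize(audit_gadget_manifest(SAMPLE_GADGET_XML)):
        print(line)
```

Point it at the gadget.xml files under an installed-gadgets directory to get a quick inventory of which gadgets declare full rights (on a Sidebar system, all of them).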
