[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1IXAOQ-0004bv-8t@wintermute01.cs.auckland.ac.nz>
Date: Mon, 17 Sep 2007 18:47:38 +1200
From: pgut001@...auckland.ac.nz (Peter Gutmann)
To: Thierry@...ler.lu
Cc: bugtraq@...urityfocus.com, roger@...neretcs.com, tmb@...35.com,
vuln-dev@...urityfocus.com, webappsec@...urityfocus.com
Subject: Re: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
Thierry Zoller <Thierry@...ler.lu> writes:
>PG> No, this is an entirely new level of attack,
>"New level of attack", what makes you believe that?
Because previously you had to spam users and convince them to go to some
random web site and download who knows what (or follow a link in the spam, or
whatever). The Vista sidebar changes this to clicking on a "Get more gadgets
online" link on the desktop to go to a microsoft.com site (which then goes to
a live.com site, but it's still Microsoft). The sole requirements for
submitting a gadget seem to be a Windows Live ID:
Unverified submission.
Only install applications from developers you trust. This is a third-party
application, and it could access your computer's files, show you
objectionable content, or change its behavior at any time.
and you've got things there like:
http://gallery.live.com/liveItemDetail.aspx?li=8214ecc3-bf7e-4502-9702-9cf7cfe8aa99&bt=1&pl=1
(not picking on this particular whatever-it-is by whoever-it-is, just using it
as an example). So you've got a desktop link to a (to the typical user)
Microsoft web site containing who knows what created by who knows who that,
when run, gets full rights on your system:
Gadgets are mini-applications. Although an individual gadget may only have a
single need . such as reading files and information from the computer,
accessing information from one or more domains, or only displaying buttons
and information for a utility . the full set of gadgets mix and match needs
in a huge variety of ways. In aggregate, gadgets have the same set of needs
as other code.
- http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx
In gadget.xml, there's a /gadget/hosts/host/permissions tag. All the samples
I've looked at have "Full" as the value in this tag. Are there other legal
values?
->
"Full" is indeed the only value supported for the Windows Vista Sidebar. We
have documentation on the syntax of the manifest that should be ready
shortly to explain all elements, attributes and allowed values.
The entire security model for the Sidebar seems to be "We'll display lots of
dialogs that users have to mechanically click through before they get to see
the dancing bunnies". There's no real security present that I can see, just a
lot of dialog boxes to click past. In fact the blog specifically mentions
things like:
Internet Explorer Protected Mode
Protected Mode is not applicable to gadgets as they are code present on the
local computer and interact with files and APIs on the local computer.
>PG> because it's moved the dancing
>PG> bunnies problem onto the Windows desktop.
>Huh ? What is different to let's say the southpark worm we saw years ago? Or
>any other normal binary that promised to be a screensaver or similar ?
They don't have a link on the Windows desktop to a legitimate Microsoft site
to download the malware.
>PG> The level of warnings is
>PG> irrelevant
>Euhm ok, so in your logic the program shouldn't run at all ?
The logic is that the program should be heavily sandboxed, run in Explorer
protected mode, or have similar measures applied.
>PG> Given what an incredible attack vector they are
>What is incredible in this attack vector ? What is actually new ? What is the
>differnce with the "User downloads screensaver and get's owned" attack
>vector?
See above.
Peter.
Powered by blists - more mailing lists