lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1IWXBE-0006Lp-Tz@wintermute01.cs.auckland.ac.nz>
Date: Sun, 16 Sep 2007 00:55:24 +1200
From: pgut001@...auckland.ac.nz (Peter Gutmann)
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	news@...uriteam.com, roger@...neretcs.com, tmb@...35.com,
	vuln-dev@...urityfocus.com, webappsec@...urityfocus.com
Subject: RE: Next generation malware: Windows Vista's gadget API

(The original article was cross-posted to a lot of lists, maybe the discussion
 could be moved to vuln-dev only, unless everyone wants to see all of this
 stuff).

"Roger A. Grimes" <roger@...neretcs.com> writes:

>Yes, this is a "new" attack vector, but it is always game over anyway if I
>can get you to run my untrusted program.  In my testing, installing any Vista
>sidebar gadget results in a minimum of 3 warnings, each saying that the code
>being installed could be harmful, before it is installed. 5 warnings if the
>gadget is unsigned.

No, this is an entirely new level of attack, because it's moved the dancing
bunnies problem onto the Windows desktop.  The level of warnings is
irrelevant, you could have a hundred or a thousand warnings and users would
still click through all of them to see the dancing bunnies.  I first saw this
issue covered at the AVAR conference last year (before Vista had even been
released), there's only the abstract online at
http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good idea
of what the anti-virus guys are concerned about here.  Microsoft's coverage of
gadget security at the time,
http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx, didn't inspire
any more trust in the design.

>It's something to be aware of, because malicious hackers will exploit them,

Given what an incredible attack vector they are (it's pretty much an open
invitation to get malware onto PCs), I'm amazed there haven't been any serious
exploits yet.  I guess the relatively low uptake of Vista (compared to the XP
installed base) has meant that they're not a significant target for the
malware industry just yet, since it's still more profitable to do a drive-by
iframe exploit and hit all OSes than to mount a Vista-only attack.

Peter.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ