Open Source and information security mailing list archives
Date: Tue, 18 Sep 2007 10:21:34 -0700
From: Ed Patterson <epatterson@...ectApps.com>
To: pgut001 <pgut001@...auckland.ac.nz>,
	"roger@...neretcs.com" <roger@...neretcs.com>,
	"Thierry@...ler.lu" <Thierry@...ler.lu>
Cc: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"tmb@...35.com" <tmb@...35.com>,
	"vuln-dev@...urityfocus.com" <vuln-dev@...urityfocus.com>,
	"webappsec@...urityfocus.com" <webappsec@...urityfocus.com>
Subject: RE: Re[2]: [Full-disclosure] Next generation malware: Windows
 Vista's gadget API

Sirs,
The lack of a defense vector doesn't translate magically to a new attack vector. The absence of common security mitigating controls is referred to as a vulnerability. Really, all old attack vectors apply.

The secure design model for this type of application should be sandboxed by zone. The vulnerability is that the code is implicitly trusted, no sandbox is implemented, and of course it will be difficult to hold evil gadget creators to task due to the transparent lack of any accountability by everyone. Fingers are already flying.

The issue is all about an un-sandboxed application where standard best practices use and vast prior experience should have dictated it should have been sandboxed. This is a divestiture away from signed controls and towards 3rd party security programs.

So once again we have no sandbox mitigating controls, which, coupled with a firm lack of accountability per gadget, means breached operating systems. Those who have additional security programs largely make up the difference and those who don't will always be wondering why and how the vendor let them get pwned.

>(As you say, I think we'll have to agree to disagree on this one.  Let's wait
>until the phishers discover it and then revisit the topic :-).

I think bot herders will have a field day collecting new devices with this.

Ed

-----Original Message-----
From: pgut001 [mailto:pgut001@...auckland.ac.nz]
Sent: Tuesday, September 18, 2007 6:30 AM
To: pgut001@...auckland.ac.nz; roger@...neretcs.com; Thierry@...ler.lu
Cc: bugtraq@...urityfocus.com; tmb@...35.com; vuln-dev@...urityfocus.com; webappsec@...urityfocus.com
Subject: RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API

"Roger A. Grimes" <roger@...neretcs.com> writes:

>I'm sorry, we'll have to agree to disagree. I don't see the new attack vector
>here. I, the attacker, have to make you download my malicious trojan program,
>which you install on your computer.

It's not so much the attack vector, it's the usability issue.  This makes it
just too easy to convince users to download and execute untrusted content.

>But if you're worried that your users will click past 3 to 5 warning messages
>to install untrusted gadgets (which they will), then completely control them
>using group policy.

On Joe Sixpack's PC in his den?

(As you say, I think we'll have to agree to disagree on this one.  Let's wait
until the phishers discover it and then revisit the topic :-).

Peter

