[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1IWXBE-0006Lp-Tz@wintermute01.cs.auckland.ac.nz>
Date: Sun, 16 Sep 2007 00:55:24 +1200
From: pgut001@...auckland.ac.nz (Peter Gutmann)
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
news@...uriteam.com, roger@...neretcs.com, tmb@...35.com,
vuln-dev@...urityfocus.com, webappsec@...urityfocus.com
Subject: Re: Next generation malware: Windows Vista's
gadget API
(The original article was cross-posted to a lot of lists, maybe the discussion
could be moved to vuln-dev only, unless everyone wants to see all of this
stuff).
"Roger A. Grimes" <roger@...neretcs.com> writes:
>Yes, this is a "new" attack vector, but it is always game over anyway if I
>can get you to run my untrusted program. In my testing, installing any Vista
>sidebar gadget results in a minimum of 3 warnings, each saying that the code
>being installed could be harmful, before it is installed. 5 warnings if the
>gadget is unsigned.
No, this is an entirely new level of attack, because it's moved the dancing
bunnies problem onto the Windows desktop. The level of warnings is
irrelevant, you could have a hundred or a thousand warnings and users would
still click through all of them to see the dancing bunnies. I first saw this
issue covered at the AVAR conference last year (before Vista had even been
released), there's only the abstract online at
http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good idea
of what the anti-virus guys are concerned about here. Microsoft's coverage of
gadget security at the time,
http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx, didn't inspire
any more trust in the design.
>It's something to be aware of, because malicious hackers will exploit them,
Given what an incredible attack vector they are (it's pretty much an open
invitation to get malware onto PCs), I'm amazed there haven't been any serious
exploits yet. I guess the relatively low uptake of Vista (compared to the XP
installed base) has meant that they're not a significant target for the
malware industry just yet, since it's still more profitable to do a drive-by
iframe exploit and hit all OSes than to mount a Vista-only attack.
Peter.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists