lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <20b0c9a00709170703h2cc2f9bbha637f786e6de04b6@mail.gmail.com>
Date: Mon, 17 Sep 2007 07:03:14 -0700
From: "Eric Chien" <ecchien@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk, 
	vuln-dev@...urityfocus.com, webappsec@...urityfocus.com
Subject: Re: Next generation malware: Windows Vista's
	gadget API

"Roger A. Grimes" <roger@...neretcs.com> writes:

>
> still click through all of them to see the dancing bunnies.  I first saw
> this issue covered at the AVAR conference last year (before Vista had even
> been released), there's only the abstract online at
> http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good
> idea of what the anti-virus guys are concerned about here.  Microsoft's
> coverage of gadget security at the time,
> http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx, didn't
> inspire any more trust in the design.

The biggest takeaway from my talk regarding gadgets and Vista was that these
were "normal" applications and, despite Vista's new security model, these
gadgets could do anything traditional threats can do today without causing
any UAC prompts.  For example, a traditional threat today on Vista will
likely invoke a UAC prompt* (e.g. Run regkey) when attempting to stay
persistent across reboots, but an installed gadget won't invoke UAC at all
and automatically remains persistent.  Furthermore, other malicious actions,
including those necessary to be an infostealer, a worm, a backdoor, and a
classic virus, did not trigger UAC either.  That being said, there was a 'do
you want to install this unsigned gadget?' prompt.  Be aware, this was done
pre-Vista release (RC1, I think).  Things may have changed since.

A secondary concern is that gadgets' main language of choice is JavaScript.  Easy
to understand, easy to modify, easy for novices to take existing threats and
roll new variants.  We saw it with Loveletter back in the day and I see it
constantly on message boards ('how do I compile xyz-bot? I get an error,
unable to link foobar').

Finally, these issues are not limited to Microsoft and Vista.  I demoed
similar things for Yahoo and Google, some of which had what I would consider
even more serious problems at the time.

...Eric

* Yes, one could design something to avoid UAC and UAC according to MS is
not a
http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html
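The practical consequence of the point above is that a gadget is an autostart location that a Run-key audit never sees: the Sidebar host is what autostarts, and it loads whatever gadgets are installed and placed. The following audit script is an added example, not code from this message or from Microsoft. It assumes the Vista-era Sidebar layout (per-user gadgets under %LOCALAPPDATA%\Microsoft\Windows Sidebar\Gadgets, shipped and shared gadgets under %ProgramFiles%\Windows Sidebar, placed gadgets recorded as percent-encoded PrivateSetting_GadgetName values in Settings.ini, and the Sidebar host registered under the HKCU Run key as "Sidebar"); verify those assumptions on the build you audit. It lists each installed gadget with its manifest data, whether it is currently placed, and hashes of its script-bearing files so a second run can spot modified gadgets.

```powershell
# Added audit example (not code from the original message or from Microsoft).
# Assumed Vista Sidebar layout; check these paths on the build you audit.
$gadgetRoots = @(
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Sidebar\Gadgets'),   # per-user installs
    (Join-Path $env:ProgramFiles 'Windows Sidebar\Gadgets'),              # gadgets shipped with Vista
    (Join-Path $env:ProgramFiles 'Windows Sidebar\Shared Gadgets')        # machine-wide installs
)
$settingsIni = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Sidebar\Settings.ini'

function Get-Sha256Hex([string]$Path) {
    # Hash via .NET directly so this also runs on PowerShell 2.0 (no Get-FileHash).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Get-EnabledGadgetPath {
    # Assumed Settings.ini layout: one [Section N] per placed gadget, holding a
    # percent-encoded PrivateSetting_GadgetName=<path to the .gadget folder>.
    if (-not (Test-Path $settingsIni)) { return @() }
    Get-Content $settingsIni | ForEach-Object {
        if ($_ -match '^PrivateSetting_GadgetName=(.+)$') {
            [uri]::UnescapeDataString($Matches[1])
        }
    }
}

function Get-SidebarGadget {
    $enabled = @(Get-EnabledGadgetPath)
    foreach ($root in $gadgetRoots) {
        if (-not (Test-Path $root)) { continue }
        $dirs = Get-ChildItem $root -Filter '*.gadget' | Where-Object { $_.PSIsContainer }
        foreach ($dir in $dirs) {
            $manifestPath = Join-Path $dir.FullName 'gadget.xml'
            $name = $version = $author = $permissions = $entry = '(no manifest)'
            if (Test-Path $manifestPath) {
                [xml]$m = Get-Content $manifestPath
                $name        = $m.gadget.name
                $version     = $m.gadget.version
                $author      = $m.gadget.author.name
                $hostNode    = $m.gadget.hosts.host      # <host name="sidebar">
                $permissions = $hostNode.permissions     # "Full" = unrestricted script access
                $entry       = $hostNode.base.src        # HTML page the Sidebar loads
            }
            # Hash every file that can carry script, so a later run detects tampering.
            $files = Get-ChildItem $dir.FullName -Recurse -Include *.htm,*.html,*.js,*.vbs,*.xml |
                     Where-Object { -not $_.PSIsContainer }
            $hashes = foreach ($f in $files) {
                '{0}={1}' -f $f.FullName.Substring($dir.FullName.Length + 1), (Get-Sha256Hex $f.FullName)
            }
            New-Object PSObject -Property @{
                Path        = $dir.FullName
                Name        = $name
                Version     = $version
                Author      = $author
                Permissions = $permissions
                EntryPoint  = $entry
                Enabled     = ($enabled -contains $dir.FullName)   # placed in the Sidebar right now
                FileHashes  = $hashes
            }
        }
    }
}

# The only Run-key entry involved is the Sidebar host itself (assumed value name "Sidebar");
# the gadgets ride along without any Run-key entry of their own.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$sidebarRun = (Get-ItemProperty $runKey -ErrorAction SilentlyContinue).Sidebar
"Sidebar host autostart: $sidebarRun"

Get-SidebarGadget | Sort-Object Enabled -Descending |
    Format-Table Enabled, Name, Version, Permissions, EntryPoint, Path -AutoSize
```

Run it as the user whose profile you are auditing (per-user gadgets and Settings.ini live under that profile). Pipe Get-SidebarGadget to Export-Clixml on a known-clean system and diff the FileHashes on later runs; a gadget whose manifest declares Full permissions and whose script hashes changed is the case the message describes, and no Run-key audit will have flagged it.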

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/