Message-ID: <20b0c9a00709170703h2cc2f9bbha637f786e6de04b6@mail.gmail.com>
Date: Mon, 17 Sep 2007 07:03:14 -0700
From: "Eric Chien" <ecchien@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk, vuln-dev@...urityfocus.com, webappsec@...urityfocus.com
Subject: Re: Next generation malware: Windows Vista's gadget API
"Roger A. Grimes" <roger@...neretcs.com> writes:
>
> still click through all of them to see the dancing bunnies. I first saw
> this issue covered at the AVAR conference last year (before Vista had
> even been released), there's only the abstract online at
> http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good
> idea of what the anti-virus guys are concerned about here. Microsoft's
> coverage of gadget security at the time,
> http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx, didn't
> inspire any more trust in the design.

The biggest takeaway from my talk regarding gadgets and Vista was that these
were "normal" applications and, despite Vista's new security model, these
gadgets could do anything traditional threats can do today without causing
any UAC prompts. For example, a traditional threat today on Vista will
likely invoke a UAC prompt* (e.g. Run regkey) when attempting to stay
persistent across reboots, but an installed gadget won't invoke UAC at all
and automatically remains persistent. Furthermore, other malicious actions,
including those necessary to be an infostealer, a worm, a backdoor, and a
classic virus, did not trigger UAC either. That being said, there was a 'do
you want to install this unsigned gadget?' prompt. Be aware, this was done
pre-Vista release (RC1 I think). Things may have changed since.

A secondary concern is that gadgets' main language of choice is JavaScript.
Easy to understand, easy to modify, easy for novices to take existing
threats and roll new variants. We saw it with Loveletter back in the day and
I see it constantly on message boards ('how do I compile xyz-bot? I get an
error, unable to link foobar').

Finally, these issues are not limited to Microsoft and Vista. I demo'd
similar things for Yahoo and Google, some of which had what I would consider
even more serious problems at the time.

...Eric

* Yes, one could design something to avoid UAC, and UAC according to MS is
not a
http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html