Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API



(The original article was cross-posted to a lot of lists, maybe the discussion
could be moved to vuln-dev only, unless everyone wants to see all of this
stuff).

"Roger A. Grimes" <roger@xxxxxxxxxxxxxx> writes:

> Yes, this is a "new" attack vector, but it is always game over anyway if I
> can get you to run my untrusted program. In my testing, installing any Vista
> sidebar gadget results in a minimum of 3 warnings, each saying that the code
> being installed could be harmful, before it is installed. 5 warnings if the
> gadget is unsigned.

No, this is an entirely new level of attack, because it's moved the dancing
bunnies problem onto the Windows desktop. The level of warnings is
irrelevant, you could have a hundred or a thousand warnings and users would
still click through all of them to see the dancing bunnies. I first saw this
issue covered at the AVAR conference last year (before Vista had even been
released), there's only the abstract online at
http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good idea
of what the anti-virus guys are concerned about here. Microsoft's coverage of
gadget security at the time,
http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx, didn't inspire
any more trust in the design.

> It's something to be aware of, because malicious hackers will exploit them,

Given what an incredible attack vector they are (it's pretty much an open
invitation to get malware onto PCs), I'm amazed there haven't been any serious
exploits yet. I guess the relatively low uptake of Vista (compared to the XP
installed base) has meant that they're not a significant target for the
malware industry just yet, since it's still more profitable to do a drive-by
iframe exploit and hit all OSes than to mount a Vista-only attack.

Peter.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
