Microsoft has always had links to external applications. That isn't new. IE protected mode doesn't protect you as much as you assume. IE-PM protects you from drive-by downloads. If you download any program manually it is executed in normal user mode (medium integrity) or in elevated mode (high integrity) with admin rights if elevated. This is the same for any program downloaded in IE and run by the user, or for a Sidebar gadget. IE-PM protects you from the stuff the browser downloads when you surf to a web site, but not from anything you intentionally install.

I'm sorry, we'll have to agree to disagree. I don't see the new attack vector here. I, the attacker, have to make you download my malicious trojan program, which you install on your computer. I see a new piece of software that might entice users to download more programs, but that's it. The only increased risk you have is that Sidebar is installed by default on every desktop, which makes it more coveted by hackers.

But if you're worried that your users will click past 3 to 5 warning messages to install untrusted gadgets (which they will), then completely control them using group policy. You can control exactly which gadgets are allowed, or disallow them altogether.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger@xxxxxxxxxxxxxx or rogrim@xxxxxxxxxxxxx
*Author of Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*******************************************************************

-----Original Message-----
From: pgut001 [mailto:pgut001@xxxxxxxxxxxxxxxxx]
Sent: Monday, September 17, 2007 2:48 AM
To: Thierry@xxxxxxxxx
Cc: bugtraq@xxxxxxxxxxxxxxxxx; Roger A. Grimes; tmb@xxxxxxxxx; vuln-dev@xxxxxxxxxxxxxxxxx; webappsec@xxxxxxxxxxxxxxxxx
Subject: Re: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API

Thierry Zoller <Thierry@xxxxxxxxx> writes:

>PG> No, this is an entirely new level of attack,
>"New level of attack", what makes you believe that?

Because previously you had to spam users and convince them to go to some random web site and download who knows what (or follow a link in the spam, or whatever). The Vista sidebar changes this to clicking on a "Get more gadgets online" link on the desktop to go to a microsoft.com site (which then goes to a live.com site, but it's still Microsoft). The sole requirements for submitting a gadget seem to be a Windows Live ID:

  Unverified submission. Only install applications from developers you trust. This is a third-party application, and it could access your computer's files, show you objectionable content, or change its behavior at any time.

and you've got things there like:

  http://gallery.live.com/liveItemDetail.aspx?li=8214ecc3-bf7e-4502-9702-9cf7cfe8aa99&bt=1&pl=1

(not picking on this particular whatever-it-is by whoever-it-is, just using it as an example). So you've got a desktop link to a (to the typical user) Microsoft web site containing who knows what created by who knows who that, when run, gets full rights on your system:

  Gadgets are mini-applications. Although an individual gadget may only have a single need - such as reading files and information from the computer, accessing information from one or more domains, or only displaying buttons and information for a utility - the full set of gadgets mix and match needs in a huge variety of ways. In aggregate, gadgets have the same set of needs as other code.

  - http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx

  In gadget.xml, there's a /gadget/hosts/host/permissions tag. All the samples I've looked at have "Full" as the value in this tag. Are there other legal values?

  -> "Full" is indeed the only value supported for the Windows Vista Sidebar. We have documentation on the syntax of the manifest that should be ready shortly to explain all elements, attributes and allowed values.

The entire security model for the Sidebar seems to be "We'll display lots of dialogs that users have to mechanically click through before they get to see the dancing bunnies". There's no real security present that I can see, just a lot of dialog boxes to click past. In fact the blog specifically mentions things like:

  Internet Explorer Protected Mode

  Protected Mode is not applicable to gadgets as they are code present on the local computer and interact with files and APIs on the local computer.

>PG> because it's moved the dancing
>PG> bunnies problem onto the Windows desktop.
>Huh ? What is different to let's say the southpark worm we saw years
>ago? Or any other normal binary that promised to be a screensaver or similar ?

They don't have a link on the Windows desktop to a legitimate Microsoft site to download the malware.

>PG> The level of warnings is
>PG> irrelevant
>Euhm ok, so in your logic the program shouldn't run at all ?

The logic is that the program should be heavily sandboxed, run in Explorer protected mode, or have similar measures applied.

>PG> Given what an incredible attack vector they are
>What is incredible in this attack vector ? What is actually new ? What
>is the difference with the "User downloads screensaver and gets owned"
>attack vector?

See above.

Peter.
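Added example, not code from either message in the thread: a small inventory script for the manifest question both sides touch on (Peter's point that every gadget.xml declares "Full" at /gadget/hosts/host/permissions, Roger's point that an administrator should know and control which gadgets are installed). Only that element path comes from the thread; the other elements in the constructed sample manifest, and the idea that installed gadgets sit in `*.gadget` folders under a directory the caller supplies, are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Added example, not code from the thread. Constructed sample gadget.xml in the
# assumed manifest layout; only the /gadget/hosts/host/permissions path is from the thread.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<gadget>
  <name>Example Clock</name>
  <version>1.0.0.0</version>
  <hosts>
    <host name="sidebar">
      <base type="HTML" apiVersion="1.0.0" src="clock.html" />
      <permissions>Full</permissions>
    </host>
  </hosts>
</gadget>
"""

def inspect_manifest(xml_text):
    """Return (gadget name, [(host, permissions, entry file)]) for one gadget.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "gadget":
        raise ValueError("not a gadget manifest, root element is %r" % root.tag)
    name = root.findtext("name", default="<unnamed>")
    hosts = []
    for host in root.findall("hosts/host"):
        perms = (host.findtext("permissions") or "").strip()
        base = host.find("base")
        entry = base.get("src") if base is not None else None
        hosts.append((host.get("name"), perms, entry))
    return name, hosts

def audit_gadget_dir(gadget_root):
    """Walk <gadget_root>/*.gadget/gadget.xml and flag each host declared with Full trust.
    The folder holding installed gadgets is supplied by the caller (assumption, not from the thread)."""
    findings = []
    for manifest in sorted(Path(gadget_root).glob("*.gadget/gadget.xml")):
        name, hosts = inspect_manifest(manifest.read_text(encoding="utf-8"))
        for host, perms, entry in hosts:
            findings.append({"package": manifest.parent.name, "name": name,
                             "host": host, "permissions": perms, "entry": entry,
                             "full_trust": perms.lower() == "full"})
    return findings

if __name__ == "__main__":
    print(inspect_manifest(SAMPLE_MANIFEST))
```

Run `audit_gadget_dir` against the folder where gadgets are unpacked on a machine to get one record per gadget host, with `full_trust` set for every manifest that declares the only permission level the thread says the Sidebar accepts.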