Firstly, "the sky isn't falling, the risks posed by the gadget API already existed elsewhere in Windows generally, but this is another new attack surface without any legacy dependencies". This is my general view on the gadget API. On Sunday 16 September 2007 13:34:32 Thierry Zoller wrote: > PG> No, this is an entirely new level of attack, > "New level of attack", what makes you believe that? As I previously stated, unlike Peter I don't consider this a new level of attack, I'm just a bit surprised that the threat model wasn't examined by Microsoft a little more closely before they decided to include the gadget API. Unlike other APIs that Microsoft have released there was no legacy requirement to include all of the new functionality highlighted in my paper. Moreover, irrespective of the design decisions how did at least 3 Microsoft gadgets get through SDL without input validation being tested and the vulnerabilities. > PG> because it's moved the dancing > PG> bunnies problem onto the Windows desktop. > Huh ? What is different to let's say the southpark worm we saw years > ago? Or any other normal binary that promised to be a screensaver or > similar ? Because it's not just about downloading rogue gadgets. I don't want to overhype the gadget API - it's just another attack surface after all - but if you look at all the PoCs so far, the greater risk comes from malware being injected into 'trusted' gadgets. > PG> Given what an incredible attack vector they are > What is incredible in this attack vector ? What is actually new ? > What is the differnce with the "User downloads screensaver and get's > owned" attack vector ? Allowing gadgets - trusted or otherwise - to download and execute arbitrary parts of the internet becomes a tad more dangerous when you explicitly allow them access to APIs for reading and write arbitrary files (subject to Vista ACLs) and executing arbitrary binaries. The process of securing IE has largely been to remove and mitigate such vectors by which this can occur, so why reintroduce them in non-legacy code. Finally, why on earth does the trust model for gadgets consist of full trust and nothing more. Why not allow gadgets to state in their manifest that for example they don't need to execute things, won't make use of ActiveX controls and will only connect to a specific host? Tim -- Tim Brown <mailto:tmb@xxxxxxxxx>
