Re: Next generation malware: Windows Vista's gadget API

[Tim Brown <tmb () 65535 com>]

On Saturday 15 September 2007 13:55:24 Peter Gutmann wrote:
> (The original article was cross-posted to a lot of lists, maybe the
> discussion could be moved to vuln-dev only, unless everyone wants to see
> all of this stuff).

I shall respond in turn to the interesting points from all responses.

Peter wrote:
> I first saw
> this issue covered at the AVAR conference last year (before Vista had even
> been released), there's only the abstract online at
> http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good
> idea of what the anti-virus guys are concerned about here.

Eric's talk seems to be a good start on risk analysis of gadgets generically.   
The design of Vista gadgets seems particularly troubling since it seemed to 
have several design flaws which were the subject of the paper.

> Given what an incredible attack vector they are (it's pretty much an open
> invitation to get malware onto PCs), I'm amazed there haven't been any
> serious exploits yet.  I guess the relatively low uptake of Vista (compared
> to the XP installed base) has meant that they're not a significant target
> for the malware industry just yet, since it's still more profitable to do a
> drive-by iframe exploit and hit all OSes than to mount a Vista-only attack.

Likewise, I was amazed when I got the tip off about gadgets from a developer  
friend at the turn of the year.  We've seen 3 PoC exploits so far, so I'm 
sure the malware community will be taking note. 

Todd wrote:
> Good paper; Since this is out there I figure I'll forward the much  
> shorter article I wrote that details an attack against the contact  
> gadget, which was patched last month.

Thanks, it's pretty interesting to see the various PoC coming out in almost in 
synchronisation with the paper.  I'm glad I'm not the only one concerned by 
the functionality they provide.

Roger wrote:
> Yes, this is a "new" attack vector, but it is always game over anyway if
> I can get you to run my untrusted program.  In my testing, installing
> any Vista sidebar gadget results in a minimum of 3 warnings, each saying
> that the code being installed could be harmful, before it is installed.
> 5 warnings if the gadget is unsigned. 

New, maybe not... it's simply an mashup (to use another buzzword ;)) of 
numerous existing attack vectors.  What's interesting here for me is that the 
gadget API is a new codebase and still we're facing Microsoft making the same 
old mistakes.  Honestly, irrespective of design flaws, how did the already 
reported vulnerable gadgets make it through the SDL.  We're talking about 
basic input validation flaws in a web app after all.  That for me is the 
crux.  It's not just about the dangers of installing rogue gadgets but the 
exploitation of existing gadgets.

> It's something to be aware of, because malicious hackers will exploit
> them, and many end-users will ignore any warning, but not the most
> worrisome problem on my plate.  Secondly, I can completely control the
> install of any gadgets in my environment using Active Directory group
> policies to a granular level.

I would like to think my paper is fair in this regard.  I have provided 
details of Microsoft's mitigations including the AD policy stuff in the 
references section of the paper.

Aviv wrote:
> I don't understand why Microsoft rated this vulnerability as important,
> instead of critical.

As Peter wrote, maybe its the size of the install base ;).  I would guess that 
it's because you'll only end up with user level accounts.  Although I suspect 
haven't counted on ad fraud attacks, hijacking of cookies etc in their risk 
analysis.

Tim
-- 
Tim Brown
<mailto:tmb () 65535 com>