RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API

["Roger A. Grimes" <roger () banneretcs com>]

Microsoft has always had links to external applications.  That isn't
new.

IE protected mode doesn't protect you as much as you assume. IE-PM
protects you from drive by downloads. If you download any program
manually it is executed in normal user mode (medium integrity) or in
elevated mode (high integrity) with admin rights if elevated.  This is
the same for any program downloaded in IE and run by the user, or for a
Sidebar gadget.  IE-PM protects you from the stuff the browser downloads
when you surf to a web site, but not from anything you intentionally
install.

I'm sorry, we'll have to agree to disagree. I don't see the new attack
vector here. I, the attacker, have to make you download my malicious
trojan program, which you install on your computer.

I see a new piece of software that might entice users to download more
programs, but that's it. The only increased risk you have is that
Sidebar is installed by default on every desktop, which makes it more
coveted by hackers.  But if you're worried that your users will click
past 3 to 5 warning messages to install untrusted gadgets (which they
will), then completely control them using group policy. You can control
exactly which gadgets are allowed, or disallow them all together. 

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger () banneretcs com or rogrim () microsoft com
*Author of Windows Vista Security: Security Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*******************************************************************


-----Original Message-----
From: pgut001 [mailto:pgut001 () cs auckland ac nz] 
Sent: Monday, September 17, 2007 2:48 AM
To: Thierry () Zoller lu
Cc: bugtraq () securityfocus com; Roger A. Grimes; tmb () 65535 com;
vuln-dev () securityfocus com; webappsec () securityfocus com
Subject: Re: Re[2]: [Full-disclosure] Next generation malware: Windows
Vista's gadget API

Thierry Zoller <Thierry () Zoller lu> writes:

> PG> No, this is an entirely new level of attack,
> "New level of attack", what makes you believe that?

Because previously you had to spam users and convince them to go to some
random web site and download who knows what (or follow a link in the
spam, or whatever).  The Vista sidebar changes this to clicking on a
"Get more gadgets online" link on the desktop to go to a microsoft.com
site (which then goes to a live.com site, but it's still Microsoft).
The sole requirements for submitting a gadget seem to be a Windows Live
ID:

  Unverified submission.

  Only install applications from developers you trust. This is a
third-party
  application, and it could access your computer's files, show you
  objectionable content, or change its behavior at any time.

and you've got things there like:

http://gallery.live.com/liveItemDetail.aspx?li=8214ecc3-bf7e-4502-9702-9
cf7cfe8aa99&bt=1&pl=1

(not picking on this particular whatever-it-is by whoever-it-is, just
using it as an example).  So you've got a desktop link to a (to the
typical user) Microsoft web site containing who knows what created by
who knows who that, when run, gets full rights on your system:

  Gadgets are mini-applications. Although an individual gadget may only
have a
  single need . such as reading files and information from the computer,
  accessing information from one or more domains, or only displaying
buttons
  and information for a utility . the full set of gadgets mix and match
needs
  in a huge variety of ways. In aggregate, gadgets have the same set of
needs
  as other code.
   - http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx

  In gadget.xml, there's a /gadget/hosts/host/permissions tag. All the
samples
  I've looked at have "Full" as the value in this tag. Are there other
legal
  values?
  ->
  "Full" is indeed the only value supported for the Windows Vista
Sidebar. We
  have documentation on the syntax of the manifest that should be ready
  shortly to explain all elements, attributes and allowed values.

The entire security model for the Sidebar seems to be "We'll display
lots of dialogs that users have to mechanically click through before
they get to see the dancing bunnies".  There's no real security present
that I can see, just a lot of dialog boxes to click past.  In fact the
blog specifically mentions things like:

  Internet Explorer Protected Mode

  Protected Mode is not applicable to gadgets as they are code present
on the
  local computer and interact with files and APIs on the local computer.

> PG> because it's moved the dancing
> PG> bunnies problem onto the Windows desktop.
> Huh ? What is different to let's say the southpark worm we saw years 
> ago? Or any other normal binary that promised to be a screensaver or
similar ?

They don't have a link on the Windows desktop to a legitimate Microsoft
site to download the malware.

> PG> The level of warnings is
> PG> irrelevant
> Euhm ok, so in your logic the program shouldn't run at all ?

The logic is that the program should be heavily sandboxed, run in
Explorer protected mode, or have similar measures applied.

> PG> Given what an incredible attack vector they are
> What is incredible in this attack vector ? What is actually new ? What 
> is the differnce with the  "User downloads screensaver and get's owned"

> attack vector?

See above.

Peter.