Full Disclosure mailing list archives

Re: Next generation malware: Windows Vista's gadget API


From: "Eric Chien" <ecchien () gmail com>
Date: Mon, 17 Sep 2007 07:03:14 -0700

"Roger A. Grimes" <roger () banneretcs com> writes:


still click through all of them to see the dancing bunnies.  I first saw this issue covered at the AVAR conference last year (before Vista had even been released); there's only the abstract online at http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good idea of what the anti-virus guys are concerned about here.  Microsoft's coverage of gadget security at the time, http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx, didn't inspire any more trust in the design.


The biggest takeaway from my talk regarding gadgets and Vista was that these
were "normal" applications and despite Vista's new security model, these
gadgets could do anything traditional threats can do today without causing
any UAC prompts.  For example, a traditional threat today on Vista will
likely invoke a UAC prompt* (e.g. Run regkey) when attempting to stay
persistent across reboots, but an installed gadget won't invoke UAC at all
and automatically remains persistent.  Furthermore, other malicious actions
including those necessary to be an infostealer, a worm, a backdoor, and a
classic virus did not trigger UAC either.  That being said, there was a 'do
you want to install this unsigned gadget?' prompt.  Be aware, this was done
pre-Vista release (RC1 I think).  Things may have changed since.

A secondary concern is that gadgets' main language of choice is JavaScript. Easy
to understand, easy to modify, easy for novices to take existing threats and
roll new variants.  We saw it with Loveletter back in the day and I see it
constantly on message boards ('how do I compile xyz-bot? I get an error,
unable to link foobar').

Finally, these issues are not limited to Microsoft and Vista.  I demo'd
similar things for Yahoo and Google some of which had what I would consider
even more serious problems at the time.

...Eric

* Yes, one could design something to avoid UAC and UAC according to MS is not a
http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html
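Since an installed gadget stays resident across logons without ever touching the Run key or raising a UAC prompt, a per-user gadget inventory is a useful defender check. The Python below is an added example, not code from this thread; it parses gadget.xml manifests from a Sidebar gadget directory, and the default directory paths in its docstring are assumptions about the Vista layout rather than anything the post states.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed gadget.xml manifest so demo_scan() runs offline; not a real gadget.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8" ?>
<gadget>
  <name>Example Clock</name>
  <author name="Constructed Sample" />
  <hosts>
    <host name="sidebar">
      <base type="HTML" apiVersion="1.0.0" src="clock.html" />
      <permissions>Full</permissions>
    </host>
  </hosts>
</gadget>"""

def parse_manifest(xml_text):
    """Pull out what a reviewer wants: name, author, the HTML/JS entry point and permissions."""
    root = ET.fromstring(xml_text)
    author = root.find("author")
    host = root.find("./hosts/host[@name='sidebar']")
    base = host.find("base") if host is not None else None
    return {
        "name": root.findtext("name"),
        "author": author.get("name") if author is not None else None,
        "entry": base.get("src") if base is not None else None,
        "permissions": host.findtext("permissions") if host is not None else None,
    }

def scan_gadgets(root_dir):
    """Inventory each <root>/<pkg>.gadget/gadget.xml; a missing root yields [].
    Assumed default roots (not in the post): %LOCALAPPDATA%\\Microsoft\\Windows Sidebar\\Gadgets for
    per-user installs (plain "install this gadget?" prompt, no UAC) and %ProgramFiles%\\Windows Sidebar\\Gadgets.
    """
    root_dir = Path(root_dir)
    if not root_dir.is_dir():
        return []
    return [
        dict(parse_manifest(m.read_text(encoding="utf-8-sig")), path=str(m.parent))
        for m in sorted(root_dir.glob("*.gadget/gadget.xml"))
    ]

def demo_scan():
    """Drop the constructed gadget into a temp dir and inventory it; returns the records."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "clock.gadget"
        pkg.mkdir()
        (pkg / "gadget.xml").write_text(SAMPLE_MANIFEST, encoding="utf-8")
        return scan_gadgets(tmp)
```

Point scan_gadgets() at the real per-user directory to list what will be started at the next logon; anything with Full permissions and an unfamiliar author deserves a look.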
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
