Full Disclosure mailing list archives
Re: Next generation malware: Windows Vista's gadget API
From: "Eric Chien" <ecchien () gmail com>
Date: Mon, 17 Sep 2007 07:03:14 -0700
"Roger A. Grimes" <roger () banneretcs com> writes:
still click through all of them to see the dancing bunnies. I first saw this issue covered at the AVAR conference last year (before Vista had even been released), there's only the abstract online at http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good idea of what the anti-virus guys are concerned about here. Microsoft's coverage of gadget security at the time, http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx, didn't inspire any more trust in the design.
The biggest takeaway from my talk regarding gadgets and Vista was that these were "normal" applications and, despite Vista's new security model, these gadgets could do anything traditional threats can do today without causing any UAC prompts. For example, a traditional threat today on Vista will likely invoke a UAC prompt* (e.g. Run regkey) when attempting to stay persistent across reboots, but an installed gadget won't invoke UAC at all and automatically remains persistent. Furthermore, other malicious actions, including those necessary to be an infostealer, a worm, a backdoor, and a classic virus, did not trigger UAC either. That being said, there was a 'do you want to install this unsigned gadget?' prompt. Be aware, this was done pre-Vista release (RC1 I think). Things may have changed since.

A secondary concern is that gadgets' main language of choice is JavaScript. Easy to understand, easy to modify, easy for novices to take existing threats and roll new variants. We saw it with Loveletter back in the day and I see it constantly on message boards ('how do I compile xyz-bot? I get an error, unable to link foobar').

Finally, these issues are not limited to Microsoft and Vista. I demo'd similar things for Yahoo and Google, some of which had what I would consider even more serious problems at the time.

...Eric

* Yes, one could design something to avoid UAC, and UAC according to MS is not a http://www.networkworld.com/news/2007/021407-microsoft-uac-not-a-security.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/