RE: Next generation malware: Windows Vista's gadget API

Great overview, Todd!
I've just wanted to mention that MS downplayed the vulnerabilities I've found in Vista's Sidebar gadgets.
In my blog post
(http://aviv.raffon.net/2007/08/16/VistaGadgetsGoneWild.aspx), I've demonstrated a scenario where a worm can be propagated by exploiting the vulnerability in the RSS feeds gadget.
I don't understand why Microsoft rated this vulnerability as important, instead of critical.

--Aviv.

-----Original Message-----
From: Todd Manning [mailto:sflist@digitaloffense.net] Sent: Thursday, September 13, 2007 8:47 PM To: bugtraq@securityfocus.com
Subject: Re: Next generation malware: Windows Vista's gadget API

On Sep 13, 2007, at 04:16 AM, Tim Brown wrote:

> A paper has just been released on the Windows Vista's gadget API. The
> abstract is as follows:
>
> Windows has had the ability to embed HTML into it's user interface
> for many
> years. Right back to and including Windows NT 4.0, it has been
> possible to
> embed HTML into the task bar, but the OS has always maintained a
> sandbox,
> from which the HTML has been unable to escape. All this changes
> with Windows
> Vista. This paper seeks to inform system administrators, users and the
> wider community on both potential attack vectors using gadgets and the
> mitigations provided by Windows Vista.
>
> The full paper can be found at http://www.portcullis-security.com/
> 165.php.
>

Good paper; Since this is out there I figure I'll forward the much shorter article I wrote that details an attack against the contact gadget, which was patched last month.

https://strikecenter.bpointsys.com/articles/2007/08/26/vista-gadget- patches-in-ms07-048 Received on Mon Sep 17 12:18:54 2007