RE: Next generation malware: Windows Vista's gadget API

(The original article was cross-posted to a lot of lists, maybe the discussion  could be moved to vuln-dev only, unless everyone wants to see all of this  stuff).

"Roger A. Grimes" <roger@banneretcs.com> writes:

>Yes, this is a "new" attack vector, but it is always game over anyway if I
>can get you to run my untrusted program. In my testing, installing any Vista
>sidebar gadget results in a minimum of 3 warnings, each saying that the code
>being installed could be harmful, before it is installed. 5 warnings if the
>gadget is unsigned.

No, this is an entirely new level of attack, because it's moved the dancing bunnies problem onto the Windows desktop. The level of warnings is irrelevant, you could have a hundred or a thousand warnings and users would still click through all of them to see the dancing bunnies. I first saw this issue covered at the AVAR conference last year (before Vista had even been released), there's only the abstract online at http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good idea of what the anti-virus guys are concerned about here. Microsoft's coverage of gadget security at the time,
http://blogs.msdn.com/sidebar/archive/2006/08/31/733880.aspx, didn't inspire any more trust in the design.

>It's something to be aware of, because malicious hackers will exploit them,

Given what an incredible attack vector they are (it's pretty much an open invitation to get malware onto PCs), I'm amazed there haven't been any serious exploits yet. I guess the relatively low uptake of Vista (compared to the XP installed base) has meant that they're not a significant target for the malware industry just yet, since it's still more profitable to do a drive-by iframe exploit and hit all OSes than to mount a Vista-only attack.

Peter. Received on Mon Sep 17 12:30:57 2007