2007-09-16 16:29:56
By Tim Brown
Firstly, "the sky isn't falling, the risks posed by the gadget API already existed elsewhere in Windows generally, but this is another new attack surface without any legacy dependencies". This is my general view on the gadget API.
Pete said:
No, this is an entirely new level of attack
Thierry said:
"New level of attack", what makes you believe that?
As I previously stated, unlike Peter I don't consider this a new level of attack, I'm just a bit surprised that the threat model wasn't examined by Microsoft a little more closely before they decided to include the gadget API. Unlike other APIs that Microsoft have released there was no legacy requirement to include all of the new functionality highlighted in my paper. Moreover, irrespective of the design decisions how did at least 3 Microsoft gadgets get through SDL without input validation being tested and the vulnerabilities identified.
Pete said:
because it's moved the dancing bunnies problem onto the Windows desktop.
Thierry said:
Huh ? What is different to let's say the southpark worm we saw years ago? Or any other normal binary that promised to be a screensaver or similar ?
Because it's not just about downloading rogue gadgets. I don't want to overhype the gadget API - it's just another attack surface after all - but if you look at all the PoCs so far, the greater risk comes from malware being injected into 'trusted' gadgets.
Pete said:
Given what an incredible attack vector they are
Thierry said:
What is incredible in this attack vector ? What is actually new ? What is the differnce with the "User downloads screensaver and get's owned" attack vector ?
Allowing gadgets - trusted or otherwise - to download and execute arbitrary parts of the internet becomes a tad more dangerous when you explicitly allow them access to APIs for reading and write arbitrary files (subject to Vista ACLs) and executing arbitrary binaries. The process of securing IE has largely been to remove and mitigate such vectors by which this can occur, so why reintroduce them in non-legacy code.
Finally, why on earth does the trust model for gadgets consist of full trust and nothing more. Why not allow gadgets to state in their manifest that for example they don't need to execute things, won't make use of ActiveX controls and will only connect to a specific host?
Mood: Lazy
Music: Nothing playing right now
You are unknown, comment