[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API
From: Todd Manning <fdlist@xxxxxxxxxxxxxxxxxx>
Date: Thu, 13 Sep 2007 12:46:34 -0500

On Sep 13, 2007, at 04:16 AM, Tim Brown wrote:

> A paper has just been released on the Windows Vista's gadget API.  The
> abstract is as follows:
>
> Windows has had the ability to embed HTML into it’s user interface  
> for many
> years. Right back to and including Windows NT 4.0, it has been  
> possible to
> embed HTML into the task bar, but the OS has always maintained a  
> sandbox,
> from which the HTML has been unable to escape. All this changes  
> with Windows
> Vista. This paper seeks to inform system administrators, users and the
> wider community on both potential attack vectors using gadgets and the
> mitigations provided by Windows Vista.
>
> The full paper can be found at http://www.portcullis-security.com/ 
> 165.php.
>
>

Good paper; Since this is out there I figure I'll forward the much  
shorter article I wrote that details an attack against the contact  
gadget, which was patched last month.

https://strikecenter.bpointsys.com/articles/2007/08/26/vista-gadget- 
patches-in-ms07-048
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Next generation malware: Windows Vista's gadget API
  - From: Tim Brown

Prev by Date: Re: [Full-disclosure] Another 0day to sell.
Next by Date: Re: [Full-disclosure] Another 0day to sell.
Previous by thread: [Full-disclosure] Next generation malware: Windows Vista's gadget API
Next by thread: Re: [Full-disclosure] Next generation malware: Windows Vista's gadget API
Index(es):
- Date
- Thread