[Full-disclosure] Next generation malware: Windows Vista's gadget API
Todd Manning
fdlist at digitaloffense.net
Thu Sep 13 18:46:34 BST 2007
On Sep 13, 2007, at 04:16 AM, Tim Brown wrote:
> A paper has just been released on the Windows Vista's gadget API. The
> abstract is as follows:
>
> Windows has had the ability to embed HTML into it’s user interface
> for many
> years. Right back to and including Windows NT 4.0, it has been
> possible to
> embed HTML into the task bar, but the OS has always maintained a
> sandbox,
> from which the HTML has been unable to escape. All this changes
> with Windows
> Vista. This paper seeks to inform system administrators, users and the
> wider community on both potential attack vectors using gadgets and the
> mitigations provided by Windows Vista.
>
> The full paper can be found at http://www.portcullis-security.com/
> 165.php.
>
>
Good paper; Since this is out there I figure I'll forward the much
shorter article I wrote that details an attack against the contact
gadget, which was patched last month.
https://strikecenter.bpointsys.com/articles/2007/08/26/vista-gadget-
patches-in-ms07-048
Full-Disclosure is hosted and sponsored by Secunia.