usefulfor.com/security security dojo

27 Sep 2007

Sidebar Gadgets Attacks

Windows Vista includes the “Windows Sidebar”. This new feature allows users to display ‘gadgets’ on the sidebar and on the Windows desktop. Gadgets are small applications containing HTML, XML and JavaScript. They can be very flexible in design and function.

Gadgets are easy to install, to use and can be easily developed by any Vista user. They can enhance efficiency; they can be fun and can look good on a desktop. Windows Vista includes various gadgets by default, such as a calendar, calculator and currency converter. In addition, a large number of organisations have gadgets for download and use, such as London Underground, Amazon, ebay, etc.

Gadgets can be perceived by users as fun and harmless, but their characteristics make them a potential risk for Vista users. They run with the permissions of the logged-on user and operate outside of IE’s Protected Mode. Additionally, gadgets will usually communicate with a remote server to obtain information, and a rich gadget API containing some potentially dangerous methods is available to them.

At present there are two main classes of gadget attack:

Malicious Gadgets

These are hostile applications that users are tricked into running; they can compromise the system or capture sensitive information. The scope for a malicious gadget attack is broad:

  • Executing commands on the local system
  • Connect back shell
  • Password Gathering
  • Denial of Service
  • Phishing

Insecure Gadgets

These are poorly written gadgets that contain vulnerabilities that could allow remote command execution on the affected system.

Consider a gadget that connects to a remote web server and retrieves information about the latest news. Suppose an attacker has compromised the remote server from which the gadget receives its information, or can alter the network traffic between the user and that server.

The attacker could then change the data returned to the gadget, which is usually rendered as HTML/JavaScript. If the gadget’s code is written insecurely, the attacker could inject Gadget API calls into that data, which could lead to remote code execution.
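The root cause described above is that feed data is written straight into the gadget’s HTML, so whoever controls the feed controls the markup. The following is an added example, not code from the original post or from any of the gadgets it mentions; it assumes a hypothetical news gadget that has already parsed the feed into an array of {title, url} items and inserts the returned string into its document with innerHTML. Both fields are treated as untrusted: titles are entity-escaped so they become text rather than tags, and links are accepted only if they are plain http/https URLs.

```javascript
// Added example (not from the original post): rendering remote feed data
// inside a gadget without letting that data become markup or script.
// Assumption: the gadget has parsed its feed into [{title, url}, ...] and
// will assign the string returned by buildHeadlineHtml() to an element's
// innerHTML.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that could open a tag or break out of an
// attribute with its HTML entity, so the text is rendered, not parsed.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Allow only absolute http/https links in href. Other schemes (javascript:,
// data:, vbscript:) and anything containing quotes or angle brackets are
// rejected and the headline is rendered without a link.
function safeHref(url) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(String(url)) ? String(url) : null;
}

// Build the headline list. Because title and url both pass through the
// functions above, a tampered feed or altered network response can change
// the visible text but cannot add elements, attributes or script.
function buildHeadlineHtml(items) {
  return items.map((item) => {
    const title = escapeHtml(item.title);
    const href = safeHref(item.url);
    return href
      ? `<li><a href="${escapeHtml(href)}">${title}</a></li>`
      : `<li>${title}</li>`;
  }).join('');
}

// Constructed sample feed: the second item stands in for a tampered
// response and is shown as literal text rather than executed.
const SAMPLE_FEED = [
  { title: 'Rail strike ends', url: 'http://news.example.test/1' },
  { title: '<script>alert(1)</script>', url: 'javascript:alert(1)' },
];

console.log(buildHeadlineHtml(SAMPLE_FEED));
```

The unsafe variant this replaces is the one-liner `list.innerHTML = item.title` (or string concatenation of the raw feed into markup); the escaping step is what turns the attacker’s injected code into harmless text, and the URL check closes the second door of a link whose scheme runs script when clicked.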

Lots of gadgets have popped up from both amateurs and development companies. Of the gadgets that we have tested, a large number are vulnerable to this script injection attack.

During this research a large number of gadgets were identified as vulnerable to script injection attacks. Two widely used gadgets found to be vulnerable to this type of attack were publicly disclosed as proofs of concept. Information about the issues in these two gadgets can be found in the following locations:

ITN News Gadget

National Rail Live Enquiries Departure Board Gadget

Conclusion

This is the start of the gadget era and there are already lots of ideas about potential attacks, such as script injection, cross-site scripting, worms, parser bugs, tricking users, malicious code, etc. In the majority of cases these aren’t new dangers, but another avenue for attackers.

At this early stage, a large number of gadgets are vulnerable to attack and a number of dangers exist. This indicates a potential explosion of attacks given the current state of gadget security.

More detailed information about the dangers of gadgets, example attacks, demonstrations, best practices and recommendations can be found in the following white paper:

Considerations for the Secure Rollout of Sidebar Gadgets on Windows Vista [1] [2]

Filed under: hack-fu