Vulnerabilities in Gadgets Could Allow Remote Code Execution

MowGreen

Microsoft Security Advisory (2719662)
Vulnerabilities in Gadgets Could Allow Remote Code Execution
https://technet.microsoft.com/en-us/security/advisory/2719662

" Microsoft is announcing the availability of an automated Microsoft Fix
it solution that disables the Windows Sidebar and Gadgets on supported
editions of Windows Vista and Windows 7. Disabling the Windows Sidebar
and Gadgets can help protect customers from vulnerabilities that involve
the execution of arbitrary code by the Windows Sidebar when running
insecure Gadgets. In addition, Gadgets installed from untrusted sources
can harm your computer and can access your computer's files, show you
objectionable content, or change their behavior at any time.

An attacker who successfully exploited a Gadget vulnerability could run
arbitrary code in the context of the current user. If the current user
is logged on with administrative user rights, an attacker could take
complete control of the affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with full
user rights. Users whose accounts are configured to have fewer user
rights on the system could be less impacted than users who operate with
administrative user rights.

Applying the automated Microsoft Fix It solution described in Microsoft
Knowledge Base Article 2719662
( http://support.microsoft.com/kb/2719662 )
disables the Windows Sidebar experience and all Gadget functionality.

Recommendation. Customers who are concerned about vulnerable or
malicious Gadgets should apply the automated Fix It solution as soon as
possible. For more information, see the Suggested Actions section of
this advisory. "


Kill those Vista and Win7 gadgets now!
http://windowssecrets.com/top-story/kill-those-vista-and-win7-gadgets-now/

The presentation on the sidebar and gadgets vulnerability (ies) takes
place @Black Hat by Mickey Shkatov and Toby Kohlenberg next Thursday,
July 26th. As yet, thankfully, few details have been released other than

" We will be talking about the windows gadget platform and what the
nastiness that can be done with it, how are gadgets made, how are they
distributed and more importantly their weaknesses. Gadgets are comprised
of JS, CSS and HTML and are application that the Windows operating
system has embedded by default. As a result there are a number of
interesting attack vectors that are interesting to explore and take
advantage of.

We will be talking about our research into creating malicious gadgets,
misappropriating legitimate gadgets and the sorts of flaws we have found
in published gadgets. "


MowGreen
================
*-343-* FDNY
Never Forgotten
================
 
John Williamson

MowGreen said:
Microsoft Security Advisory (2719662)
Vulnerabilities in Gadgets Could Allow Remote Code Execution
https://technet.microsoft.com/en-us/security/advisory/2719662

" Microsoft is announcing the availability of an automated Microsoft Fix
it solution that disables the Windows Sidebar and Gadgets on supported
editions of Windows Vista and Windows 7. Disabling the Windows Sidebar
and Gadgets can help protect customers from vulnerabilities that involve
the execution of arbitrary code by the Windows Sidebar when running
insecure Gadgets. In addition, Gadgets installed from untrusted sources
can harm your computer and can access your computer's files, show you
objectionable content, or change their behavior at any time.
Going back to XP's looking like a better idea all the time.
 
John Williamson

Alias said:
I assume that doesn't apply to Microsoft gadgets such as the weather,
clock, etc but only applies to third party gadgets.
Bet on that? With Microsoft's record? ;-)
 
Char Jackson

I assume that doesn't apply to Microsoft gadgets such as the weather,
clock, etc but only applies to third party gadgets.
My assumption is that the warning applies to the entire gadget
platform, including the Microsoft aspects. Stand by for further
clarification, I guess.
 
Char Jackson

Going back to XP's looking like a better idea all the time.
As each day passes, going back to XP looks like a worse idea to me. XP
is fading into the sunset, and I'm not big enough or strong enough to
prevent that.
 
Paul

Alias said:
I assume that doesn't apply to Microsoft gadgets such as the weather,
clock, etc but only applies to third party gadgets.
It sounds like they're turning off the subsystem, so that no JS, CSS, HTML
wrapped as a gadget, gets to launch. And that means all the gadgets stop working,
because they can no longer launch after the Fixit is applied.

Well, I guess that's a few less square yards of attack surface. I'm feeling
more secure already.

Paul
 
(PeteCresswell)

Per Char Jackson:
As each day passes, going back to XP looks like a worse idea to me. XP
is fading into the sunset, and I'm not big enough or strong enough to
prevent that.
If Char says it, that gets my attention.

I was flirting with conversion to 7 quite a few months ago, but
never followed through.

Is anybody currently subscribing to MSDN?

I've been through a couple of subscriptions, but that was way
back when they shipped a bunch of DVDs.

A major selling point with me was the 10-or-so XP licenses that
came with the subscription. I use almost all of them on my
various PCs.

Do they offer the same deal for Windows 7 with the new
download-based MSDN subscriptions?

If so, do those and whatever other licenses persist after the
annual subscription has expired? Or do they go "Poof!" and the
user is locked into subscribing every year from then on?
 
Dave \Crash\ Dummy

John said:
Going back to XP's looking like a better idea all the time.
Going back to XP won't stop you from installing malware. The
vulnerability is to user installed, third party gadgets, not MS gadgets.
Neither XP nor Windows 7 are immune to idiots.
 
Char Jackson

Per Char Jackson:

If Char says it, that gets my attention.
Big mistake. No one listens to me. Not even me. :)
I was flirting with conversion to 7 quite a few months ago, but
never followed through.

Is anybody currently subscribing to MSDN?
I'm aware of it but never subscribed. I hope someone answers your
questions because I'm interested, as well.
 
Char Jackson

Going back to XP won't stop you from installing malware. The
vulnerability is to user installed, third party gadgets, not MS gadgets.
Neither XP nor Windows 7 are immune to idiots.
I mostly skimmed the article, but it sounded to me like the MS gadgets
were equally (or primarily, even) the subject of concern.
 
Dave \Crash\ Dummy

Char said:
I mostly skimmed the article, but it sounded to me like the MS
gadgets were equally (or primarily, even) the subject of concern.
I don't use gadgets, so I don't know how they work, but vulnerable to
what? They would have to be exploited by installed malware or remotely
via an open port.
 
Gene Wirchenko

[snip]
As each day passes, going back to XP looks like a worse idea to me. XP
is fading into the sunset, and I'm not big enough or strong enough to
prevent that.
I still use XP on my main box. I expect I will continue to do so
until it dies. I would not try switching my 7 box to XP though.

Sincerely,

Gene Wirchenko
 
John Williamson

Dave said:
I don't use gadgets, so I don't know how they work, but vulnerable to
what? They would have to be exploited by installed malware or remotely
via an open port.
I run two gadgets. One tells me the CPU load, the other the HD activity.
They seem to give me this information by calling the same routines used
by Task Manager, so they have access to at least that part of the
Windows API. I've not checked the code to see what other OS routines it
has access to and via which ports. The main problem may be that most
gadgets of this sort have ring 1 access to the OS by default.
 
Char Jackson

I don't use gadgets, so I don't know how they work, but vulnerable to
what? They would have to be exploited by installed malware or remotely
via an open port.
I think that's exactly what the concern is about, being easily
exploited by malware.
 
Joe Morris

Big mistake. No one listens to me. Not even me. :)
Windows 7, *if* properly used and configured (including, among several other
options, running with *all* users subject to UAC (NO automatic elevation!),
and preferably with the normally-used account not being an administrator)
has a significantly better security posture than does Windows XP.

Note that you can configure UAC so that if a non-administrator asks that a
process be run elevated, that can be done by entering an administrator's
credentials. You don't have to log off and then log back on as an
administrator.

Even if Windows 7 didn't improve security, as a practical matter XP should
be shut down for good no later than 8 April 2014: that's when Microsoft
stops providing bugfixes for security vulnerabilities.

An upgrade from XP to Windows 7 - especially if that includes transitioning
from 32-bit XP to 64-bit Win7 - is something you do not want to do on a
short schedule. It's quite likely that you will have programs that don't
run and will need to be upgraded or replaced; the same comment applies to
device drivers for a large number of hardware products.

(I suspect that the readership here remembers the howls of anguish a few
years ago when users with non-current-production scanners discovered that
there were *no* device drivers to be found that would work with Vista - and
much of that was occurring with 32-bit Vista. Consider the chances of that
problem showing up when you jump over Vista and go directly to Win7.)

When my POE began to support 64-bit Windows 7 in mid-2010 my monthly
briefing listed the incompatible software that could not be transitioned
from 32-bit XP - and that list occupied six full slides. It took about a
year before I no longer needed to include anything in the report. (The
number of affected users varied by product, ranging from a couple of hundred
people to one person with a critical application.)

I'm aware of it but never subscribed. I hope someone answers your
questions because I'm interested, as well.
Um...the license you get with MSDN is (as the MSDN name implies) for
*development* and *testing*. Without getting bogged down in a discussion of
what percentage of MSDN subscribers comply with the terms, the license is
explicitly not valid for "normal" use of the software.

Also, in response to the massive leakage, most of the product IDs for MSDN
and Technet download products are now limited to five installations,
although if you need more you can call MS.


Unless something's changed while I wasn't looking (wouldn't be the first
time with MS license terms...) the MSDN licenses you are using do not expire
with the subscription - but you cannot get new product IDs.

Joe
 
Joe Morris

Char Jackson said:
Dave \"Crash\" Dummy said:
John said:
MowGreen wrote:
Microsoft Security Advisory (2719662) Vulnerabilities in Gadgets
Could Allow Remote Code Execution
https://technet.microsoft.com/en-us/security/advisory/2719662 [...]
Going back to XP's looking like a better idea all the time.
Going back to XP won't stop you from installing malware. The
vulnerability is to user installed, third party gadgets, not MS gadgets.
Neither XP nor Windows 7 are immune to idiots.
I mostly skimmed the article, but it sounded to me like the MS gadgets
were equally (or primarily, even) the subject of concern.
I don't have enough information on that to justify a personal opinion, but
the analyses I've seen of the issue suggest that the problem is primarily
the difficulty of producing secure gadgets and not the MS-supplied gadgets.
Most gadgets talk to the outside world, and (by definition) talk to the
user's desktop...meaning that malware - either deliberately written into
the gadget, or injected into it through a vulnerability - could do all sorts
of "interesting" things without the computer owner's knowledge or consent.

I'll admit that there's some interesting speculation on why Microsoft
abruptly pulled the "Gallery" distribution web pages but with no public
explanation other than posting "we're changing our recommendation: kill the
gadgets!"

And I trust that many of the readers here have already noted the absence of
gadgets (or at least gadgets as we've come to know them) in Windows 8.

Joe
 
Stan Brown

Windows 7, *if* properly used and configured (including, among several other
options, running with *all* users subject to UAC (NO automatic elevation!),
...
has a significantly better security posture than does Windows XP.
I agree. "Going back to Windows XP" is about as sensible as going
back to 1970's cars because today's cars are not 100% perfectly
crashproof.
and preferably with the normally-used account not being an administrator)
That was good advice for Windows XP. I don't know about Vista, but
for Windows 7 what's the advantage to the normally-used account not
being an administrator? Sure, you could set up a guest account for
the grandkids, but with UAC enabled even an admin account still has
to give specific permission for program installs and other sensitive
operations. I don't see any problem with a grownup having admin
privileges on one's regular account.

Am I missing something? Can you enlighten me?
 
Joe Morris

I agree. "Going back to Windows XP" is about as sensible as going
back to 1970's cars because today's cars are not 100% perfectly
crashproof.
That was good advice for Windows XP. I don't know about Vista, but
for Windows 7 what's the advantage to the normally-used account not
being an administrator? Sure, you could set up a guest account for
the grandkids, but with UAC enabled even an admin account still has
to give specific permission for program installs and other sensitive
operations. I don't see any problem with a grownup having admin
privileges on one's regular account.

Am I missing something? Can you enlighten me?
One issue is human behavior. In a system configured to use consent (i.e.,
just click "OK") to respond to a request for the administrator token a user
who is running on an administrator account is likely to get into the habit
of approving the requests - even if (as I should have included in the
recommendations) the UAC challenge is delivered on the secure desktop.

Adding the requirement that an action that requires the administrator token
be performed while logged in as the (infrequently used) account that has
administrator privileges, or at least requiring that the user provide the
credentials of such an account - and not the credentials used to log onto
the machine in this session - provides the interruption to the user's train
of thought that hopefully triggers the question of just *why* this program
is asking for permission to modify the system.

And of course you can configure UAC to use any of several different levels
of paranoia, and high UAC paranoia levels might for some users deliver an
acceptable level of protection even if other security controls (such as
avoiding the use of administrator accounts for normal operations) are not
used.

Each user needs to identify their appropriate security configuration since
"one size fits all" as usual means that the one size fits nobody. The fact
that you questioned my comment shows that one of my purposes in writing the
posting has been achieved: the issue of account privileges is being
discussed.

Joe
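The UAC behaviours Joe is describing (silent elevation, consent click, credential prompt, secure desktop) map onto a handful of registry policy values. The script below is an added example, not something from the thread or from Microsoft's advisory: it reads those values on the local machine and reports the configuration in the terms used above. The registry path and value meanings are the documented Windows UAC policy settings; the defaults assumed for absent values are the Windows 7 defaults, the risk wording and the `whoami`-based group check are this example's own.

```powershell
# Added example (not from the thread): audit local UAC policy values.
# Assumed Windows 7 defaults are used when a value is absent.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

function Get-PolicyValue($props, $name, $default) {
    # Return the DWORD if present, otherwise the assumed default.
    if ($null -ne $props.$name) { return [int]$props.$name }
    return $default
}

# Meaning of ConsentPromptBehaviorAdmin (accounts in Administrators).
$adminBehaviour = @{
    0 = 'Elevate without prompting (automatic elevation)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
# Meaning of ConsentPromptBehaviorUser (standard user accounts).
$userBehaviour = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

$enableLua   = Get-PolicyValue $uac 'EnableLUA' 1
$adminMode   = Get-PolicyValue $uac 'ConsentPromptBehaviorAdmin' 5
$userMode    = Get-PolicyValue $uac 'ConsentPromptBehaviorUser' 3
$secureDesk  = Get-PolicyValue $uac 'PromptOnSecureDesktop' 1

Write-Output ("EnableLUA={0}  AdminPrompt={1} ({2})" -f $enableLua, $adminMode, $adminBehaviour[$adminMode])
Write-Output ("UserPrompt={0} ({1})  PromptOnSecureDesktop={2}" -f $userMode, $userBehaviour[$userMode], $secureDesk)

$findings = New-Object System.Collections.Generic.List[string]
if ($enableLua -ne 1) {
    $findings.Add('CRITICAL: EnableLUA is 0; UAC is off and administrator logons run with a full token.')
}
switch ($adminMode) {
    0 { $findings.Add('HIGH: administrators elevate silently (the "automatic elevation" the post warns against).') }
    { @(2, 4, 5) -contains $_ } {
        $findings.Add('MEDIUM: administrators elevate with a consent click only; a credential prompt (value 1 or 3) interrupts the "just click OK" habit.')
    }
}
if ($secureDesk -ne 1) {
    $findings.Add('MEDIUM: UAC prompts are shown on the interactive desktop, where other user-mode programs can draw over them.')
}

# Is the current logon an administrator? whoami /groups lists group SIDs;
# S-1-5-32-544 is the well-known Administrators SID (assumption: output is parseable this way).
if ((whoami /groups) -match 'S-1-5-32-544') {
    Write-Output 'Current account is a member of Administrators; the post recommends a standard account for daily use.'
}

if ($findings.Count -eq 0) { Write-Output 'No UAC weakening found.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Run it from an ordinary (non-elevated) PowerShell session so the group check reflects the account you actually work in. Joe's strongest setting, "enter the credentials of a different, rarely used administrator account", corresponds to doing daily work on a standard account with `ConsentPromptBehaviorUser` set to 1; `ConsentPromptBehaviorAdmin` set to 1 gets an administrator account a credential prompt on the secure desktop, but the user's own credentials will satisfy it.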
 
Stan Brown

One issue is human behavior. In a system configured to use consent (i.e.,
just click "OK") to respond to a request for the administrator token a user
who is running on an administrator account is likely to get into the habit
of approving the requests - even if (as I should have included in the
recommendations) the UAC challenge is delivered on the secure desktop.

Adding the requirement that an action that requires the administrator token
be performed while logged in as the (infrequently used) account that has
administrator privileges, or at least requiring that the user provide the
credentials of such an account - and not the credentials used to log onto
the machine in this session - provides the interruption to the user's train
of thought that hopefully triggers the question of just *why* this program
is asking for permission to modify the system.
Well, maybe.

I suspect that a user who is as feckless as you describe -- and it's
probably the majority of users -- will, about the third time he's
asked for administrator credentials, say "oh, f--- it" and turn off
UAC entirely. There's really no way to save users who feel that
security procedures are "too much trouble".

If it's a choice between "run as administrator, with UAC enabled and
the secure desktop for challenges" and "run as non-administrator,
with UAC turned off", I know which one is safer.
 
MowGreen

MowGreen said:
Microsoft Security Advisory (2719662)
Vulnerabilities in Gadgets Could Allow Remote Code Execution
https://technet.microsoft.com/en-us/security/advisory/2719662
[...]


Here's a link to the whitepaper from the presentation given yesterday,
July 26th, by Shkatov and Kohlenberg @ Black Hat:

https://media.blackhat.com/bh-us-12...nberg_Blackhat_Have_You_By_The_Gadgets_WP.pdf

IMHO, gadgets included with Vista/Win7, such as the CPU meter, Weather,
Calendar, etc. are *not* at risk.

In addition, the presenters claim that these security settings in IE's
Internet Zone - "Access data sources across domains " and " Initialize
and script ActiveX controls not marked as safe for scripting " are
Enabled by either the Default setting or the installation of 3rd party
gadgets.
There aren't any 3rd party gadgets installed on this Win 7 system and I
find the above settings are *Disabled*.


The presenters' recommendations, taken from their whitepaper, are listed
below -

" Recommendations

The issues we have identified are common to many application platforms.
As a result, the recommended mitigations are relatively simple:

● If you are a user of gadgets, only install gadgets that come from
known trusted sources.

● If you are a developer of gadgets, the best option is to stop
developing using the gadget framework and move to the Windows 8 Metro
platform. If you must continue to develop on the gadgets platform then
follow well-known secure development best practices for writing
applications that need to run over the Internet.

● If you do not use gadgets, remove the sidebar functionality using the
instructions detailed by Microsoft:
http://technet.microsoft.com/en-us/security/advisory/2719662 "



MowGreen
================
*-343-* FDNY
Never Forgotten
================
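MowGreen checked two things by hand on his Win 7 box: whether any third-party gadgets are installed, and the state of the two IE Internet Zone settings the whitepaper mentions. The script below is an added example, not code from the thread, the advisory or the whitepaper; it repeats those checks and also reports whether the Sidebar has been turned off by policy. Assumptions: the Fix It disables the Sidebar through the "Turn off Windows Sidebar" policy value `TurnOffSidebar` (the advisory above does not name the mechanism); the gadget folders are the standard Vista/Win7 gadget stores; the zone setting names `1406` and `1201` and the encoding 0 = Enable, 1 = Prompt, 3 = Disable are the documented IE security zone registry values.

```powershell
# Added example (not from the thread): report Sidebar policy state, installed
# gadgets and the two IE Internet Zone settings discussed in the whitepaper.

function Get-DwordOrNull($keyPath, $valueName) {
    # Return the DWORD value, or $null if the key or value does not exist.
    if (Test-Path $keyPath) {
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$valueName }
    }
    return $null
}

# 1. Sidebar policy (assumption: the Fix It sets TurnOffSidebar = 1) and running process.
$sidebarOff = $false
foreach ($hive in 'HKLM:', 'HKCU:') {
    $v = Get-DwordOrNull "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar" 'TurnOffSidebar'
    Write-Output ("{0} TurnOffSidebar = {1}" -f $hive, $(if ($null -eq $v) { 'not set' } else { $v }))
    if ($v -eq 1) { $sidebarOff = $true }
}
$running = Get-Process -Name sidebar -ErrorAction SilentlyContinue
Write-Output ("Sidebar disabled by policy: {0}; sidebar.exe running: {1}" -f $sidebarOff, ($null -ne $running))

# 2. Gadget stores. Built-in gadgets ship under Program Files; user-installed
#    (third-party) gadgets land in the LocalAppData store.
$stores = @{
    'Built-in'       = Join-Path $env:ProgramFiles 'Windows Sidebar\Gadgets'
    'Shared'         = Join-Path $env:ProgramFiles 'Windows Sidebar\Shared Gadgets'
    'User-installed' = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Sidebar\Gadgets'
}
foreach ($name in $stores.Keys) {
    $path = $stores[$name]
    $gadgets = @()
    if (Test-Path $path) {
        $gadgets = @(Get-ChildItem -Path $path -Filter '*.gadget' | ForEach-Object { $_.Name })
    }
    $list = if ($gadgets.Count -gt 0) { $gadgets -join ', ' } else { 'none' }
    Write-Output ("{0} gadgets ({1}): {2}" -f $name, $path, $list)
}

# 3. IE Internet Zone (zone 3) settings. HKLM only applies when the
#    "Security Zones: Use only machine settings" policy is enabled.
$zoneSettings = @{
    '1406' = 'Access data sources across domains'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
foreach ($hive in 'HKCU:', 'HKLM:') {
    $zoneKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    foreach ($id in $zoneSettings.Keys) {
        $v = Get-DwordOrNull $zoneKey $id
        $text = if ($null -eq $v) { 'not set (default applies)' }
                elseif ($meaning.ContainsKey($v)) { $meaning[$v] }
                else { "unknown ($v)" }
        Write-Output ("{0} zone 3 [{1}] {2}: {3}" -f $hive, $id, $zoneSettings[$id], $text)
        if ($v -eq 0) {
            Write-Output ("  WARNING: '{0}' is Enabled for the Internet zone" -f $zoneSettings[$id])
        }
    }
}
```

On a machine with no third-party gadgets the "User-installed" line should read "none", which is the state MowGreen reports; any name listed there is a gadget the user (or an installer) added. A zone setting that prints "not set" is at the IE default for the Internet zone, so the check confirms MowGreen's observation only when a value of 0 actually appears.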