Presentation is loading. Please wait.

Presentation is loading. Please wait.

We have you by the gadgets Hitting your OS below the belt.

Published byIsabella Wood Modified over 8 years ago

Similar presentations

Presentation on theme: "We have you by the gadgets Hitting your OS below the belt."— Presentation transcript:

1 We have you by the gadgets Hitting your OS below the belt

2 Thank you for waking up

3 Legal Notice Our opinion is our own. It DOES NOT IN ANY WAY represent the view of our employers.

4 Agenda Who we are What are Gadgets o A little bit of history o Why this matters o How to develop gadgets o Gadget security model What's wrong with them o Attack Surface o Problems found o Demos What do you do about it?

5 whoami - Toby

6 whoami - Mickey

7 Thank you: Itzik Kotler, FX, Ian Amit, Jayson Street, SophSec, Wim Remes, Aviv Raff, Gal Diskin SUZUKI Hisao, Mitko Haralanov, Tim Brown R. Dominguez Vega, SecureTest group #include

8 What are Gadgets Little applications that run on your Windows desktop For instance:

9 A little bit of history Windows XP/98 - Concept first introduced as "Active Desktop" o Allowed you to put updating content on your desktop. Vista - Sidebar introduced, first mention of "gadgets" o Gadgets ran in the sidebar "container" couldn't be placed randomly on the desktop Windows 7 - significant changes o Improvements in management: o Gadgets now can be anywhere on the desktop o All gadgets run in a single process o Addition of the enterprise security features o Also - New stuff to help in development

10 Windows Vista Sidebar

11 Windows 7 Gadgets

12 Why this still matters Gadget use is in decline But! This style of app development is taking off o Container-based apps for smartphones that allow you to do all your dev in HTML, XML, Javascript, etc…

13 Creating Gadgets Cat.Zip  Cat.Gadget

14 Creating Gadgets Usually just a web app o html o css o javascript o gadget specific manifest file Can also be WPF or Silverlight

15 Gadget Security Model MSFT provides a detailed explanation o (see references) Code signing is possible but not required Prompt for install similar to standard applications:

16 Gadget Security Model Most similar to HTA - HTML Applications Basically run in "Local Machine Zone" with some differences: o Can instantiate any installed ActiveX object o UAC  Runs as standard user even if the user is part of the admin group  Can't raise UAC prompts BUT! apps launched by a gadget can Parental Controls apply

17 Gadget Security Model Some enterprise controls available o Turn off Windows Sidebar. o This policy allows administrators to completely disable the Windows Sidebar. o Disable unpacking and installation of gadgets that are not digitally signed.  Only affects gadgets that are downloaded and installed by double-clicking on the gadget package. All previously installed gadgets, as well as those installed manually, will still function. o Turn off user-installed gadgets. o Override the "Get more gadgets online" link.

18 Attack Surface Attacking with gadgets Attacking gadgets

19 Attacking with gadgets Delivery: o Install this gadget? Sure! Sidebar gadgets aren't perceived as being dangerous software or even software at all

20 Attacking with gadgets So I installed your gadget, so what? I can't do much, just this: o Execute code  Game over Also: o Open URLs o Create files with arbitrary content o Read files o Make your computer speak

21 Attacking with gadgets Demo time

22 Attacking Gadgets Gadgets are code. Therefore gadgets are vulnerable Step 1 - Search for gadgets Step 2 - Analyze Step 3 - Profit (and share the findings)

23 Attacking Gadgets LOTS of malware claiming to be gadgets Minimal use of SSL Lots of ad server connections (no ads displayed) o And domain parking sites A couple primary producers, shared code between gadgets o If you find something in one, it's probably in the others

24 Attacking Gadgets Poor security practices, easy targets o Multiple ways to inject code o Default Permissions is "full" Traffic sniffing Easy to spot o X64 (proof)

25 Attacking Gadgets – Traffic Sniffing SSL is haaaaard All downloaded gadgets pulled most of their content w/o SSL Including updated gadget code in some cases

26 Attacking Gadgets - MitM There are not many gadgets out there, capturing their requests is simple. (AirPwn) Using a custom simple proxy to automate injection. Demo

27 Attacking Gadgets – Code Injection Any web scripting language o Or powershell Demo

28 What to do about it? Code is code o Remember not to take candy from strangers Write applications properly For app frameworks o Make the secure method the default method Microsoft’s solution

29 Security Advisory 2719662 “Microsoft is aware of vulnerabilities in insecure Gadgets affecting the Windows Sidebar on supported versions of Windows Vista and Windows 7” Fix It Solution Engineering solution that removes the attack vector. Moving away from the Windows Sidebar and towards the Windows Store. Deprecated the Windows Gadget Gallery Updated developer documentation Microsoft Solution

30 Prior Work Standing on the shoulders of giants CVEs o CVE 2007-3032 o CVE 2007-3033 o CVE 2007-3891 Presentations o The Inherent Insecurity of Widgets and Gadgets - Aviv Raff, Ian Amit o Jinx - Malware 2.0 - Itzik Kotler, Jonathan Rom

31 References Gadget Security Model o http://msdn.microsoft.com/en-us/library/ff486358.aspx http://msdn.microsoft.com/en-us/library/ff486358.aspx Writing Secure Gadgets o http://msdn.microsoft.com/en- us/library/bb498012.aspx http://msdn.microsoft.com/en- us/library/bb498012.aspx

32 Thank you ! Q/A

Download ppt "We have you by the gadgets Hitting your OS below the belt."

Similar presentations

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.
Power BI Sites and Mobile BI. What You Will Learn Sharing and Collaboration Introducing Power BI Exploring Power BI Features and Services Partner Opportunities.

Power BI Sites and Mobile BI. What You Will Learn Sharing and Collaboration Introducing Power BI Exploring Power BI Features and Services Partner Opportunities.
Omicron Consulting 1700 Market Street Philadelphia, PA 19103 Omicron Consulting 1700 Market Street Philadelphia, PA 19103 Should You Upgrade to Windows.

Omicron Consulting 1700 Market Street Philadelphia, PA Omicron Consulting 1700 Market Street Philadelphia, PA Should You Upgrade to Windows.
NetAcumen ActiveX Download Instructions

NetAcumen ActiveX Download Instructions
Module 5: Creating and Configuring Group Policy

Module 5: Creating and Configuring Group Policy
Web Development in Microsoft Visual Studio 2013. Slide 2 Lecture Overview Introduce Visual Studio 2013 Create a first ASP.NET application.

Web Development in Microsoft Visual Studio Slide 2 Lecture Overview Introduce Visual Studio 2013 Create a first ASP.NET application.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)

1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)
Module 16: Software Maintenance Using Windows Server Update Services.

Module 16: Software Maintenance Using Windows Server Update Services.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.

11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,
WCA-B324 Get Up!!! YAAAWWWN! App-V 5.0 Get Ready for… Are You Ready?

WCA-B324 Get Up!!! YAAAWWWN! App-V 5.0 Get Ready for… Are You Ready?
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Microsoft ® Official Course Module 9 Configuring Applications.

Microsoft ® Official Course Module 9 Configuring Applications.

Similar presentations

Ads by Google