[AI] Microsoft Reveals First Vista Gadget Bugs

Vikas Kapoor dl.vikas at gmail.com
Thu Aug 16 09:49:02 EDT 2007

Microsoft Reveals First Vista Gadget Bugs
Microsoft patched several Windows Vista gadgets this week, the first time it's had to fix the small applications.
Gregg Keizer, Computerworld

 time it's had to fix the small applications, prompting one researcher to mark the date as the real "arrival of the next-generation of

The three bugs detailed in one of the nine bulletins issued Tuesday could let attackers inject their own malicious code into a victim's Vista-powered PC,
said Microsoft. Three of Vista's bundled gadgets -- the small applications that sit on the desktop, usually pulling information from other programs or
off the Web -- are flawed: the RSS, contacts and weather gadgets. The vulnerabilities in the RSS and weather gadgets are particularly dangerous, since
both are enabled by default in a standard Vista installation.

"If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on
a malicious link in the Weather Gadget an attacker could potentially run code on the system," Microsoft reported in the bulletin.

Although the bugs can result in remote code executing on the target machine -- a characteristic that usually pegs the vulnerability as "critical" -- Microsoft
ranked them one step lower, as "important," in part because Vista's revised account rights settings should deflect the worst kind of damage.

Most third-party researchers, however, fixed attention not so much on the bugs themselves but on the fact that they lived inside Vista's gadgets.

"Six months ago, around the time of Vista [release] we started talking about the new types of vulnerabilities we might see," said 
Amol Sarwate
, the manager of 
' vulnerability research lab. "These vulnerabilities are a testament that this next generation has finally arrived."
Tyler Reguly

, a 
-based researcher with 
nCircle Network Security Inc.
, also tapped the gadget vulnerabilities as among the most interesting of Tuesday. "There was actually an article almost two years ago quoting a researcher
Trend Micro
 who said that RSS would be the botnets' next stomping ground," said Reguly in a posting to the nCircle blog. "This vulnerability could be proof of that.
When you subscribe to an RSS feed you are implicitly trusting that feed. This vulnerability takes advantage of that trust relationship, inserting malicious
code into something that you are 'blindly' trusting."

Like Sarwate, Reguly thinks that the RSS gadget bug is a harbinger of bad things to come. "It's a scary thought. This isn't like clicking a link in 
Internet Explorer
...this action has been pre-approved. I'm interested to see where this will lead us."

 iDefense, which originally reported the RSS bug to Microsoft in March, also spelled out how a hacker could wreak the most havoc with the vulnerability.
"If an attacker can find some way to inject data into a trusted feed then they will be able to exploit any subscribers to the feed," the company said in
its own advisory, also published Tuesday. iDefense credited 
Aviv Raff
, a security researcher who works for 
Finjan Inc.
 and is noted for rooting out bugs in Web browsers. In the past, 
 has disclosed vulnerabilities in 
Apple Inc.'s Safari
Mozilla Corp.
Firefox .

But while these patches are the first to fix Microsoft's tools, flawed gadgets aren't new. Late last month, for example, 
Yahoo Widgets
, a competing gadget platform, was tagged with a critical vulnerability in an associated 

Microsoft's gadget patches can be grabbed via one of the developer's update services.
www.computerworld.comFor more enterprise computing news, visit 
. Story copyright © 2007 Computerworld Inc. All rights reserved.


Vikas Kapoor,
MSN Id:dl_vikas at hotmail.com, Yahoo+Skype Id: dl_vikas,
Mobile: (+91) 9891098137.

More information about the AccessIndia mailing list