Which is read:
Because we screwed up and created a huge vulnerability, we're glad this isn't a feature for Windows 8, and we're just going to let this kind of disappear as a huge mistake, like Windows ME.
I'm reading the specifics of the vulnerability as presented at the Black Hat conference, to which Microsoft was responding pre-emptively.
I found the actual video and am watching it now. At least I think I did; it's definitely from Defcon and they seem to be talking about sidebar widgets.
I started to fast forward and skip parts of the presentation, then I realized I was watching the wrong one after all. This is the actual one in question that prompted numerous "security advisories"... this was surprisingly difficult to find. I had to actually search on YouTube because Google was filled with crap posts that talked about "omg you need to patch dis" but didn't actually show the video or the actual security vulnerability in question. Such a vulnerability, even one labelled "remote code execution", could easily be mitigated, and some of them require a very specific set of options, too. So I watched this. Or rather, am currently watching it.
So far, I've noticed a few things. I'll post notes here as I watch it.
At one point they talk about how the Windows desktop evolved. Their slide says "the technology and concept on which the sidebar widgets are based is based on the ideas from Active Desktop, introduced with Windows XP"... They say that "people have told them it existed in Windows 98 but they couldn't find any traces of it"... IMO this is pretty incredulous already... Windows 98 introduced Active Desktop, and in fact a default install put a Channel Bar on your desktop that was impossible to miss and you had to explicitly disable it. XP's implementation was disabled by default; I don't even remember if it worked properly, because a lot of DHTML-related content was removed. Not sure why this is worth mentioning, but I just found it a bit odd that such facts would be mixed up... Heck, Active Desktop was on Windows 95 with the IE4 update.
Continuing on...
Some of the points they make are that this vulnerability is not inherent in the sidebar, but is more a factor of the development model that the gadgets typically take, which is mostly that they are quick, one-off scripts designed for a purpose but not specifically with security in mind, particularly not using SSL for web queries. They explicitly say in the presentation that (not an exact quote, fwiw) "this isn't news, if you write bad code, you are going to get compromised. This type of thing will be far more useful for exploiting gadgets and other similar widget-based features on mobile platforms as well as on the web through container-based apps that are how smartphones typically approach application development"
Some further notes: The researchers (can we call them that? yeah, I think so, why not) note that they were impressed by both the security model documentation provided by Microsoft regarding how to properly secure gadgets, given what they found in third-party gadgets.
The two things I have taken from this are that:
-The "vulnerability" is mostly social, in that most people don't bat an eye at installing gadgets any more today than at opening an e-mail or website; they don't really think of a ".gadget" file in the same way as a ".exe" file. Their "proof of concept" of a malicious gadget should come as no surprise in that it did something malicious. Obviously, a precursor to such a malicious gadget doing malicious things is the installation of said gadget.
-None of the default Windows-included gadgets have this problem. The one they demo'd, aside from their example of a malicious gadget, was a man-in-the-middle attack on a "Piano" gadget that was part of the Windows Live gallery. It was particularly interesting since the MitM attack was able to leverage the gadget platform and get a PowerShell prompt that was controllable from the remote end.
-Just having Sidebar and gadgets running is not in and of itself enough to exploit this "vulnerability". The gadget itself needs to be coded with an ill focus on security (the demonstration used the Piano app). Fundamentally they never really explained the "vulnerability" even in the Piano app; it seemed to rely on a MitM attack to work successfully at all, though I'm not sure about that. (They used a MitM attack to send crafted results to the Piano app when it was downloaded, which allowed arbitrary JavaScript to run, download a PowerShell program, and then write a batch file to launch the PowerShell binary, which worked around the default setting to not run PowerShell programs, and then launch said PowerShell script, with an active connection via ncat to a remote machine. This provides shell access at the user level to the remote user via a PowerShell prompt.) Definitely not something you want.
It's the MitM thing I can't get around. The entire thing seemed to rely on that; even though they claimed it wasn't necessary, I don't see how you could intercept and change the HTTP response to a gadget's requests without either a MitM attack or otherwise already having control of the machine anyway, meaning you could probably perform the payload more directly since you have some modicum of control. Obviously gadgets can be vulnerable and exploited, but from where? I'm still skeptical this is really much of a security problem at all.
From what I could tell, the problems would lie with the gadgets themselves and how they don't use SSL to prevent a MITM attack from crafting responses. Since it is a problem with the gadgets themselves, Microsoft cannot really fix it. They provided (as the researchers mentioned) a very well-documented set of security documentation on how to properly write gadgets, and the gadget writers ignore it; can't be helped. The only real fix would be to disable the Gallery, and that sort of makes gadgets pointless. (Though it's arguable whether they were much use to begin with, really.)
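The exposure described above (a gadget fetching content over plain HTTP, so a MitM can hand it crafted responses) is something you can check for before installing a gadget. Below is an added example, not code from the post or from the presenters: a small audit that unpacks a .gadget package (a zip holding a gadget.xml manifest plus HTML/JS) and reports every quoted `http://` URL in its markup and scripts, leaving `https://` alone. The package it scans is constructed inline for the demonstration; the gadget name, host names and file names are made up and nothing from the "Piano" gadget is reproduced.

```python
"""Audit a Windows Sidebar .gadget package for plaintext http:// fetches.

Added example for this discussion, not from the original post. The sample
package built below is constructed; 'example.invalid' is a reserved, non-routable
hostname used purely as a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# A quoted http:// URL in script or markup. https:// deliberately does not match.
PLAIN_HTTP = re.compile(r"""["']http://[^"'\s]+""")

# Gadget packages carry their UI as HTML/JS alongside the XML manifest.
SCAN_SUFFIXES = (".html", ".htm", ".js", ".xml")


def audit_gadget(package: bytes) -> dict:
    """Return the manifest name and a list of (member, line_no, url) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        members = zf.namelist()
        if "gadget.xml" not in members:
            raise ValueError("not a gadget package: gadget.xml manifest missing")
        manifest = ET.fromstring(zf.read("gadget.xml"))
        name = (manifest.findtext("name") or "").strip()
        for member in members:
            if not member.lower().endswith(SCAN_SUFFIXES):
                continue
            text = zf.read(member).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), 1):
                for match in PLAIN_HTTP.finditer(line):
                    findings.append((member, line_no, match.group(0).strip("\"'")))
    return {"name": name, "plaintext_fetches": findings}


def build_sample_package() -> bytes:
    """Construct a minimal gadget package with one clean and two plaintext fetches."""
    manifest = "\n".join([
        '<?xml version="1.0" encoding="utf-8" ?>',
        "<gadget>",
        "  <name>Example Gadget</name>",
        "  <namespace>example.constructed</namespace>",
        "  <version>1.0.0.0</version>",
        "  <hosts>",
        '    <host name="sidebar">',
        '      <base type="HTML" apiVersion="1.0.0" src="gadget.html" />',
        "      <permissions>Full</permissions>",
        '      <platform minPlatformVersion="1.0" />',
        "    </host>",
        "  </hosts>",
        "</gadget>",
    ])
    html = "\n".join([
        "<html><head>",
        '<script src="gadget.js"></script>',
        '<script src="http://example.invalid/lib.js"></script>',   # flagged
        '</head><body><div id="out"></div></body></html>',
    ])
    script = "\n".join([
        "var req = new XMLHttpRequest();",
        'req.open("GET", "http://example.invalid/scores.json", true);',   # flagged
        "var ok = new XMLHttpRequest();",
        'ok.open("GET", "https://example.invalid/scores.json", true);',  # not flagged
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gadget.xml", manifest)
        zf.writestr("gadget.html", html)
        zf.writestr("gadget.js", script)
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_gadget(build_sample_package())
    print(f"gadget: {report['name']}")
    for member, line_no, url in report["plaintext_fetches"]:
        print(f"  plaintext fetch in {member}:{line_no}: {url}")
```

Point the audit at a real package with `audit_gadget(open("some.gadget", "rb").read())`. A gadget with no findings can still be badly written, but one with findings is exactly the case the talk demonstrated: a response that arrives unauthenticated and is then trusted by script running with the gadget's permissions.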
This was the video, by the way. (41 minutes. I found it exceedingly boring, to be honest.):
http://www.youtube.com/watch?v=-Q8rDADin1s&feature=related
I figure the advantage from the malicious side is mostly that it's easier to get people to install a malicious gadget than a malicious application.