security - What is a "gadget vulnerability"?

Reposted. Author: 行者123. Updated: 2023-12-03 22:15:06

In a recent security advisory, Microsoft warned that "vulnerabilities in Gadgets could allow remote code execution":

An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user.
( Microsoft Security Advisory 2719662 )

I really don't understand the reasoning here. As far as I know, gadgets are (by design) HTML-based applications that run with full trust!

Full Trust

The choice to run a gadget is presented to the user in the same way that the choice to run any application downloaded from the Internet is presented. Information about the author of the gadget is displayed in a dialog box that indicates there is risk associated with this file. After the user accepts the warning, the gadget will run with all of the permissions associated with the user's login account.
( MSDN: Gadgets for Windows Sidebar Security )

For example, nothing stops you from adding
<script language="VBScript"> 
Set shell = CreateObject("Wscript.Shell")
shell.Run "notepad.exe"
</script>

and executing arbitrary commands from your gadget. This works and it's by design.

Obviously, gadgets can do everything that any other application running in the local user's context can do. So where is the "exploitable" vulnerability the Microsoft Security Advisory refers to?

Best answer

Well, the problem with the "gadget vulnerability" is this:

the risks that gadgets are exposed to are the same as those faced by any web-based application, e.g. Man-In-The-Middle or code injection. Similar issues existed in earlier versions of most web browsers but modern browsers have specifically implemented controls to attempt to mitigate many of these issues. These controls have not been implemented in the Gadgets platform, leaving them vulnerable to well-known and thoroughly discussed attacks.
- We have you by the gadgets, black hat.
So you can see that the main vulnerability is that there are no controls limiting gadgets from running code without restriction.

Another issue:

Microsoft has said that it has discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run.
So running arbitrary code is indeed part of HTA, but the Sidebar and gadget platform does nothing to mitigate it and, quite naively, assumes that all gadget programmers will write secure code and will not try to exploit gadgets or make them do things they were not meant to do.

Hope this answers your question.

I still think the question is vague, because you say: OK, they allow running arbitrary code, that is part of the model and the concept, they don't mitigate it, so what is the vulnerability? It has already been exploited... - and that is the whole idea :)

You could ask the same about every flaw and every attack, and that is exactly the problem - it is insecure by design, so gadgets were found to be flawed because there are no mitigations and you really can run and execute malicious code without any trouble.
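To make the answer's point concrete, here is an added example (not from the original question, the answer, or Microsoft) of the code-injection risk it describes: a gadget that renders a remote feed straight into its DOM, beside the escaping the Sidebar platform never applied for you. The feed contents and the `renderNaive`/`renderSafe` function names are constructed for this illustration.

```javascript
// Added example, not code from the original post. A Sidebar gadget runs
// with the user's full trust, so any markup that reaches its DOM executes
// with that trust. A real gadget would fetch this feed over plain HTTP
// (hence the MITM exposure the answer mentions); here it is a constructed
// sample with one benign item and one item carrying hostile markup.
const untrustedFeed = [
  { title: 'Weather: 21°C, light rain' },
  { title: '<script>untrusted()</script>' }, // constructed hostile feed item
];

// Naive gadget rendering: feed text is concatenated into an HTML string
// that the gadget would assign to element.innerHTML. Markup in the feed is
// interpreted, so whoever controls the feed controls the gadget.
function renderNaive(items) {
  return items.map((i) => `<li>${i.title}</li>`).join('');
}

// The mitigation a browser sandbox would partly give you but the gadget
// platform does not: neutralise every character that can open or close
// markup before the text reaches innerHTML (or use textContent instead).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(items) {
  return items.map((i) => `<li>${escapeHtml(i.title)}</li>`).join('');
}

// Review check: does any raw tag from the feed survive into the rendered HTML?
function containsRawTag(html, tag) {
  return html.includes(`<${tag}`);
}

console.log('naive leaks <script>:', containsRawTag(renderNaive(untrustedFeed), 'script'));
console.log('escaped leaks <script>:', containsRawTag(renderSafe(untrustedFeed), 'script'));
```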

Regarding security - What is a "gadget vulnerability"?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/11490844/
