We've just passed Microsoft's black Tuesday. Microsoft have patched two vulnerabilities that I've reported in the Windows Vista Sidebar gadgets.
The first vulnerability was in the Contacts gadget. Because I was supposed to present this vulnerability at Defcon as Finjan's representative, I cannot discuss it. But, you can find information about this vulnerability at Finjan's MCRC blog post.
The second vulnerability was in the RSS Feeds gadget. I've reported this vulnerability to Microsoft through iDefense VCP program. iDefenst have recently published their own advisory for this vulnerability.
Microsoft have decided to rate these vulnerabilities with "Important" severity. This is because that according to Microsoft's rating system, they rate a vulerability as "Critical" only when the exploitation of the vulnerability could allow a propagation of a worm without user interaction.
Not rating the RSS gadget vulnerability as "Critical" might make sense in the old era of "Web 1.0". But on today's "Web 2.0" era, an Internet Worm can be easily propagated by exploiting this vulnerability.
Think about the following scenario:
1) User Joe is subscribed to digg.com's "Upcoming Stories" RSS feed.
2) The attacker adds a malicious item to digg.com. When the vulnerable RSS gadget fetches the malicious item, it infects Joe's computer with a malicious Trojan worm.
3) Joe is a major blogger at myblog.com. The malicious trojan worm identifies that Joe has a myblog.com cookie, and automatically adds a malicious post to his blog.
4) User Juliet reads Joe's blog regularly, as she's one of the thousands people who subscribe to Joe's blog RSS feed. Juliet also gets infected by the Trojan worm, when her vulnerable RSS gadget automatically fetches the malicious post.
5) Juliet is a known writer at FamousPeople.com magazine. She uses a standard online content management system to publish her stories. Again, the malicious Trojan worm identifies the content management system, and automatically post a fake story about Paris Hilton, which of-course includes a malicious payload.
6) User Dan is a fan of Paris Hilton. But, instead of using the FamousPeople.com RSS feed, he subscribe to Google News RSS feed with all Paris Hilton related news. When Google News spiders FamousPeople.com it automatically adds the malicious story to the RSS feed, and Dan gets infected too.
7) For Dan, the malicious worm sends a malicious payload as an email to all his contacts which uses webmail (e.g. GMail). Why? You guessed it right. The webmail systems also support RSS feeds. So, now all of Dan's contacts who fetch their mail as RSS feed and use a vulnerable RSS gadget are in danger...
8) Etc. etc. etc.
As you can see from this scenario, when it comes to a vulnerability in an RSS reader, an internet worm becomes very realistic.
Fortunately, this vulnerability has already been fixed by MS. Unfortunately, it took them almost 6 month to fix one line of code in a non-core component.
If you are using Windows Vista, I encourage you to update your machine as soon as possible, or stop using the Windows Vista Sidebar.
For those of you who develop gadgets, I recommend to read Microsoft's "Inspect Your Gadget" document. Although it is not perfect, this document should give you some hints on how to develop a more secure gadget.