Friday, August 24, 2007

Microsoft Windows Vista Weather Gadget vulnerability

The Windows Vista Weather gadget contains a vulnerability that may allow an attacker to execute code.


Gadgets are mini-applications designed to provide the user with information or utilities. Windows Vista treats gadgets much as it treats other executable code. Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as web pages are. HTML content in the Gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer. This download process is similar to that of applications (.exe files) downloaded from the Internet.

Today, the Windows Vista Sidebar hosts Gadgets built from HTML, JavaScript, and potentially ActiveX controls, and because Gadgets are HTML, they are subject to Cross-site Scripting style bugs. These bugs are extremely serious because script in the Sidebar is capable of running arbitrary code in the context of the locally logged-on user.

This document outlines some of the secure programming best practices that should be considered when building Windows Vista Sidebar Gadgets.

Never Trust Input

This is the same advice we have given for years, and it still holds true for Sidebar Gadgets. Many Gadgets read, manipulate, and then display untrusted data, such as that coming from an XMLHttpRequest object or an ActiveX control. All such input needs to be validated.

Validate Untrusted Input

There is no replacement for a good input checker. You should build a function or functions that include regular expressions to verify that the input is correctly formed, and if it is not, you should reject the data. Below is a loose example that only allows numbers, brackets, dashes, and spaces between 6 and 14 characters long.
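The checker the text refers to is not reproduced on the page, so the following is an added example written for this post, not Microsoft's code or the gadget's own. It assumes the value arrives as a plain string from an XMLHttpRequest response, treats "brackets" as both () and [], and the names isValidInput, escapeHtml and renderFeedValue are our own; the escaping step is added on top of validation because, as the text notes, anything written into the Sidebar's HTML runs as the logged-on user.

```javascript
// Added example, not from the original post: a strict input checker for a
// Sidebar-style gadget. Only digits, brackets, dashes and spaces are accepted,
// and the whole string must be 6 to 14 characters long. Anything else is
// rejected outright rather than "cleaned up".

// ^ and $ anchor the pattern so the entire string is checked, not a substring:
// a valid-looking prefix with markup appended still fails.
var ALLOWED_INPUT = /^[0-9()\[\]\- ]{6,14}$/;

function isValidInput(value) {
    // Reject non-strings (e.g. null from a failed request) before testing.
    if (typeof value !== 'string') {
        return false;
    }
    return ALLOWED_INPUT.test(value);
}

// Defence in depth: even validated data is written to the gadget's HTML as
// text, never as markup, so the display path cannot become an injection point.
function escapeHtml(text) {
    return String(text)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
}

// Takes the raw response body from the gadget's data feed and returns the
// string that is safe to assign to an element's innerHTML, or null when the
// input fails validation and must not be displayed at all.
function renderFeedValue(rawResponse) {
    if (!isValidInput(rawResponse)) {
        return null;
    }
    return escapeHtml(rawResponse);
}

// Constructed sample inputs (hypothetical feed values, not real data).
var SAMPLE_INPUTS = {
    wellFormed: '(555) 123-4567',     // 14 characters, allowed set only
    tooShort: '12-34',                // 5 characters
    containsMarkup: '<b>123456</b>',  // markup must never reach the DOM
    wrongType: null                   // e.g. a request that returned nothing
};
```

In a gadget, the result of renderFeedValue would be assigned to the display element only when it is not null; a null result should be treated as a failed update, not shown as-is.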

More information: MS07-048

