Apps for Windows 8 easily hacked

Guest LilBambi

Apps for Windows 8 easily hacked - H-Online



Windows 8 offers several vectors that enable attackers to manipulate or modify apps, according to Justin Angel. On his private homepage, he has described how hacking such apps is easy because, he says, the encrypted data is stored locally – along with the encryption algorithm and the hash key.


Angel also discusses how the problems can be fixed. For example, he notes that the availability of encrypted app storage that can only be accessed by developers could help. Trial and full versions could be clearly separated by releasing trial versions as packages with a generally limited functionality – and without the option to unlock the full version.


I wondered about this. Especially after the vulnerabilities of the Gadget Platform on Windows 7 and Microsoft telling everyone to disable the Gadget Platform. (1,2,3,4)


From the (2) link at ZDNet:


Microsoft is speeding up plans to kill off the Windows Gadget platform after receiving word that serious security vulnerabilities will be disclosed at the upcoming Black Hat security conference.


According to a brief abstract from the Black Hat site, researchers Mickey Shkatov and Toby Kohlenberg plan to discuss weaknesses associated with Windows Sidebar and Gadgets and demonstrate "nastiness" that can be done on the platform.


And this from the same article:


As many of you are aware, Windows 8 will deprecate the Sidebar and Gadgets, and Gadget developers are already shifting their efforts to the online Windows Store. Meanwhile, we’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run. With time running out for the Sidebar and Gadgets and with developers already moving on, we’ve chosen to deprecate the Windows Gadget Gallery effective immediately, and to provide a Fix it to help sysadmins disable Gadgets and the Sidebar across their enterprises.


Microsoft is telling people to totally disable the Gadget Platform, see the following as was noted in the (4) link at Microsoft TechNet:


Microsoft Security Advisory (2719662): Vulnerabilities in Gadgets Could Allow Remote Code Execution

Published: Tuesday, July 10, 2012

Version: 1.0



General Information


Executive Summary


Microsoft is announcing the availability of an automated Microsoft Fix it solution that disables the Windows Sidebar and Gadgets on supported editions of Windows Vista and Windows 7. Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets. In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time.


An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


Applying the automated Microsoft Fix It solution described in Microsoft Knowledge Base Article 2719662 disables the Windows Sidebar experience and all Gadget functionality.


Recommendation. Customers who are concerned about vulnerable or malicious Gadgets should apply the automated Fix It solution as soon as possible. For more information, see the Suggested Actions section of this advisory.


I have been disabling it on all client computers for months now as we have appts.


I first became worried about Gadget Platform vulnerabilities about a year or so ago when a client's Windows 7 Gadgets all turned black from some sort of hack. If they could do that to the gadgets, they could do so much more.


And now, this about Windows 8 Apps ... but aren't the Apps just another form of Gadgets, more or less?

Edited by LilBambi

Guest LilBambi

And another one that clears it up a bit too:


Nokia engineer: Here's how to hack Windows 8 games - CNET



Not that he's recommending those hacks, mind you. He wants to alert developers to the possibility that knowledgeable users could wreak havoc on the revenue stream from those games.


I am sure if it can happen with games, it can happen with other Apps too.
