
【Vista之家 translation】A new trend: vulnerabilities appear in Microsoft Vista Sidebar gadgets


August 17, 2007   Editor: Vista之家 - vista123.com   Comments: 6

 

【Vista之家 translation】Microsoft discloses and patches Vista Sidebar gadget vulnerabilities

  On Tuesday of this week (August 14), Microsoft released several patches for Windows Vista. This is the first time Microsoft has issued patches for the small application tools on the Sidebar, and it may mark the next generation of vulnerability entry points.

  All three Sidebar Widgets are bundled with Microsoft Vista: the RSS, Contacts and Weather gadgets. The RSS gadget could contain malicious links, and the Weather gadget could let an attacker run code; both were addressed in this round of patches.

  All of this may mean that the Sidebar has become a new breeding ground for attackers and virus writers.

Vista之家 (www.vista123.com) provides the original English text below:

Microsoft Reveals First Vista Gadget Bugs

Microsoft patched several Windows Vista gadgets this week, the first time it's had to fix the small applications.
Gregg Keizer, Computerworld
Wednesday, August 15, 2007 2:00 PM PDT

Microsoft Corp. Tuesday patched several Windows Vista gadgets, the first time it's had to fix the small applications, prompting one researcher to mark the date as the real "arrival of the next-generation of vulnerabilities."

The three bugs detailed in one of the nine bulletins issued Tuesday could let attackers inject their own malicious code into a victim's Vista-powered PC, said Microsoft. Three of Vista's bundled gadgets -- the small applications that sit on the desktop, usually pulling information from other programs or off the Web -- are flawed: the RSS, contacts and weather gadgets. The vulnerabilities in the RSS and weather gadgets are particularly dangerous, since both are enabled by default in a standard Vista installation.

"If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on a malicious link in the Weather Gadget an attacker could potentially run code on the system," Microsoft reported in the bulletin.

Although the bugs can result in remote code executing on the target machine -- a characteristic that usually pegs the vulnerability as "critical" -- Microsoft ranked them one step lower, as "important," in part because Vista's revised account rights settings should deflect the worst kind of damage.

Most third-party researchers, however, fixed attention not so much on the bugs themselves but on the fact that they lived inside Vista's gadgets.

"Six months ago, around the time of Vista [release] we started talking about the new types of vulnerabilities we might see," said Amol Sarwate, the manager of Qualys' vulnerability research lab. "These vulnerabilities are a testament that this next generation has finally arrived."

Tyler Reguly, a Toronto-based researcher with nCircle Network Security Inc., also tapped the gadget vulnerabilities as among the most interesting of Tuesday. "There was actually an article almost two years ago quoting a researcher at Trend Micro who said that RSS would be the botnets' next stomping ground," said Reguly in a posting to the nCircle blog. "This vulnerability could be proof of that. When you subscribe to an RSS feed you are implicitly trusting that feed. This vulnerability takes advantage of that trust relationship, inserting malicious code into something that you are 'blindly' trusting."

Like Sarwate, Reguly thinks that the RSS gadget bug is a harbinger of bad things to come. "It's a scary thought. This isn't like clicking a link in Internet Explorer...this action has been pre-approved. I'm interested to see where this will lead us."

VeriSign iDefense, which originally reported the RSS bug to Microsoft in March, also spelled out how a hacker could wreak the most havoc with the vulnerability. "If an attacker can find some way to inject data into a trusted feed then they will be able to exploit any subscribers to the feed," the company said in its own advisory, also published Tuesday. iDefense credited Aviv Raff, a security researcher who works for Finjan Inc. and is noted for rooting out bugs in Web browsers. In the past, Raff has disclosed vulnerabilities in Apple Inc.'s Safari and Mozilla Corp.'s Firefox.
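As an added illustration that is not part of Computerworld's article, Microsoft's gadget code or iDefense's advisory: a Vista Sidebar gadget is an HTML and JavaScript page, so the defensive counterpart of the "blind trust" in a feed described above is to treat every feed field as untrusted input before it reaches the gadget's DOM. The helper names below are ours, and the sample feed items are constructed.

```javascript
// Added defensive example (not code from the article, Microsoft, or any
// shipped gadget). A Vista Sidebar gadget is an HTML/JavaScript page, so
// every field of a subscribed feed is untrusted input and must be
// neutralised before it is written into the gadget's DOM. Names are ours.

const ALLOWED_SCHEMES = ['http:', 'https:'];

// Escape the characters that change meaning in HTML text or attributes.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept a feed link only if it parses as an absolute URL with an
// allow-listed scheme; anything else (other schemes, relative paths,
// malformed strings) yields null and the item is rendered as plain text.
function safeLink(href) {
  try {
    const url = new URL(String(href));
    return ALLOWED_SCHEMES.includes(url.protocol) ? url.href : null;
  } catch (e) {
    return null;
  }
}

// Render one item. A rejected link drops only the link, never the headline.
function renderItem(item) {
  const title = escapeHtml(item.title);
  const link = safeLink(item.link);
  return link
    ? `<li><a href="${escapeHtml(link)}">${title}</a></li>`
    : `<li>${title}</li>`;
}

function renderFeed(items) {
  return `<ul>${items.map(renderItem).join('')}</ul>`;
}

// Constructed sample items: a plain one, one whose title carries markup
// and quotes, and one whose link uses a scheme the gadget should not follow.
const SAMPLE_FEED = [
  { title: 'Patch Tuesday: nine bulletins', link: 'https://example.com/a' },
  { title: '<b>Breaking</b> "news" & more', link: 'https://example.com/b' },
  { title: 'Weather update', link: 'file:///local/path' },
];
```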

But while these patches are the first to fix Microsoft's tools, flawed gadgets aren't new. Late last month, for example, Yahoo Widgets, a competing gadget platform, was tagged with a critical vulnerability in an associated ActiveX control.

Microsoft's gadget patches can be grabbed via one of the developer's update services.

Vista之家 (www.vista123.com), at the leading edge of Windows Vista

Vista之家 reader (211.161.188.*) posted the following comment on 2007-12-3 14:08:30:
Does anyone know how to restore the gadget sidebar? I accidentally closed mine and now I can't find it.
Vista之家 reader (202.100.221.*) posted the following comment on 2007-11-14 19:48:02:
If I don't close the sidebar before shutting down, I get a blue screen in the few seconds between logging off and the shutdown. At first I thought it was a coincidence, but after several tries it still happens, while if I exit the sidebar first it shuts down normally. What could be the cause?
Ne7en (125.115.245.*) posted the following comment on 2007-8-18 10:45:52:
Just search on Baidu or Google and you'll find plenty; it's only a matter of typing a few words. For example www.mysidebar.cn, which I remember showing up on the first page of Baidu results. Also, the "Get more gadgets online" link at the bottom right of the gadget gallery opens Microsoft's official gadget page, which has some good user-uploaded gadgets too.
Vista之家 (221.3.116.*) posted the following comment on 2007-8-17 18:22:31:
If you have good ones, please share or recommend them to everyone; what's the point of saying that?
Ne7en (125.114.250.*) posted the following comment on 2007-8-17 17:42:47:
Ignore it; I don't use any of these three gadgets, there are better ones online.
Vista之家 reader (218.18.24.*) posted the following comment on 2007-8-17 17:33:21:
Some people are using the method VISTA123 provided earlier to replace the Weather gadget software.
Would modifying it this way invalidate the August 14 security patch and put the machine at risk? If so, please have VISTA123 modify the relevant files so we can have the best of both worlds!