Microsoft Urging Customers To Disable Windows Gadgets
In a security advisory released on Tuesday, Microsoft announced that it has released a fix that will disable the Windows Sidebar and Gadgets on supported editions of Windows Vista and Windows 7. While many end-users may pout that they can no longer play virtual piano or giggle at their kitty cat clock, Microsoft insists it's in everyone's best interest, as vulnerabilities have been discovered that will allow remote code execution.
"Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets," Microsoft reports. "In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time."
Microsoft warns that an attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system," the company adds. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
The advisory arrives just two weeks prior to Black Hat where Mickey Shkatov and Toby Kohlenberg are scheduled to present research on Windows Gadget flaws and exploits. As the warning indicates, Microsoft has acknowledged the problem, but the company has yet to detail the vulnerability, pushing users to ditch their favorite desktop Gadgets.
Taking place on July 26, the presentation will be called "We Have You By The Gadgets" and will note "a number of interesting attack vectors" discovered in Gadgets. "We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets," the presentation's description states.
News of the Gadget exploit arrives after a recent internal build of Windows 8 -- 844x -- was revealed to contain no references to desktop Gadgets in the control panel or desktop mode. Currently, Gadgets are supported in Windows 8 Consumer and Release Preview editions. Microsoft also recently cleaned "Gadget house" online, as the company now offers a "Greatest Hits" collection of 29 internal and 3rd-party developed Gadgets.
"Because we want to focus on the exciting possibilities of the newest version of Windows, Microsoft no longer supports uploading new Gadgets. But that doesn't mean you can't still get Gadgets. The most popular and highest-rated gadgets are still available on this page," the Gadget page officially reads towards the bottom.
Desktop Gadgets have been around since the launch of Windows Vista, and have proved to be quite useful and entertaining. They were originally required to be docked (or contained) within a special sidebar in Windows Vista. Visually, this feature was removed in Windows 7, allowing Gadgets to float on the desktop or be attached to the left or right side of the screen. However, all Gadgets are still owned by the sidebar.exe process, as seen in the Process tab of Windows Task Manager.
But now it seems that desktop Gadgets will experience an early death before the arrival of Windows 8. For more information about disabling the Windows Sidebar and Gadgets, read Security Advisory 2719552.