Microsoft Urging Customers To Disable Windows Gadgets

In a security advisory released on Tuesday, Microsoft announced that it has released a fix that will disable the Windows Sidebar and Gadgets on supported editions of Windows Vista and Windows 7. While many end-users may pout that they can no longer play virtual piano or giggle at their kitty cat clock, Microsoft insists it's in everyone's best interest, as vulnerabilities have been discovered that will allow remote code execution.

"Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets," Microsoft reports. "In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time."

Microsoft warns that an attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system," the company adds. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

The advisory arrives just two weeks prior to Black Hat where Mickey Shkatov and Toby Kohlenberg are scheduled to present research on Windows Gadget flaws and exploits. As the warning indicates, Microsoft has acknowledged the problem, but the company has yet to detail the vulnerability, pushing users to ditch their favorite desktop Gadgets.

Taking place on July 26, the presentation will be called "We Have You By The Gadgets" and will note "a number of interesting attack vectors" discovered in Gadgets. "We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets," the presentation's description states.

News of the Gadget exploit arrives after a recent internal build of Windows 8 -- 844x -- was revealed to contain no references to desktop Gadgets in the control panel or desktop mode. Currently Gadgets are supported in Windows 8 Consumer and Release Preview editions. Microsoft also recently cleaned "Gadget house" online, as the company now offers a "Greatest Hits" collection of 29 internal and 3rd-party developed Gadgets.

"Because we want to focus on the exciting possibilities of the newest version of Windows, Microsoft no longer supports uploading new Gadgets. But that doesn't mean you can't still get Gadgets. The most popular and highest-rated gadgets are still available on this page," the Gadget page officially reads towards the bottom.

Desktop Gadgets have been around since the launch of Windows Vista, and have proved to be quite useful and entertaining. They were originally required to be docked (or contained) within a special sidebar in Windows Vista. Visually this feature was removed in Windows 7, allowing Gadgets to float on the desktop or be attached to the left or right side of the screen. However all Gadgets are still owned by the sidebar.exe process, as seen in the Process tab of Windows Task Manager.

But now it seems that desktop Gadgets will experience an early death before the arrival of Windows 8. For more information about disabling the Windows Sidebar and Gadgets, read Security Advisory 2719552.

Comment from the forums
  • HEXiT
    oh what a surprise... gadgets are no longer safe after being so for the last 3 years. why, because microsoft is removing gadgets from windows 8...
    basically convince your user base that they're unsafe so the company doesn't get the drubbing it deserves by dropping support for a feature people like... what's the bet malware starts appearing soon in the guise of desktop widgets...
  • silver565
    I was thinking the same thing....
    I bet the start menu was unsafe too
  • doveman
    It's not just about virtual pianos and cute cats. I use a large clock, calendar, weather app, plus quick-access standby/shutdown buttons, CPU/RAM monitor and other useful system tools.

    Won't my anti-virus and firewall protect me from these exploits? Will I even be at risk from them if I just use these established gadgets and don't go around installing random new ones?

    Normally when a feature has a vulnerability, one patches it, not kills it! I'm sure it can't be that hard to sandbox gadgets.