Users of Windows 7 Desktop Gadgets may be aware of this, but since I did not use Gadgets on Windows 7, when I came across this bit of news today, it was new to me. But because it is an important development, I decided to post about it, albeit late.
A few months back, Microsoft decided to take down all the Gadgets it was hosting in its Windows Personalization Gallery, which hosts Themes, wallpapers and Gadgets for Windows. The reason given on the Gadgets Gallery was:
Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery.
The actual reason was different. It appears that there were vulnerabilities in Gadgets that could allow Remote Code Execution, which could compromise your computer.
An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In its Security Advisory 2719662, Microsoft also thanked Mickey Shkatov and Toby Kohlenberg for working with them on this issue. The two security researchers gave a presentation on this vulnerability at the Black Hat security conference.
Why send someone an executable when you can just send them a sidebar gadget? We will be talking about the Windows gadget platform and the nastiness that can be done with it, how gadgets are made, how they are distributed and, more importantly, their weaknesses. Gadgets are composed of JS, CSS and HTML and are applications that the Windows operating system has embedded by default. As a result, there are a number of interesting attack vectors that are interesting to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets.
Microsoft has recommended that Windows 7 and Windows Vista users disable the Sidebar and Desktop Gadgets.
Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets. In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time.
To help users disable the Sidebar and Gadgets easily and quickly, Microsoft released an automated Fix It which you can download from KB2719662. The Fix It will automatically and quickly disable the Sidebar and the Desktop Gadgets.
No wonder Microsoft has dropped Gadgets in Windows 8!
As a Windows 7 or Windows Vista user, have you disabled the Sidebar and Gadgets yet?