Disable your Windows 7 & Vista Sidebar & Gadgets, if you havent!

Speed Up My PC

Users of Windows 7 Desktop Gadgets may be aware of this, but since I did not use Gadgets on Windows 7, when I came across this bit of news today, it was new to me. But because it is an important development, I decided to post about it, albeit late.

desktop gadgets 400x140 Disable your Windows 7 & Vista Sidebar & Gadgets, if you havent!

A few months back, Microsoft decided to take off all the Gadgets which were being hosted by it, in its Windows Personalization Gallery. The Windows Personalization Gallery hosts Themes, wallpapers and Gadgets for Windows. The reason mentioned on the Gadgets Gallery was:

Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery.

The actual reason was different. It appears that there were vulnerabilities in Gadgets, that could allow Remote Code Execution which could compromise your computer.

An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In its Security Advisory 2719662, Microsoft also thanked Mickey Shkatov and Toby Kohlenberg for working with them on this issue. The two security researchers gave a presentation on this vulnerability at the Black Hat security conference.

Why send someone an executable when you can just send them a sidebar gadget? We will be talking about the windows gadget platform and what the nastiness that can be done with it, how are gadgets made, how are they distributed and more importantly their weaknesses. Gadgets are composed of JS, CSS and HTML and are application that the Windows operating system has embedded by default. As a result there are a number of interesting attack vectors that are interesting to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets.

Microsoft has recommended that Windows 7 and Windows Vista users, disable the Sidebar and Desktop Gadgets.

Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets. In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time.

To help users disable the Sidebar and Gadgets easily and quickly, Microsoft released an automated Fix It  which you can download from KB2719662. The Fix It will automatically and quickly disable the Sidebar and the Desktop Gadgets.

No wonder Microsoft has dropped Gadgets in Windows 8!

As a Windows 7 or Windows Vista user, have you disabled the Sidebar and Gadgets yet?

Posted by on , in Category Security with Tags ,
Anand aka HappyAndyK is an end-user Windows enthusiast, a Microsoft MVP in Windows Desktop Experience since 2007, and the Admin of TheWindowsClub.com, TheGeeksClub.com & WinVistaClub.com. Creating a System Restore Point before trying out a new software or a tweak is always recommended.

Random Posts

  • Aj Jeffries

    I have to say what a load off rubbish i have never heard or seen a problem or had one and every PC/Laptop were i work use the sidebar gadgets

  • Ian M Williams

    I agree what a load of rubbish: I have been running the sidebar gadgets on Windows Vista through Windows 7 without any problems for years now.

  • No more Microsoft!

    Microsoft – a big bunch of deceitful liars.

  • JohnH, Sydney

    Discussed this with expert Win7 user, he confirmed my thoughts: 1. Don’t use Sidebar. 2. Standard Win7 gadgets such as the Calendar should be OK — just don’t load any alleged “upgrades”. 3. The problem is mainly with non-MS (third party) gadgets. Don’t load them, and if you have any get rid of them.

  • Mel

    I rely on my gadgets for system monitoring, ISP internet usage, time zones among other things. I won’t be disabling them. In fact, I have enabled gadgets in Windows 8 as well.
    I trust my Internet Security Suite to minimise the risks.

  • FoilHatWearer

    If this is such a problem, why aren’t there articles flooding the airwaves about people’s identities being stolen and their computers taken over? I couldn’t help but notice that this story hit the news in July 2012, there’s a trickle of news items in August-September, then it’s all just totally died. Everybody I know uses gadgets and nobody has had any problems.

    This isn’t a security issue, it’s a marketing decision by Microsoft.

  • FoilHatWearer

    This is total garbage. Using Microsoft’s “logic” everybody needs to quit surfing the internet because you might hit a malicious website that installs tracking cookies and malware.

    The part that really kills me is how supposedly competent computer security types have swallowed this non-issue hook, line, and sinker. In doing so, they’ve made themselves marketing hacks doing free work for Microsoft. What a joke.