Disable your Windows 7 & Vista Sidebar & Gadgets, if you haven't!

Users of Windows 7 Desktop Gadgets may be aware of this, but since I did not use Gadgets on Windows 7, when I came across this bit of news today, it was new to me. But because it is an important development, I decided to post about it, albeit late.

Why were gadgets discontinued in Windows 7?

Gadgets are no longer available on the Microsoft website because the Windows Sidebar platform in Windows 7 and Windows Vista has serious vulnerabilities. Gadgets could be exploited to harm your computer, access your computer’s files, show you objectionable content, or change their behavior at any time. An attacker could even use a gadget to take complete control of your PC.

A few months back, Microsoft decided to take down all the Gadgets it was hosting in its Windows Personalization Gallery. The Windows Personalization Gallery hosts themes, wallpapers and Gadgets for Windows. The reason given on the Gadgets Gallery was:

Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery.

The actual reason was different. It appears that there were vulnerabilities in Gadgets that could allow remote code execution, which could compromise your computer.

An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In its Security Advisory 2719662, Microsoft also thanked Mickey Shkatov and Toby Kohlenberg for working with them on this issue. The two security researchers gave a presentation on this vulnerability at the Black Hat security conference.

Why send someone an executable when you can just send them a sidebar gadget? We will be talking about the windows gadget platform and the nastiness that can be done with it, how gadgets are made, how they are distributed and, more importantly, their weaknesses. Gadgets are composed of JS, CSS and HTML and are applications that the Windows operating system has embedded by default. As a result there are a number of interesting attack vectors that are interesting to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets.

Microsoft has recommended that Windows 7 and Windows Vista users disable the Sidebar and Desktop Gadgets.

As a result, Microsoft retired the feature in newer releases of Windows in favor of Windows Store apps in Windows 8.

Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets. In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time.

To manually disable the Windows 7 Sidebar and Gadgets, open Control Panel > Turn Windows features on or off. Uncheck Windows Gadget Platform and click OK. Also run services.msc to open the Services Manager. Search for Windows Sidebar Service, right-click on it and select Properties. Set its startup type to Disabled. You may be required to restart your Windows computer.

To help users disable the Sidebar and Gadgets easily and quickly, Microsoft released an automated Fix It, which you can download from KB2719662. The Fix It will automatically and quickly disable the Sidebar and the Desktop Gadgets.
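For administrators who need to confirm the mitigation across several machines, the following is an added example, not code from this post or from Microsoft's Fix It. It assumes the machine-wide `TurnOffSidebar` policy value and the standard gadget install folders; the function names are hypothetical.

```powershell
# Added example: audit and apply the Sidebar/Gadgets mitigation on Windows 7 / Vista.
# Written for PowerShell 2.0 (the version shipped with Windows 7). Run elevated.

# Assumption: machine-wide Sidebar policy value; 1 = Sidebar and gadgets turned off.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
$PolicyName = 'TurnOffSidebar'

function Get-SidebarExposure {
    # A missing key or value means the policy has not been applied.
    $policy  = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $blocked = ($policy -ne $null) -and ($policy.$PolicyName -eq 1)

    # A running sidebar.exe means gadgets are executing in the current session.
    $running = @(Get-Process -Name sidebar -ErrorAction SilentlyContinue).Count -gt 0

    # Running services whose display name mentions the Sidebar (see the manual steps).
    $services = @(Get-Service -DisplayName '*Sidebar*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.DisplayName })

    # Gadgets installed per machine and per user (assumed standard locations).
    $dirs = @("$env:ProgramFiles\Windows Sidebar\Gadgets",
              "$env:LOCALAPPDATA\Microsoft\Windows Sidebar\Gadgets")
    $gadgets = @($dirs | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem -Path $_ } |
        Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })

    New-Object PSObject -Property @{
        PolicyBlocksSidebar = $blocked
        SidebarRunning      = $running
        RunningServices     = $services
        InstalledGadgets    = $gadgets
    }
}

function Disable-Sidebar {
    # Create the policy key if needed, then write the DWORD value (overwrites if present).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # End any instance already running in this session.
    Get-Process -Name sidebar -ErrorAction SilentlyContinue | Stop-Process -Force
}

Get-SidebarExposure | Format-List
# Disable-Sidebar   # uncomment to apply, then re-run the audit
```

A machine is in the recommended state when `PolicyBlocksSidebar` is True and `SidebarRunning` is False; anything listed under `InstalledGadgets` that did not ship with Windows is worth reviewing or removing.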

No wonder Microsoft has dropped Gadgets in Windows 8!

As a Windows 7 or Windows Vista user, have you disabled the Sidebar and Gadgets yet?

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.

7 Comments

  1. Aj Jeffries

    I have to say, what a load of rubbish. I have never heard of or seen a problem or had one, and every PC/laptop where I work uses the sidebar gadgets.

  2. Ian M Williams

    I agree what a load of rubbish: I have been running the sidebar gadgets on Windows Vista through Windows 7 without any problems for years now.

  3. No more Microsoft!

    Microsoft – a big bunch of deceitful liars.

  4. JohnH, Sydney

    Discussed this with expert Win7 user, he confirmed my thoughts: 1. Don’t use Sidebar. 2. Standard Win7 gadgets such as the Calendar should be OK — just don’t load any alleged “upgrades”. 3. The problem is mainly with non-MS (third party) gadgets. Don’t load them, and if you have any get rid of them.

  5. Mel

    I rely on my gadgets for system monitoring, ISP internet usage, time zones among other things. I won’t be disabling them. In fact, I have enabled gadgets in Windows 8 as well.
    I trust my Internet Security Suite to minimise the risks.

  6. FoilHatWearer

    If this is such a problem, why aren’t there articles flooding the airwaves about people’s identities being stolen and their computers taken over? I couldn’t help but notice that this story hit the news in July 2012, there’s a trickle of news items in August-September, then it’s all just totally died. Everybody I know uses gadgets and nobody has had any problems.

    This isn’t a security issue, it’s a marketing decision by Microsoft.

  7. FoilHatWearer

    This is total garbage. Using Microsoft’s “logic” everybody needs to quit surfing the internet because you might hit a malicious website that installs tracking cookies and malware.

    The part that really kills me is how supposedly competent computer security types have swallowed this non-issue hook, line, and sinker. In doing so, they’ve made themselves marketing hacks doing free work for Microsoft. What a joke.
