The Register® — Biting the hand that feeds IT

Feeds

Disable Gadgets NOW says Redmond

Remote execution vuln

By Richard Chirgwin, 11th July 2012
  • print
  • alert

Customer Success Testimonial: Recovery is Everything

Microsoft has advised Vista and Windows 7 users to put Gadgets and the Windows Sidebar to the sword, following the revelation of yet-to-be-detailed remote code execution vulnerabilities in the features.

Redmond issued this advisory ahead of an upcoming Black Hat presentation by Mickey Shkatov and Toby Kohlenberg. The two have promised to reveal “interesting attack vectors” in a presentation called “We Have You By The Gadgets”.

Microsoft hasn’t provided any further information about the vulnerability, other than to say that users could install insecure Gadgets that enable remote code execution.

“Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time,” Microsoft notes.

Since Gadgets run with the rights of the current user, the vulnerability could allow exploits all the way up to administrative level.

The Microsoft fix disables the Windows Sidebar and Gadgets on all supported Vista and Windows 7 editions.

The unloved Sidebar feature for Gadgets was killed off in Windows 8, as was the Windows Live Gallery used to access Gadgets from the desktop. ®

Ensure Ease of Recovery with Asigra’s Agentless Software

COMMENTS

House Rules Send Corrections
All Reader Comments (121)
Highly Rated
Steen Eugen Poulsen

New fangled Microsoft strategy...

"Remove our software, it's so buggy we don't know how to fix it."

I don't think they ran this idea by the PR department...

36
0
ScottK

So basically...

...install a program from an untrusted source (which in this case just happens to be a gadget) and it will have access to resources on your computer, with your access rights.

This is new how?

25
0
Mongo

My spin goes up to 11

The MS "Gadget Gallery" page goes beyond coyly suggesting that gadgets from "untrusted sources" are problematic. They've vaped all of the official ones too - but it's ok, it's because...

Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery.

You can now use your HTML5, CSS3, and JavaScript skills to build Metro style apps for Windows 8 Release Preview. To get started developing Metro style apps, go to Windows Dev Center.

So either they're blythely lying about the threat perimeter or they're so desperate for Win8 migration that they've killed a (admittedly crappy, but that doesn't distinguish it much from Metro) feature of the current commercial release.

16
1

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
19