Microsoft preps Vista to thwart rogue gadgets
An optional OS update can block buggy or malicious mini-apps
Computerworld - Microsoft Corp. today urged Windows Vista users to download a new security tool that automatically disables suspicious or malicious "gadgets," the small applets that mimic the "widgets" popular on Mac OS X.
Dubbed "Windows Sidebar Protection," the 1MB download was added to Windows Update on Tuesday and classified as a "high-priority" update. Microsoft customers running Vista RTM -- the initial version that launched in late 2006 to businesses and early 2007 to consumers -- saw the update on the list starting Tuesday. The update is optional, but depending on what settings have been selected in Windows' Automatic Updates, it may be downloaded and installed without any additional user interaction.
Windows Sidebar is a Vista-only panel that holds the miniature applications known as gadgets -- small single-purpose tools that, for instance, display the time and date or RSS feeds. The Windows gadgets are composed of HTML and various scripts.
And there's the rub, said Microsoft.
"Vista treats gadgets like it treats all executable code," said the advisory that accompanied the update. "Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as Web pages are. HTML content in the gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer."
In other words, gadgets could be dangerous, even malicious. The small applications are crafted not only by Microsoft but also by third-party developers and users; Microsoft distributes gadgets on its Web site, but it doesn't vet them.
"The update gives us a mechanism to prevent a malicious gadget from being installed first of all, and if it's installed, to block the gadget [from running]," said Austin Wilson, a director in the Windows client product management group. "We're being proactive here. We looked at the [security] landscape and wanted this in place in case a problem arises in the future."
There are no known vulnerabilities in any existing gadgets, Wilson claimed, stressing that Microsoft knows of no purposefully malicious gadgets, either.
When it detects a flawed, suspicious or malicious gadget, Microsoft will create a "kill bit" file that it will then push to users through Windows Update on the regular once-a-month patch day, said Wilson. Yesterday's update included no kill bit, stressed Wilson, but instead is the tool that generates a unique ID for each gadget, accepts the list from Windows Update and then blocks existing gadgets from running or newly-downloaded gadgets from installing.
After a gadget has been identified as bad, its icon gets swapped out with one labeled "Bad Gadget." The icon also can't be dragged, and the tool tip shows it as a security risk.
The Sidebar security update is already integrated in the bits that were distributed as Vista Service Pack 1's release candidate last month, said Wilson, and it will be included in the final when that launches in the coming weeks.
Microsoft has posted a pair of documents on its support site that go into more detail: KB943411 includes the download links to the 32- and 64-bit versions of the tool; KB941411 walks users through the various dialog boxes they will see when the tool tries to bar or block a gadget.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts