Microsoft urges death of Windows gadgets as researchers plan disclosures
Reacts to upcoming revelations of gadget vulnerabilities at Black Hat by offering tool that kills feature in Vista, Windows 7
Computerworld - Just two weeks before researchers are to disclose bugs in Windows "gadgets" at Black Hat, Microsoft acknowledged unspecified security vulnerabilities in the small pieces of software supported by Vista and Windows 7.
To deal with the vulnerabilities, Microsoft has provided a way to cripple all gadgets and disable the "sidebar" engine that runs them.
"The purpose of this advisory is to notify customers that Microsoft is aware of vulnerabilities in insecure Gadgets affecting the Windows Sidebar on supported versions of Windows Vista and Windows 7," Microsoft said in a security warning issued Tuesday.
"The deprecation of gadgets and the sidebar is interesting," said Jason Miller, manager of research and development at VMware, in an interview. "Gadgets are not much used for business, so if you don't use it, get rid of it. That's one of the best ways to reduce your attack profile."
Microsoft did not detail the vulnerabilities or explain why it was letting users ditch gadgets, but the move may be linked to an upcoming presentation at Black Hat, the annual security conference held in Las Vegas. On July 26, Mickey Shkatov and Toby Kohlenberg are scheduled to present research on gadget flaws and exploits.
The Black Hat entry for their presentation, "We Have You by the Gadgets," noted "a number of interesting attack vectors" in gadgets.
"We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets," the description stated.
In its advisory, Microsoft thanked Shkatov and Kohlenberg for their help with gadget bugs. The researchers were unavailable for comment or to answer questions late Tuesday.
Gadgets and the sidebar engine were introduced in 2007's Windows Vista as a way to run and manage single-use, lightweight applications. Windows 7 also supported gadgets, but let users place them directly on the desktop rather than on the separate sidebar.
At their debut, some critics noted gadgets' similarity to the widgets and Dashboard introduced two years earlier by Apple in OS X 10.4, also known as Tiger.
While touted by Microsoft before the launch of Vista, gadgets never caught on with users. It was thus no surprise when Microsoft announced last fall that it was pulling support for gadgets from Windows 8. At the same time, it retired the Windows Live Gallery, a source for desktop gadgets.
The Windows website, which until Tuesday described how to obtain gadgets, now warns users. "Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time," said the site.
Microsoft offered users a "Fixit" -- one of its automated configuration tools -- that disables the sidebar and all gadgets in Vista and Windows 7. The tool is available on Microsoft's support site.
"My first take was that Microsoft was admitting that it's very difficult for a third-party developer to securely write a gadget," said Andrew Storms, director of security operations at nCircle Security. "So they're disabling them all. Thank goodness for that."
This is not the first time that Microsoft has reacted to security problems in gadgets. More than four years ago, Microsoft updated Vista with a tool that let the company automatically -- and remotely -- disable suspicious or malicious gadgets.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.