Microsoft Fix ItA scheduled talk at the Black Hat Briefings security conference in Las Vegas later this month may have dealt a fatal blow to the once ballyhooed Windows Sidebar and Windows Gadgets. Redmond, Washington-based Microsoft, on Tuesday, issued a software “fix” that disables gadgets and the Windows sidebar on Vista and Windows 7 entirely.

The “Fix it” update marks an inglorious end for Windows Sidebar and the plug-able Gadgets which, just six years ago, were seen as a way to make Microsoft’s stodgy OS hipper and happier, like Mac’s popular OS X. But in a security advisory issued Tuesday, Microsoft warned that the Gadgets posed a security risk to Windows Vista and Windows 7 systems and provided a tool to disable them altogether.

“Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets,” the company wrote in its Advisory. “Customers who are concerned about vulnerable or malicious Gadgets should apply the automated Fix It solution as soon as possible.”

Gadgets were already on the road to obsolescence. Microsoft announced in October that it was shutting down Windows Live Gallery, the company’s Gadget application store. Though supported in early versions of the upcoming Windows 8 operating system, the Sidebar and Gadgets and were dropped from later Windows 8 builds and won’t be supported in the new Windows Metro user interface. Microsoft’s Gadgets download Web site now warns users that gadgets “installed form untrusted sources can harm your computer” and links to the most recent advisory. 

Microsoft didn’t provide details on the nature of the remote code execution problem, the company did thank Mickey Shkatov and Toby Kohlenberg for “working with us on Gadget vulnerabilities.”

Shkatov and Kohlenberg are scheduled to present a talk, “We Have You By The Gadgets” at the Black Hat Briefings security conference on July 26 in Las Vegas. The talk is described as one about “creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets,” according to the Black Hat Briefings Web site.The Fix It Microsoft released is described as a “work around,” not a patch. It works by disabling both the Sidebar and Gadget functionality in affected versions of Vista and Windows 7 ().

Windows Gadgets never caught on with the public and have received scant attention from attackers, as a result. However, security researchers have shown how DLLs from gadgets obtained on the Windows Live Marketplace could be leveraged with other software security holes in Vista and Windows 7 to bypass critical security features like ASLR (Address Space Layout Randomization).


Categories: Vulnerabilities