Last week, I blogged on my site to report that a pair of security researchers plan to unveil majority security flaws in the Windows Sidebar and Gadgets interface at the upcoming Black Hat convention, DEFCON, to be held in Las Vegas from July 21-26 at Caesars Palace (see Goodbye Gadgets, Goodbye to read the original). It seems that there are major security holes that can be exploited to create malicious gadgets quite easily. It’s even possible that existing gadgets can be subverted to confer the same rights and privileges to an attacker as enjoyed by the current logged-in user. And because so many users log in with admin privileges, that means the doors fly wide open for savvy attackers to do whatever they like on systems where gadgets grant them a foothold.
Some of my favorite gadgets I still keep running on Windows 7.
In the wake of this disclosure, Microsoft has indicated it will NOT include support for gadgets in the upcoming RTM and GA versions of Windows 8. It has also issues a security advisory — Vulnerabilities in Gadgets could allow remote code execution — that permits users to turn off the sidebar and gadgets in both Windows Vista and Windows 7 as well. This advisory includes two Microsoft FixIt tools named 50906 and 50907. Because MS doesn’t tell you what they do, I’ll add that 50906 turns the Sidebar and gadgets off, while 50907 turns them back on. In my blog, I opined that as long as users take all gadgets off their desktops, I’m not sure it’s absolutely necessary to disable gadget support and the sidebar entirely. In my case on Windows 7, given my own pretty good local security regime, I’m not worried too much about leaving my favorite gadgets up and running on my Windows 7 machines inside my double firewalled network (boundary firewall, plus individual firewalls on all client machines). Nevertheless, I’ll be keeping an eye out on the results of the DEFCON demo and presentation to see if my current lack of fear and trepidation remains justified once I better understand the nature of the threat(s) and vulnerabilities involved.
In the meantime, you might also find it interesting to read the chatter on this subject on the Windows EightForums, in a thread entitled “Microsoft urges death of Windows gadgets as researchers plan disclosur[e]…” You’ll find many of my thoughts and musings echoed and amplified there, and some occasionally hilarious conspiracy theories about what Microsoft is doing, how and why Win8 sucks, and various factors no doubt contributing to the end of civilization as we know it. But interesting to read nevertheless.
For myself, I’m waiting to learn more when the DEFCON disclosures are made. Should be interesting to understand how dire the security issues might be, and to ponder the question of why MS wishes to kills the sidebar and gadgets rather than to correct and repair their security deficiencies.