Security flaws signal early death of Windows Gadgets

Microsoft is speeding up plans to kill off the Windows Gadget platform after receiving word that serious security vulnerabilities will be disclosed at the upcoming Black Hat security conference.

According to a brief abstract from the Black Hat site, researchers Mickey Shkatov and Toby Kohlenberg plan to discuss weaknesses associated with Windows Sidebar and Gadgets and demonstrate "nastiness" that can be done on the platform.

[ Microsoft drops surprise IE patch, fixes under-attack Windows zero-day ]

"Gadgets are comprised of JS, CSS and HTML and are application that the Windows operating system has embedded by default. As a result there are a number of interesting attack vectors that are interesting to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets," the researchers said.

Microsoft was already planning to deprecate Sidebar and Gadgets in the upcoming Windows 8 but, after working with Schkatov and Kohlenberg ahead of Black Hat, the company decided to push for the immediate death of the platform.

From the MSRC blog:

As many of you are aware, Windows 8 will deprecate the Sidebar and Gadgets, and Gadget developers are already shifting their efforts to the online Windows Store. Meanwhile, we’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run. With time running out for the Sidebar and Gadgets and with developers already moving on, we’ve chosen to deprecate the Windows Gadget Gallery effective immediately, and to provide a Fix it to help sysadmins disable Gadgets and the Sidebar across their enterprises.

The company released a security advisory with information to help system administrators disable the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7 with one Fix it click.

Microsoft did not provide details on the vulnerabilities but warned that there is a risk of remote code execution attacks.

"An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system," Microsoft warned.

This automated Fix-It will disable the Windows Sidebar experience and all Gadget functionality on affected machines.