Microsoft Disables Windows Sidebar, Gadgets Due to Security Risk

 
 
By Robert J. Mullins  |  Posted 2012-07-12 Email Print this article Print
 
 
 
 
 
 
 

The software company has released a security update that shuts off the desktop feature out of concerns that hackers could get into a user’s system.

Microsoft has issued a security advisory urging users to install an update that disables the Sidebar and Gadgets features on Windows Vista and Windows 7 operating systems due to a potential security vulnerability.

The security advisory warns that a hacker could get into a user€™s system through an insecure Gadget running in Sidebar, execute arbitrary code and wreak havoc on the system. The Sidebar, as its name implies, is a section of the desktop real estate that lies to one side of the screen. Gadgets running in Sidebar are various tools, created with small amounts of code, which a user can see at a glance while working on their computer, such as a clock, the local temperature, a news headline feed or a stock ticker.

€œGadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time,€ Microsoft stated in its security advisory, posted July 10. 
Worse yet, if the user of the compromised computer has administrative rights on a network, the hacker could take complete control of the affected system, making it possible for them to install programs, view, change, or delete data, or create new accounts with full user rights, the advisory stated.

The advice to disable Gadgets, for those who still use them, comes shortly before security researchers are scheduled to make a presentation on Gadget vulnerabilities at the annual Black Hat USA 2012 security industry conference beginning July 21 in Las Vegas. On July 26, researchers Mickey Shkatov and Toby Kohlenberg will present €œWe Have You By The Gadgets€ that will detail the risks.

€œWe will be talking about the Windows Gadget platform and the nastiness that can be done with it, how Gadgets are made, how they are distributed and, more importantly, their weaknesses,€ reads a synopsis of their presentation on the Black Hat conference Website. Gadgets have been written in JavaScript, Cascading Style Sheet (CSS) and Hyper Text Markup Language (HTML), say the researchers, who will also explain how malicious gadgets can be created and how even legitimately created Gadgets can be misappropriated by hackers.

Microsoft closed the Windows Live Gallery at which users could select Gadgets to run in Sidebar in 2011, so the end of the feature was already preordained.

€œBecause we want to focus on the exciting possibilities of the newest version of Windows, the Windows Website no longer hosts the Gadget gallery,€ Microsoft explained last year.

Instead of writing Gadgets for what is basically a defunct feature of Windows, the company now invites developers to use HTML5, CSS3 and JavaScript to build Metro style apps for Windows 8 Release Preview, the precursor to the new Windows 8 operating system. At the recently concluded Worldwide Partner Conference in Toronto, Microsoft announced that Windows 8, and the related OS Windows RT, will be released to manufacturing the first week in August and that general availability of the OS as a standalone product and installed on new hardware, is scheduled for late October.

 
 
 
 
Robert Mullins is a freelance writer for eWEEK who has covered the technology industry in Silicon Valley for more than a decade. He has written for several tech publications including Network Computing, Information Week, Network World and various TechTarget titles. Mullins also served as a correspondent in the San Francisco Bureau of IDG News Service and, before that, covered technology news for the Silicon Valley/San Jose Business Journal. Back in his home state of Wisconsin, Robert worked as the news director for NPR stations in Milwaukee and LaCrosse in the 1980s.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel