Microsoft has issued a security advisory urging users to install an update that disables the Sidebar and Gadgets features on Windows Vista and Windows 7 operating systems due to a potential security vulnerability.
The security advisory warns that a hacker could get into a users system through an insecure Gadget running in Sidebar, execute arbitrary code and wreak havoc on the system. The Sidebar, as its name implies, is a section of the desktop real estate that lies to one side of the screen. Gadgets running in Sidebar are various tools, created with small amounts of code, which a user can see at a glance while working on their computer, such as a clock, the local temperature, a news headline feed or a stock ticker.
Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time, Microsoft stated in its security advisory, posted July 10.
Worse yet, if the user of the compromised computer has administrative rights on a network, the hacker could take complete control of the affected system, making it possible for them to install programs, view, change, or delete data, or create new accounts with full user rights, the advisory stated.
The advice to disable Gadgets, for those who still use them, comes shortly before security researchers are scheduled to make a presentation on Gadget vulnerabilities at the annual Black Hat USA 2012 security industry conference beginning July 21 in Las Vegas. On July 26, researchers Mickey Shkatov and Toby Kohlenberg will present We Have You By The Gadgets that will detail the risks.
We will be talking about the Windows Gadget platform and the nastiness that can be done with it, how Gadgets are made, how they are distributed and, more importantly, their weaknesses, reads a synopsis of their presentation on the Black Hat conference Website. Gadgets have been written in JavaScript, Cascading Style Sheet (CSS) and Hyper Text Markup Language (HTML), say the researchers, who will also explain how malicious gadgets can be created and how even legitimately created Gadgets can be misappropriated by hackers.
Microsoft closed the Windows Live Gallery at which users could select Gadgets to run in Sidebar in 2011, so the end of the feature was already preordained.
Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows Website no longer hosts the Gadget gallery, Microsoft explained last year.
Instead of writing Gadgets for what is basically a defunct feature of Windows, the company now invites developers to use HTML5, CSS3 and JavaScript to build Metro style apps for Windows 8 Release Preview, the precursor to the new Windows 8 operating system. At the recently concluded Worldwide Partner Conference in Toronto, Microsoft announced that Windows 8, and the related OS Windows RT, will be released to manufacturing the first week in August and that general availability of the OS as a standalone product and installed on new hardware, is scheduled for late October.