Kill those Vista and Win7 gadgets now!

Microsoft’s hot new feature that never was.

If you paid any attention to the launch of Windows Vista, you might remember Microsoft hyping a fabulous new feature in the newest and greatest version of Windows yet — the Windows we’d all been waiting for to replace XP. It was a magical new technology known as the Windows Sidebar, a place where you could put really cool mini-apps — gadgets — such as stock tickers, clocks (shown in Figure 1), simple games, and weather guides. (If none of this sounds familiar, you’re easily forgiven.)
As an MS Windows Sidebar and gadgets how-to states, gadgets “offer information at a glance and provide easy access to frequently used tools. For example, you can use gadgets to display a picture slide show, view continuously updated headlines, or look up contacts.”
Figure 1. A handful of common Windows gadgets: Clock, Stock Ticker, and System Monitor
Microsoft made it sound as if gadgets were something totally new and different — a feature that would drive power users to upgrade to Vista. But in fact, the new gadgets bore a remarkable resemblance to Konfabulator’s widgets, which were already available to Windows users. (The company was bought out by Yahoo and rebranded in 2005. There’s a fascinating cartoon history of the Konfabulator gadgets — er, widgets — on the old Konfabulator site.) Vista gadgets also looked a lot like Apple’s Dashboard widgets, introduced with OS X Tiger over a year before Vista’s release.
Like widgets, gadgets embodied the trend toward push technology — the ability for outside data sources (such as live stock-market feeds) to continuously stream information onto a PC. Microsoft started experimenting with push techniques in Windows 95 with the Active Desktop, a miserable feature that worked sporadically and often failed without notice. A slimmed-down version of Active Desktop turned into the Vista Sidebar, with the new gadgets acting as the dancing bears. Windows 7 kept gadgets but no longer required the Sidebar stage.

Why gadgets have earned a bad reputation.

Gadgets are little snippets of HTML code that work with few rules and no security sandboxing. That’s an open invitation to malicious hackers looking for unguarded entries into Windows.
Although the vulnerability in gadgets has existed for years, two security researchers are shedding some new light on the threat. At next week’s annual hacker gathering in Las Vegas — Black Hat USA 2012 (more info) — Mickey Shkatov and Toby Kohlenberg will deliver their presentation, “We have you by the gadgets.” As is common for Black Hat presentation pre-announcements, there are as yet few details. But Shkatov and Kohlenberg promise, “We will be talking about the Windows gadget platform and what nastiness can be done with it, how are gadgets made, how are they distributed, and, more importantly, their weaknesses. … As a result, there [are] a number of interesting attack vectors that are interesting to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets, and the sorts of flaws we have found in published gadgets.”
Much to their credit, Shkatov and Kohlenberg have been in talks with Microsoft, apparently divulging some of their findings. (The point of Black Hat is to reveal detailed information on how new security exploits work, thus pushing software developers into rapidly patching their code.) I can imagine the security folks at Microsoft saying, “These guys have us nailed.” (Some of the MSRC folks might have said something considerably less printable.) The result is MS Security Advisory 2719662, which states, “Customers who are concerned about vulnerable or malicious gadgets should apply the automated Fix It solution as soon as possible” (more on that below).
Microsoft might have several ulterior motives for dumping gadgets. It’s been quietly phasing them out for some time now, and it finally shuttered the doors on the Gadget Gallery several weeks ago. There are rumors that Microsoft has yanked gadget support from the final version of Windows 8 (although gadgets still run just fine in the current Win8 Release Preview). But as is plainly stated in what’s left of the Gadget Gallery page, Microsoft wants to push you in the direction of Windows 8 Metro — where you’ll find a similar experience, but tied to an infinitely better infrastructure.
Whatever Microsoft’s intentions, there’s no doubt that Shkatov and Kohlenberg have discovered a security breach that should curl your PC’s toes.
At this time, it’s not clear whether the vulnerability is within the gadgets themselves or is associated with the Sidebar. (In Windows 7, you can run gadgets with or without the Sidebar.) MS Security Advisory 2719662 suggests both. I suppose we’ll find out next Thursday, but for now I think you need to kiss those clocks and stock tickers good-bye.

What you need to do before next Thursday.

Fortunately, disabling gadgets and the Sidebar is pretty easy. Microsoft invented a poison pill, disguised as a fixit in MS Support article 2719962. You’ll find two Fix it buttons halfway down the page: one to disable the Sidebar and gadgets, and another to enable them (which might be useful if Microsoft provides an actual patch for the vulnerability).

Clicking the fixit button downloads a file, which you then need to run. You can protect other PCs by just copying that file onto a USB drive and running it on any other Vista or Windows 7 machine.
Do it now, while you’re thinking about it. The fixit doesn’t take much time, but a system reboot is required to enable it. Warn your friends: this could turn into something nasty very quickly.
 