Microsoft to users: disable Windows Gadgets

Do you use Gadgets in Windows 7 or Vista? Bad news, then. In a security advisory published yesterday, Microsoft says the diminutive desktop (and sidebar) applets may be vulnerable to attacks that enable remote code execution. An attacker could purportedly use them to access your PC with the same privileges as your user account—so if you have administrative privileges, the attacker could get full control of your machine.

To address the problem, Microsoft has released a "Fix it" wizard that disables Windows Gadgets altogether. (Another wizard, available from the same page, switches the feature back on.) Microsoft’s security advisory says you can disable Windows Gadgets yourself using the Registry Editor, as well, provided you follow a few simple instructions.

According to Computerworld, the advisory "may be linked" to the upcoming Black Hat security conference. There, two researchers—Mickey Shkatov and Toby Kohlenberg—plan to show a presentation about attack vectors in Gadgets. Here’s the abstract:

Why send someone an executable when you can just send them a sidebar gadget?
We will be talking about the windows gadget platform and what the nastiness that can be done with it, how are gadgets made, how are they distributed and more importantly their weaknesses. Gadgets are comprised of JS, CSS and HTML and are application that the Windows operating system has embedded by default. As a result there are a number of interesting attack vectors that are interesting to explore and take advantage of.

We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets.

Sure enough, in the "Acknowledgments" section of the advisory, Microsoft thanks "Mickey Shkatov and Toby Kohlenberg for working with us on Gadget vulnerabilities." I guess Shkatov and Kohlenberg may be white hat hackers rather than black hat ones. (Thanks to The Verge for the tip.)

Comments closed
    • burntham77
    • 7 years ago

    You’ll have to pry my gadgets out of my cold dead desktop.

    • Chrispy_
    • 7 years ago

    Isn’t the Metro interface just a gadget grid?

    /facepalm.

    • rxc6
    • 7 years ago

    Never really cared much for Microsoft’s gadgets.

    On the other hand, I’ve been using [url<]http://rainmeter.net/[/url<]

    • Bensam123
    • 7 years ago

    And .pdfs can infect your computer as can malicious java applets. My last two infections have been from java applets that auto-ran on websites. That’s out of like four total viruses I’ve ever gotten.

    • HisDivineOrder
    • 7 years ago

    So for Windows 8, they’re disabling Aero. And gadgets for everyone.

    Next, MS will disable multitasking and rename Windows 8 to a new name: Window 8.

    • plonk420
    • 7 years ago

    is there a way to completely and safely just uninstall it altogether??

      • BobbinThreadbare
      • 7 years ago

      That’s the point of their “patch”

    • albundy
    • 7 years ago

    yeah, probably with MS’s cr@ppy browser. The smart ones keep quite a distance from IE these days. Or maybe this is just another ploy to enmass a cant wait for win8 population.

    • MadManOriginal
    • 7 years ago

    From the Q&A for this Security Advisory:
    [quote<] How could an attacker exploit the vulnerability? An attacker would have to convince a user to install and enable a vulnerable Gadget. [/quote<] I take that to mean the standard MS Gadgets or others from the MS Gadget page ought to be safe (assuming MS checks them for exploits.) However, when you go to the Gadget page now there is this message: [quote<]Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery.[/quote<] So you can't download presumably safe MS Gadgets. and [quote<]Some info for developers: You can now use your HTML5, CSS3, and JavaScript skills to build Metro style apps for Windows 8 Release Preview. To get started developing Metro style apps, go to Windows Dev Center. [/quote<] So the 'push for Windows 8' people are right, at least in that MS isn't going to bother fixing this which I'm sure they could. Pretty pathetic, I found Gadgets useful since I rarely run my desktop programs full-screen.

    • thebeastie
    • 7 years ago

    Microsofts solution to the problem is pretty funny, curse me stupid MS os addiction if only I didn’t like playing PC games at max performance.

    Yeah I like the CPU and network usage gadgets, there good, a little too good, they scream israeli super embedded spy ware in them that no ones discovered yet, that allows them to own ur PC if sent a few secret packets that the gadgets look out for.

    • Madman
    • 7 years ago

    I thought it was because the gadgets are deprecated in Win8 when I read the title, turns out there is another reason, or maybe not 🙂

    • gmskking
    • 7 years ago

    Microsoft to users: uninstall Windows

      • Jakubgt
      • 7 years ago

      So you want to uninstall windows because sidebars suddenly became disabled?

    • brucethemoose
    • 7 years ago

    I always used Omnimo with Rainmeter.

    Why use windows gadgets when there’s a cleaner, more sophisticated alternative anyway?

    • Deanjo
    • 7 years ago

    Well at least KDE knows how to offer security and gadgets (widgets).

    • kamikaziechameleon
    • 7 years ago

    So basically one of the coolest and most poorly supported features in vista is officially dying. I’m so confused what is up with Microsoft. They don’t declare a patch or fix inbound. Instead they say hey you guys its time we told you about an old loop hole.

      • Deanjo
      • 7 years ago

      What I get a kick out of is the gadgets web page now:

      [url<]http://windows.microsoft.com/en-US/windows/downloads/personalize/gadgets[/url<] [quote<]Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time.[/quote<] [quote<]You can now use your HTML5, CSS3, and JavaScript skills to build Metro style apps for Windows 8 Release Preview.[/quote<] Like there has never been CSS or Javascript exploits.

        • indeego
        • 7 years ago

        Gadgets are HTML/XML/CSS/Javascript based.

      • Bensam123
      • 7 years ago

      Apple doesn’t have gadgets…

      …Do they?

        • Deanjo
        • 7 years ago

        They have had widgets for a long time.

        • kyboshed
        • 7 years ago

        They’ve had HTML/JS/CSS ‘widgets’ since 2005.[1]

        They also had a more rudimentary version called desk accessories way back in 1984[2]

        [url<]http://en.wikipedia.org/wiki/Dashboard_(Mac_OS)[/url<] [url<]http://en.wikipedia.org/wiki/Desk_Accessory[/url<]

    • Tristan
    • 7 years ago

    Wow, MS is really fast. W8 still is months away, and they begin destroying W7 ALREADY !!!
    Gadgets are strong competitors to tiles, so they removed gallery with gadgets, and now want to switch them off. Of course everything in light of user interest. Viiruses are like terrorist, we can’t kill them all, but we can kill gadgets to protect users, isn’t.?

      • l33t-g4m3r
      • 7 years ago

      Just a repeat of Vista removing stackable folders on your desktop for shortcut use. That’s what I used to categorize my games before steam. Also, the control panel in windows 7 was removed and replaced with annoying wizards.

      [url<]https://en.wikipedia.org/wiki/Features_removed_from_Windows_Vista[/url<] [url<]https://en.wikipedia.org/wiki/Features_removed_from_Windows_7[/url<] Pretty disgusting tactics MS keeps using. This is not how you keep customers.

        • isaacg
        • 7 years ago

        What does “stackable folders on your desktop for shortcut use” mean? I don’t recall any such feature, nor can I find it on the wiki page you listed.

          • l33t-g4m3r
          • 7 years ago

          Exactly. This was a feature windows had since 95-XP(64). It worked very much like quick-launch, you take a folder of shortcuts drag it onto the side of your desktop and Voila a new shortcut bar. You can still do this to a much lesser extent, try it for yourself, as only the stackable feature was removed. I used to vertically stack them in different categories.

        • indeego
        • 7 years ago

        > This is not how you keep customers.

        Microsoft has the largest marketshare they’ve ever had in 2012 on the desktop, and amongst the highest profits based on those sales and peripheral sales. Surely customers would revolt!

          • l33t-g4m3r
          • 7 years ago

          Because there has been no viable alternative for a very long time. Linux is slowly approaching an almost usable state, and now would be the best time to push capable users over. More users and cash are what is needed, and they need to start working on a Distro worthy of public use immediately. Microsoft dropped the ball, and all the linux community has to do is pick it up.

            • TEAMSWITCHER
            • 7 years ago

            Agreed. Windows 8 is not exactly the sharpest knife in the drawer, and Mountain Lion, while very good, is tied to expensive hardware and subject arcane App Store rules.

            Linux on the other hand is high quality, affordable, portable, configurable, and powerful. The only problem is App support. Rumor is Valve is porting Steam to Linux. That might create a decent base for gaming, maybe they will also have a Linux based game console.

            There is a huge opportunity approaching for Desktop Linux. I hope someone is paying attention.

            • l33t-g4m3r
            • 7 years ago

            Linux basically needs a distro dedicated to making a stable desktop experience. Mandriva is the only Distro I’ve tried that attempts to be an usable out of the box desktop experience, and it includes drivers from both amd and nvidia. Only problem is that they’re not as well funded and have slow releases. I think they could really push linux forward with enough funding, perhaps with a kickstarter page. I agree with you on Valve, as steam could create a base for gaming, and once that takes off distros will get more funding from new users, which will futher help linux improvement. There is a chain reaction event imminent, but we need somebody to set off the initial jump forward.

            edit: Valve is working on it:
            [url<]http://www.phoronix.com/scan.php?page=article&item=valve_linux_dampfnudeln&num=1[/url<]

            • bjm
            • 7 years ago

            Of course, the source you quote is the same one who said that Linux is DirectX compatible with a native implementation simply because a state tracker had been developed with pre-alpha-wtf quality. An article that, if I remember correctly, you yourself parroted as the end of Windows. This was two years ago and nothing at all came of it.

            While I won’t count out the possibility that Valve will eventually release Steam on Linux, you have to be realistic in your expectations. Valve won’t magically solve the issues with incompatibilities between the distros. They will have to implement and package all of their APIs into their installation, as well as each game they install — essentially being their own mini-platform on top of Linux. That is, they’ll have to fly in the face of what Linux distributions consider a well-packaged package.

            [quote<]There is a chain reaction event imminent, but we need somebody to set off the initial jump forward.[/quote<] Ah, year of the desktop linux... maybe next year, right?

          • BobbinThreadbare
          • 7 years ago

          Do they? I was pretty sure Apple’s market share has grown significantly since the late 90s, and I’ve heard positive numbers from Linux too.

          Everyone can’t have the highest marketshare they’ve ever had.

            • l33t-g4m3r
            • 7 years ago

            Yup. Apple is definitely a threat, and that’s what the whole surface/Metro thing is about.

            • BIF
            • 7 years ago

            “Everyone can’t have the highest marketshare they’ve ever had.”

            That’s only true if you have actually mastered fundamental mathematics. 😉

      • danny e.
      • 7 years ago

      Microsoft wants everything going through their own app store. Also, everytime the space shuttle launches, there is a major earthquake.

      • burntham77
      • 7 years ago

      Maybe they could allow some tiles on the desktop.

    • indeego
    • 7 years ago

    Last night’s patches broke stuff. grrr.

    • Omniman
    • 7 years ago

    I always use the Weather gadget and the All CPU Meter 🙁 . The stock market gadgets I used to have were great too until Microsoft pulled the plug on 99% of the gadgets market!

      • BobbinThreadbare
      • 7 years ago

      Yeah I use those two and a clock, so I have a clock on both screens.

      I think I’m going to just risk it and keep them.

      • superjawes
      • 7 years ago

      Simple gadgets are nice…simple enough to get the information I want/need, and I was sad to see them basically get axed.

      I also wish that this would have better clarification, though, because it seems unclear whether this “some gadgets are scams” or “ALL” gadgets are at risk.

    • Arclight
    • 7 years ago

    Don’t use them atm. I experimented a bit in the past but i quickly disabled them. As far as i’m concerned, i will use the “Fix it for me” thingy. Thanks for the heads up. On a realated note, i should def. spend more time on their website/forums

    • Ryhadar
    • 7 years ago

    Given that the they’re having you go through the registry to turn off gadgets, I’m assuming that even if you’re not even using gadgets you’re still at risk?

    I, myself begrudgingly stopped using the weather widget some time ago (I thought it was rather neat). I had a problem where the ALT+TAB preview would be sent behind the window it was previewing, rendering it fairly useless. After some googling, I concluded the issue was running gadgets, and had to turn it off as I use ALT+TAB far more than I check the weather.

      • Arclight
      • 7 years ago

      Does it also happen with Windows+Tab?

        • Ryhadar
        • 7 years ago

        Nope, but I much prefer ALT+TAB. I never really like the Windows+Tab feature to begin with.

          • sweatshopking
          • 7 years ago

          and it’s gone it 8.

          • BobbinThreadbare
          • 7 years ago

          I wish they took one the linux things with WinKey+Tab where it put all the windows in a circle that you could rotate. That was actually mildly useful, and much cooler looking than a stack.

    • quarantined
    • 7 years ago

    The weather gadget was kinda nice, but so much for that I guess.

    • flip-mode
    • 7 years ago

    I’ve never used the gadgets. I always thought they were too gimmicky.

      • Farting Bob
      • 7 years ago

      I use a clock one and a CPU monitor that works with coretemp so it displays usage and temperature of each core. Pretty nice to have on screen as i have a large display so rarely do i have the whole screen covered up at once, and its easier to look there than at the taskbar.

      Any standalone programs offer desktop widgets as an alternative until MS fixes it?

      Its rare that they announce a vulnerability in such detail and say “you should really just not use this feautre, at all.” so im guessing its not a quick fix for them and may be exploiting a fundamental part of the windows gadgets codebase that cant be easily patched around.

        • Corrado
        • 7 years ago

        I use the coretemp widget too…

          • squeeb
          • 7 years ago

          Same. And I don’t plan to disable it.

            • Vaughn
            • 7 years ago

            I currently use Coretemp,Network Meter and GPU observer and I don’t plan to stop.

            All of them are very useful to me cause I don’t always have apps open full screen aka windows 8 and need the information they provide at a quick glance.

            Why is microsoft turning into Apple?

            i’m already planning on skipping windows 8 due to metro unless a third party and fix it and provide a proper desktop experience on a real pc.

            Linux is looking better everyday now……

      • Shambles
      • 7 years ago

      Agreed. Why on earth would I care about anything sitting on my desktop. If i’m on the computer it means I’m using the computer. Hence the desktop is always hidden behind several windows.

        • Deanjo
        • 7 years ago

        Depends on the user and what the gadget is being used for. I have for example coded gadgets to monitor servers, call boards, etc.

        PS You can set gadgets to always be on top.

      • jpostel
      • 7 years ago

      All CPU Meter is pretty good. I have also used gadgets for putty and RDP.

      • cynan
      • 7 years ago

      Most do seem gimmicky. But there are some more genuine 3rd party gadgets.

      The one I’m using currently is that which comes with Sapphire Trixx (for those unaware, it’s an overclocking utility similar to MSI Afternburner or Riva Tuner). It keeps a small window that displays GPU temp, clock speed, voltage, etc, that can be quite useful when stress-testing your GPU overclocks when not in full screen mode.

      • BIF
      • 7 years ago

      I use them. I like to live dangerously. That analog clock just screams “Rebel!” to all who happen to see my desktop.

      When I get home tonight, I think I will run with scissors. And make funny faces.

      • Bensam123
      • 7 years ago

      cpu monitor, HD monitor, and network monitor… All made by the same person.

      I’d use weather if I didn’t have another application that did it. Same with a email notifier, clock and calendar are a nice touch.

    • Michaelzehr
    • 7 years ago

    The security advisory and the quotes suggest that the main problem is with insecure gadgets. Do you have any information regarding whether there are problems with microsoft provided gadgets? I might not trust a cpu monitor gadget from a random site, but what about the clock gadget that comes with Windows? Phrased another way, is the vulnerability in the gadgets or in the infrastructure that runs the gadgets? Is there risk having sidebar enabled with no gadgets running, for example?

    Thanks for any additional info.

      • gamoniac
      • 7 years ago

      Yea, I just turned my weather gadget off.

      I have always removed my user account from the admin group since years ago, but I guess the attack could still delete files from the drives/network folders. Not good. Bye bye gadget.

      • LocalCitizen
      • 7 years ago

      I share your question. When I start a program, be it a gadget or Solitaire, it will run under my user privileges. Is there a particular concern with the gadgets? If the user is dumb enough to download unknown gadgets from the web and run under admin privilege, is there a way to prevent it? Should it be prevented?

Pin It on Pinterest

Share This