Microsoft Urging Customers To Disable Windows Gadgets

In a security advisory released on Tuesday, Microsoft announced that it has released a fix that will disable the Windows Sidebar and Gadgets on supported editions of Windows Vista and Windows 7. While many end-users may pout that they can no longer play virtual piano or giggle at their kitty cat clock, Microsoft insists it's in everyone's best interest, as vulnerabilities have been discovered that will allow remote code execution.

"Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets," Microsoft reports. "In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time."

Microsoft warns that an attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system," the company adds. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

The advisory arrives just two weeks prior to Black Hat where Mickey Shkatov and Toby Kohlenberg are scheduled to present research on Windows Gadget flaws and exploits. As the warning indicates, Microsoft has acknowledged the problem, but the company has yet to detail the vulnerability, pushing users to ditch their favorite desktop Gadgets.

Taking place on July 26, the presentation will be called "We Have You By The Gadgets" and will note "a number of interesting attack vectors" discovered in Gadgets. "We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets," the presentation's description states.

News of the Gadget exploit arrives after a recent internal build of Windows 8 -- 844x -- was revealed to contain no references to desktop Gadgets in the control panel or desktop mode. Currently Gadgets are supported in Windows 8 Consumer and Release Preview editions. Microsoft also recently cleaned "Gadget house" online, as the company now offers a "Greatest Hits" collection of 29 internal and 3rd-party developed Gadgets.

"Because we want to focus on the exciting possibilities of the newest version of Windows, Microsoft no longer supports uploading new Gadgets. But that doesn't mean you can't still get Gadgets. The most popular and highest-rated gadgets are still available on this page," the Gadget page officially reads towards the bottom.

Desktop Gadgets have been around since the launch of Windows Vista, and have proved to be quite useful and entertaining. They were originally required to be docked (or contained) within a special sidebar in Windows Vista. Visually this feature was removed in Windows 7, allowing Gadgets to float on the desktop or be attached to the left or right side of the screen. However all Gadgets are still owned by the sidebar.exe process, as seen in the Process tab of Windows Task Manager.

But now it seems that desktop Gadgets will experience an early death before the arrival of Windows 8. For more information about disabling the Windows Sidebar and Gadgets, read Security Advisory 2719552.

  • leaderWON
    people use these?
  • Unolocogringo
    Most toolbars, gadgets, free add-ons etc. are considered trojans.
    They do offer their basic function but underneath most track everything you do on the internet and report it back to the publisher.
  • dameon51
    I really like the Google sidebar. I would rather use the Windows one since it's built in, but it doesn't have as many widgets/gadgets.
  • A Bad Day
    Rick_Criswell: Most toolbars, gadgets, free add-ons etc. are considered trojans. They do offer their basic function but underneath most track everything you do on the internet and report it back to the publisher.
    I agre-

    Oh look, a smiley face cursor! Hmm, it requires a 50 MB download. Meh, I want it anyways!
  • ashinms
    If someone took over my computer and started doing stuff on it the first thing I would do is pull the cord...
  • balister
    leaderWON: people use these?
    Some of them are kind of handy. I run the MS CPU/Memory gadget so I can know what's going on at any given time with CPU and Memory resources without having to go to Task Manager. I also run the MS Weather gadget that can be configured to show the predicted weather for the next few days coming up. So yes, there's a couple useful ones, but most are not.
  • badaxe2
    Does this have anything to do with their recent chopping of Gadget support in Win 8?
  • jrharbort
    There's always alternatives. Gotta love rainmeter.
  • halcyon
    Wait, wait. Microsoft creates "gadgets" to copy the feature-set/functionality of OS X's widgets. Promotes the feature and now is turning around and telling us to stop using the feature because it's a significant security threat? You. Have. Got. To. Be. Frick'n. Kidd'n. Me. ...right? As an OS X user I admit, I like Windows' gadgets and I believe the appropriate thing for MS to do is to FIX the frick'n security hole. How 'bout that, eh?! No, no. "If you buy our new Windows H8te OS you're good-to-go". I call bullsh*t. Fix it MS.

    Next they'll be advising not to use the desktop or screen-savers because a security hole was found.

    I really hope I mis-read the article in my skimming of it. If this was Apple the haters would be cumming all over themselves in self-righteous glee.

    Frick'n disqusting.
  • badaxe2
    It's almost like they had this discussion in a board room meeting:

    Suit A: "So, we want less gadgets in Windows 8. Hell, we really don't want any. Capiche?"

    Suit B: "The people aren't gonna like that."

    Suit A: "Hmmm...true....well, let's just release a 'security' warning about how 'unsafe' they are."

    Suit B: "I like the way you think, sir."

    Suit A: "I know."