By Woody Leonhard
In the unlikely chance that you’re using Windows gadgets, you need to get rid of them — right now!
Those seemingly innocuous accessory apps that you stick onto your desktop, included with Vista and Windows 7, could be used to subvert your system.
If you paid any attention to the launch of Windows Vista, you might remember Microsoft hyping a fabulous new feature in the newest and greatest version of Windows yet — the Windows we’d all been waiting for to replace XP. It was a magical new technology known as the Windows Sidebar, a place where you could put really cool mini-apps — gadgets — such as stock tickers, clocks (shown in Figure 1), simple games, and weather guides. (If none of this sounds familiar, you’re easily forgiven.)
As an MS Windows Sidebar and gadgets how to states, gadgets “offer information at a glance and provide easy access to frequently used tools. For example, you can use gadgets to display a picture slide show, view continuously updated headlines, or look up contacts.”
Microsoft made it sound as if gadgets were something totally new and different — a feature that would drive power users to upgrade to Vista. But in fact, the new gadgets bore a remarkable resemblance to Konfabulator’s widgets, which were already available to Windows users. (The company was bought out by Yahoo and rebranded in 2005. There’s a fascinating cartoon history of the Konfabulator gadgets — er, widgets — on the old Konfabulator site.) Vista gadgets also looked a lot like Apple’s Dashboard widgets, introduced with OS X Tiger over a year before Vista’s release.
Like widgets, gadgets embodied the trend toward push technology — the ability for outside data sources (such as live stock-market feeds) to continuously stream information onto a PC. Microsoft started experimenting with push techniques in Windows 95 with the Active Desktop, a miserable feature that worked sporadically and often failed without notice. A slimmed-down version of Active Desktop turned into the Vista Sidebar, with the new gadgets acting as the dancing bears. Windows 7 kept gadgets but no longer required the Sidebar stage.
Gadgets are little snippets of HTML code that work with few rules and no security sandboxing. That’s an open invitation to malicious hackers looking for unguarded entries into Windows.
Although the vulnerability in gadgets has existed for years, two security researchers are shedding some new light on the threat. At next week’s annual hacker gathering in Las Vegas — Black Hat USA 2012 (more info) — Mickey Shkatov and Toby Kohlenberg will deliver their presentation, “We have you by the gadgets.” As is common for Black Hat presentation pre-announcements, there are as yet few details. But Shkatov and Kohlenberg promise, “We will be talking about the Windows gadget platform and what nastiness can be done with it, how are gadgets made, how are they distributed, and, more importantly, their weaknesses. … As a result, there [are] a number of interesting attack vectors that are interesting to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropria! ting legitimate gadgets, and the sorts of flaws we have found in published gadgets.”
Much to their credit, Shkatov and Kohlenberg have been in talks with Microsoft, apparently divulging some of their findings. (The point of Black Hat is to reveal detailed information on how new security exploits work, thus pushing software developers into rapidly patching their code.) I can imagine the security folks at Microsoft saying, “These guys have us nailed.” (Some of the MSRC folks might have said something considerably less printable.) The result is MS Security Advisory 2719662, which states, “Customers who are concerned about vulnerable or malicious gadgets should apply the automated Fix It solution as soon as possible” (more on that below).
Microsoft might have several ulterior motives for dumping gadgets. It’s been quietly phasing them out for some time now, and it finally shuttered the doors on the Gadget Gallery several weeks ago. There are rumors that Microsoft has yanked gadget support from the final version of Windows 8 (although gadgets still run just fine in the current Win8 Release Preview). But as is plainly stated in what’s left of the Gadget Gallery page, Microsoft wants to push you in the direction of Windows 8 Metro — where you’ll find a similar experience, but tied to an infinitely better infrastructure.
Whatever Microsoft’s intentions, there’s no doubt that Shkatov and Kohlenberg have discovered a security breach that should curl your PC’s toes.
At this time, it’s not clear whether the vulnerability is within the gadgets themselves or is associated with the Sidebar. (In Windows 7, you can run gadgets with or without the Sidebar.) MS Security Advisory 2719662 suggests both. I suppose we’ll find out next Thursday, but for now I think you need to kiss those clocks and stock tickers good-bye.
Fortunately, disabling gadgets and the Sidebar is pretty easy. Microsoft invented a poison pill, disguised as a fixit in MS Support article 2719962. You’ll find two Fix it buttons halfway down the page: one to disable the Sidebar and gadgets, and another to enable them (which might be useful if Microsoft provides an actual patch for the vulnerability).
Clicking the fixit button downloads a file, which you then need to run. You can protect other PCs by just copying that file onto a USB drive and running it on any other Vista or Windows 7 machine.
Do it now, while you’re thinking about it. The fixit doesn’t take much time, but a system reboot is required to enable it. Warn your friends: this could turn into something nasty very quickly.