It's not often that Microsoft recommends that Windows users should disable a much hyped part of the OS, but that's exactly what has happened regarding the Windows Sidebar and Windows Gadgets found in Windows Vista and Windows 7. Microsoft Security Advisory 2719662 clearly states "Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets" and Microsoft even provides a handy Fix-It tool to do the job for you. So what's all the fuss about, all of a sudden?
Well, the simple answer is either 'Black Hat 2012' or "Gadgets have always been insecure, but now someone has actually noticed the fact". The someone in question is Israeli security researcher Mickey Shkatov, together with infosec professional Toby Kohlenberg, and the pair are planning to reveal just how insecure the whole Windows Gadget Platform actually is on July 26th at Black Hat USA, in a briefing aptly entitled 'We have you by the Gadgets'.
The briefing promises to reveal "a number of interesting attack vectors that are interesting to explore and take advantage of" as part of their "research into creating malicious gadgets, misappropriating legitimate gadgets" and "the sorts of flaws we have found in published gadgets". Microsoft notes that gadgets installed from untrusted sources can "harm your computer and can access your computer's files" and, perhaps more importantly, can change their behavior at any time, so a once-trusted Gadget could go rogue with no warning. "An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user," Microsoft warns, adding "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system".
Unusually, perhaps because the revelations at Black Hat are due to take place before the end of the month, or perhaps because it had already decided to kill off the Gadget platform in Windows 8 anyway, Microsoft has opted not to wait for the next Patch Tuesday updates to handle the problem, but instead to issue a 'Fix It' tool that will totally nuke the Sidebar and Gadgets from your system. It is something Microsoft recommends users do 'as soon as possible'. The Desktop Gadgets Gallery has already vanished from the Internet, and Microsoft notes that Gadget developers are already "shifting their efforts to the online Windows Store" in readiness for Windows 8 anyway.
So, have you disabled Windows Gadgets yet? I have...