woolie

Microsoft Kills Windows Gadgets Via Security Update


Posted by timothy on Thursday July 12, @01:00PM

from the cutting-losses dept.

benfrog writes "Microsoft has taken the unusual step of killing the Windows Gadgets feature completely via a security update. According to an advisory issued Tuesday, an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget. Microsoft has pulled the plug on its official Gadgets Gallery and is offering a Fix-it that completely disables the Windows Sidebar and Gadgets. Researchers Mickey Shkatov and Toby Kohlenberg are scheduled to give a presentation on the vulnerability at the upcoming Black Hat conference called We Have You By the Gadgets."

 

http://it.slashdot.org/story/12/07/12/166200/microsoft-kills-windows-gadgets-via-security-update

 

Security flaws signal early death of Windows Gadgets

 

Microsoft is pulling the plug on the Windows Sidebar and Gadgets platform ahead of news that security vulnerabilities will be disclosed at this year's Black Hat conference.

 

 


 

By Ryan Naraine for Zero Day | July 11, 2012 -- Updated 15:53 GMT (08:53 PDT)

Microsoft is speeding up plans to kill off the Windows Gadget platform after receiving word that serious security vulnerabilities will be disclosed at the upcoming Black Hat security conference.

 

According to a brief abstract from the Black Hat site, researchers Mickey Shkatov and Toby Kohlenberg plan to discuss weaknesses associated with Windows Sidebar and Gadgets and demonstrate "nastiness" that can be done on the platform.

 


 

"Gadgets are comprised of JS, CSS and HTML and are applications that the Windows operating system has embedded by default. As a result there are a number of interesting attack vectors that are interesting to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets," the researchers said.

 

Microsoft was already planning to deprecate Sidebar and Gadgets in the upcoming Windows 8 but, after working with Shkatov and Kohlenberg ahead of Black Hat, the company decided to push for the immediate death of the platform.

 

From the MSRC blog:

 

As many of you are aware, Windows 8 will deprecate the Sidebar and Gadgets, and Gadget developers are already shifting their efforts to the online Windows Store. Meanwhile, we’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run. With time running out for the Sidebar and Gadgets and with developers already moving on, we’ve chosen to deprecate the Windows Gadget Gallery effective immediately, and to provide a Fix it to help sysadmins disable Gadgets and the Sidebar across their enterprises.

 

The company released a security advisory with information to help system administrators disable the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7 with one Fix it click.

 

Microsoft did not provide details on the vulnerabilities but warned that there is a risk of remote code execution attacks.

 

"An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system," Microsoft warned.

 

This automated Fix-It will disable the Windows Sidebar experience and all Gadget functionality on affected machines.

 

 

http://www.zdnet.com/security-flaws-signal-early-death-of-windows-gadgets-7000000724/
