Microsoft fix-it to disable gadgets - SA 2719662

Published: 2012-07-10
Last Updated: 2012-07-10 22:10:12 UTC
by Swa Frantzen (Version: 1)
6 comment(s)

Microsoft Security Advisory 2719662 announces the availability of a fix-it to disable windows sidebar and gadgets. The threat seems to be insecure gadgets that allow random code to be executed with the rights of the logged on user.

See:

The fix-it disables the sidebar and gadgets.

--
Swa Frantzen -- Section 66

6 comment(s)

Comments

One question I didn't see addressed in the advisory is whether the standard set of Gadgets that shipped with the OS are known to contain any vulnerabilities, and if not whether they were subjected to a security review. I'll go ahead and ask during tomorrow's Microsoft patch webcast.
Now, it will only be a matter of time before Microsoft announces a fix it to disable all 3rd party software and switches to an App-store distribution model.

Gadgets in the sidebar are typically just scripting-enabled html and are no longer part of Windows 8. Microsoft stopped distributing new Gadgets some time ago, which sent users to other sites. If a user wants a function that is currently provided by a Gadget and the user can no longer use Gadgets, then that user will download and install 3rd party software that provides that function. That 3rd party software will allow code to be executed with the rights of the logged on user. Per MS' security advisory "Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time." That applies to pretty much all software installed from untrusted sources... but MS is no longer serving as a "trusted source" for Gadgets.
The response from Microsoft on today's call was that Microsoft has done security reviews on the standard set of Gadgets that shipped with the OSes, and that if security vulnerabilities are discovered within the Gadgets that shipped with the OSes they will continue to release updates for them. So, if you are 100% certain you only use Gadgets that came with the OS and have never installed any other Gadgets (i.e. if you're using the calendar or the weather dohickey that came with the OS), you should be OK.
Has there been any information discussed as to how whether the vulnerability can be exploited within existing gadgets?

A potential compromise I would like to investigate for environments where gadgets are in use is to apply the GPO to disable the installation of unsigned gadgets until more information is available.
This brings a little light into the issue:
http://www.theregister.co.uk/2012/07/11/disable_stupid_gadgets_says_microsoft/

"Microsoft has advised Vista and Windows 7 users to put Gadgets and the Windows Sidebar to the sword, following the revelation of yet-to-be-detailed remote code execution vulnerabilities in the features.

Redmond issued this advisory ahead of an upcoming Black Hat presentation by Mickey Shkatov and Toby Kohlenberg. The two have promised to reveal “interesting attack vectors” in a presentation called “We Have You By The Gadgets”."
An article by Sophos: http://nakedsecurity.sophos.com/2012/07/12/disable-windows-sidebar-gadgets/

Diary Archives