Forgot your password?
typodupeerror
Microsoft Security Bug Software Windows Technology

Microsoft Kills Windows Gadgets Via Security Update 161

Posted by timothy
from the cutting-losses dept.
benfrog writes "Microsoft has taken the unusual step of killing the Windows Gadgets feature completely via a security update. According to an advisory issued Tuesday, an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget. Microsoft has pulled the plug on its official Gadgets Gallery and is offering a Fix-it that completely disables the Windows Sidebar and Gadgets. Researchers Mickey Shkatov and Toby Kohlenberg are scheduled to give a presentation on the vulnerability at the upcoming Black Hat conference called We Have You By the Gadgets."
This discussion has been archived. No new comments can be posted.

Microsoft Kills Windows Gadgets Via Security Update

Comments Filter:
  • Misinformed Title (Score:5, Informative)

    by Mike Wag (2683017) on Thursday July 12, 2012 @01:00PM (#40629457)
    Slashdot's title gives the idea that Microsoft is using Windows Update to disable gadgets while in fact they are not. The article, however, is correct so this is just Slashdot trying to be sensationalist.

    What Microsoft is giving is 'Fix It' executable on their website. These are entirely optional and are proactively downloaded and enabled by users. They also contain the full info of what they do.

    As for the "vulnerability", well, duh. You download executable code, you might get pwnd. Even Chrome warns you that addons can pwn your system.
    • by ackthpt (218170) on Thursday July 12, 2012 @01:07PM (#40629533) Homepage Journal

      Slashdot's title gives the idea that Microsoft is using Windows Update to disable gadgets while in fact they are not. The article, however, is correct so this is just Slashdot trying to be sensationalist.

      What Microsoft is giving is 'Fix It' executable on their website. These are entirely optional and are proactively downloaded and enabled by users. They also contain the full info of what they do.

      As for the "vulnerability", well, duh. You download executable code, you might get pwnd. Even Chrome warns you that addons can pwn your system.

      Some of us are the beneficiaries of updates pushed out to us by IT departments where they take whatever Microsoft puts up, without much reading, because they don't know who they might step on.

      But your point is well taken.

      • Re:Misinformed Title (Score:5, Informative)

        by Sc4Freak (1479423) on Thursday July 12, 2012 @01:21PM (#40629691)

        This is a fix-it update, which doesn't appear through windows update and isn't pushed out through WSUS...

        • by Dog-Cow (21281) on Thursday July 12, 2012 @01:59PM (#40630183)

          And even if it was, it wouldn't matter. IT departments that push patches indiscriminately deserve any negative feedback they get.

          • Re: (Score:3, Insightful)

            by Anonymous Coward

            Tell me something, Mr Elite. How does someone who has never had formal training, but ends up leading a team of even less clued lackys across a few hundred servers/workstations? You think they have time to test patches or arrange their environment for better upgrading? No probably not, they are probably worked to the n'th hour, job prospects for them look slim so they are happy with the $35k year they make and they do enough to keep up with outages, requests, and upper management.

            When things are working p

          • by fatphil (181876) on Thursday July 12, 2012 @06:09PM (#40632819) Homepage
            The problem is that there's a flip-side. IT departments who don't push vital patches in time will get negative feedback for delaying.
          • Re: (Score:2, Troll)

            by Trogre (513942)

            Especially when Microsoft keep having these frequent "accidents", such as pushing Skype and Silverlight (twice) as security updates over WSUS.

    • I'm no Microsoft fan; but this sort of thing is common enough(especially among what I imagine Slashdot's readership to be), that I'd expect better.

      For better or for worse, MS is eyeballs-deep in the corporate market, which generally doesn't give a fuck about the cube drones' desire to have a shiny clock wasting 50 pixels on whatever screen was cheap from Dell 3 years ago; but does care about getting 0wn3d.

      For this reason, while they adopt a somewhat milder hand toward home users with autoupdate on, MS
      • by racermd (314140) on Thursday July 12, 2012 @03:07PM (#40630899)

        As a former enterprise-grade desktop support staffer (i.e.: one level up from the front-line call-takers), I know there have always been ways to disable the Windows Gadget platform. If not through GPO, at least through most other alternative rights-management schemes. Ultimately, it's as simple as removing the sidebar.exe file from the Program Files folder(s). Alternatively, an anti-malware utility (that's centrally managed, right?) can prevent the executable from starting.

        This should not be news to any company large enough to have a (competent) IT staff. Anything that runs applets or other code locally is potentially vulnerable. Disabling the platform entirely is one of the most effective ways of preventing this sort of vulnerability from being any sort of problem on a large-ish network. As such, assuming they're competent, they've already disabled or restricted this functionality long before a formal vulnerability existed.

        And, like you said, what IS sorta newsworthy is the subtext - that Microsoft is choosing to eliminate the Gadget platform altogether rather than patch it appropriately. Heading into Windows 8, I'm betting they didn't want to expend the resources necessary to do a proper repair job and, instead, focus developer time on Windows 8, Windows Server 2012, and optimizations on their new tablet platform.

        • by westlake (615356)

          As a former enterprise-grade desktop support staffer, I know there have always been ways to disable the Windows Gadget platform. If not through GPO, at least through most other alternative rights-management schemes.

          For a single user in Win 7 it is as simple as this:

          Search > Windows Features > Turn Windows Features On or Off > Windows Gadget Platform

      • by tehcyder (746570)

        I'm no Microsoft fan

        That's a mighty bold statement in this town, partner.

    • by jellomizer (103300) on Thursday July 12, 2012 @01:52PM (#40630071)

      But we want Microsoft to be EVIL and Blundering. As we giggle in glee of all of Microsoft Mistakes knowing these are mistakes of Pure Evil. While we use our own Pure OS, which by the nature of the fact that we chose to run it, is Good and infallible (unless it in some ways have been corrupted), but would be quickly purified by the forces of good. While the same problem by Microsoft is part of a devious plot to keep its corruption to an all time high.

    • The gadgets still work, but when I click on the "Get more gadgets online", it brings me to a webpage that says Microsoft doesn't host gadgets anymore because they are too busy making Windows 8.

      Instead if gives me the really helpful advice to not download gadgets from untrusted sources. This strikes me as unusual, since I was hoping Microsoft would be a trusted source where I could get safe gadgets. Apparently they aren't interested in doing that.
      • It has been this way for some time - At least as of a few months ago. That message isn't related to what's happening now.
        • by locopuyo (1433631)
          Microsoft stopped hosting gadgets a long time ago because they didn't want to be responsible for them. The get more gadgets link is completely useless. You have to search online to find them and the sites that have them are ridden with advertisements for spyware.
    • Re: (Score:2, Troll)

      by hairyfeet (841228)

      Not only is it bullshit I'd say its just one more move to try to get people to move over to Win 8. I mean who DIDN'T KNOW that running an executable as admin is a BAD THING, hmm? Are MSFT honestly trying to get us to believe that they don't even have enough common sense to keep malware off their own damned site? if so their security team should be fucking ashamed of themselves!

      Most of my users use gadgets and I will be telling them to simply ignore this, because they already have the gadgets they want. But

    • by gorzek (647352)

      Amazing how you figured that out within a minute of this being posted, yet the Slashdot "editors" apparently didn't even bother to check. These people get paid, don't they??

  • Wrong summary (Score:5, Informative)

    by Jennifer Wag (2683019) on Thursday July 12, 2012 @01:01PM (#40629467)
    Microsoft Windows Update does not remove Windows Gadgets. To remove Windows Gadgets, you need to proceed to Microsoft website and download a Fix-It that can be then used to disable Windows Gadgets on your computer.
    • If you do remove gadgets, there is only one true loss. The Pandora gadget is extremely useful because it provides the only ad-free frontend to pandora. If you disable Gadgets, you can still access it through this link:

      http://internal-tuner.pandora.com/windowsgadget/gadget.jsp [pandora.com]

      I found the audio to be choppy for some reason under firefox when you navigate away from the tab that contains it... for that reason it should likely be spawned into its own window.

  • What? (Score:5, Insightful)

    by trifish (826353) on Thursday July 12, 2012 @01:03PM (#40629499)

    An attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget.

    I always thought that if an attacker is logged in as admin, he owns the system already.

    Why do they talk about a specific attack? There are zillions of them if you have admin rights.

    • by Sir_Sri (199544)

      If the user is running as admin, which on windows lots of users (probably the vast majority of home users) then being able to gain remote control of the system is problematic at best.

      It's unfortunate, because I actually find some of the gadgets really handy (weather monitor, CPU monitor etc), but it's not worth getting your computer remotely seized for.

      It's not like there aren't other ways to do just about everything gadgets do anyway, it's just a poor mans live tile for small bits of info that are handy o

      • by Mike Wag (2683017)
        It's not remotely exploitable. Only if you install such gadget. You shouldn't be installign rand om softww wer anyways.
        • by gl4ss (559668)

          It's not remotely exploitable. Only if you install such gadget. You shouldn't be installign rand om softww wer anyways.

          that's even more stupid. if you as an admin install an program you can run it as admin? WHAT SHOCKING NEWS!!!!
          will they be uninstalling windows explorer next?

          is this their metro push plan? will they be uninstalling metro from win8 once it becomes known that if you install a malicious livetile program then that program can own you?

          • by Mike Wag (2683017)
            They're not uninstalling anything, they're providing you a tool you can use to uninstall gadgets.
            • by Sir_Sri (199544)

              And I think, to prevent installing them at all.

              Seems like it's one of those problems where the entire concept cannot be secured quickly (think I.E. 6).

              But we'll know more when the black hat presentation comes.

      • by hairyfeet (841228)

        Not unless they are on XP, which if they are still running a 12 year old OS they have worse problems, like how damned many patches on top of patches that XP has had. Most of the gadgets anybody would actually want like the weather are included by default in the Win 7 gadget library, don't know about Vista as i don't have a machine with Vista handy at the shop.

        There is one that is excellent that isn't included that I will provide the link for, the most excellent Meter Gadgets [addgadgets.com] which include CPU Meter, which i

    • by Anonymous Coward

      Did you know a thief could steal all of your valuables if they used a key to unlock your front door?

      • by dd1968 (1174479)
        "Did you know a thief could steal all of your valuables if they used a key to unlock your front door?" And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?
        • by Anonymous Coward

          Did you know a thief could steal all of your valuables if they used a key to unlock your front door?

          And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?

          Did you know that if you are actually at home on a hot date with the thief's mother when you said you'd be gone, and you've had the foresight to label a large bottle of deadly deadly poison as "EYE/BRAIN BLEACH" and leave it sitting in the front room, hilarity is essentially guaranteed?

          • by Anonymous Coward

            Did you know a thief could steal all of your valuables if they used a key to unlock your front door?

            And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?

            Did you know that if you are actually at home on a hot date with the thief's mother when you said you'd be gone, and you've had the foresight to label a large bottle of deadly deadly poison as "EYE/BRAIN BLEACH" and leave it sitting in the front room, hilarity is essentially guaranteed?

            And did you know the front door we're all talking about is the front door of motor home? Because otherwise, this analogy is non-automotive.

      • by JustOK (667959)

        What if someone steals the key from the thief?

    • by 0racle (667029)
      "An attacker could take over a user's system if they (the user) are logged in as admin and they (the user) install a vulnerable gadget."

      Clearer?
      • by jmorris42 (1458) *

        So? It still resolves down to misunderstanding exactly what is meant by 'admin'. Whoever has admin/root can do whatever they darned well want.... or at least until the DRM hammer falls. But because they don't want end users to understand that they are blowing smoke up everyone's butt and removing a feature most of us consider a waste of cycles and memory but some people actually like.

    • Sidebar Gadgets seem benign, but they are for all intents and purposes an IE window, running in the local zone (by default can create any ActiveX object on the system), with no scripting restrictions. So someone with admin rights can essentially install something that is telling them the weather, but can be quite mean. It isn't an obvious vector.
    • by treeves (963993)

      I think it was poorly worded, but what was meant was that if the USER is logged as admin, he could install a gadget that would give the attacker the ability to gain unwanted access to the system.

  • by FrYGuY101 (770432) on Thursday July 12, 2012 @01:05PM (#40629513) Journal

    an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget

    Am I missing something? Because if the attacker has root privs, you're pretty much screwed no matter what, gadget or no...

  • by Megane (129182) on Thursday July 12, 2012 @01:09PM (#40629555) Homepage
    "I got you this time, Gadgets!"
  • Couldn't MS simply patch their Gadgets engine so it won't run in an account with admin privileges? Maybe present the user with a popup "unable to run, you're an admin, you shouldn't do that on your daily driver account, etc..."

    This way users who like widgets will have an incentive to make their Windows profile safer.

    Carrot vs Stick. Sometimes the carrot is better.

    • by VMSBIGOT (933292)

      I'm not really sure what the hell the article is talking about. Unless you have disabled UAC, Sidebar.exe is running always under an unprivileged account. Take a look using Process Explorer and you will see that the "administrators" group is denied to that process.

      Hell, at least on Windows 8, you can't even try to run it as an administrator. It spawns an unprivileged child process to run it if you do.

  • Disabling gadgets is one of the first things I do on any new Windows system. They're never useful, all they do is eat up CPU time or distract you with constantly-moving readouts. Hate those things.

    • by Picass0 (147474)

      >> "They're never useful"

      You shouldn't speak in absolutes. For some people they are. There are widgets that make things simple for everyday people instead of power users. Eg - When you tell your grandma it's more secure to turn her WiFi off in certain situations, a desktop toggle widget makes this a lot easier.

      When you think someone's machine is running a bit hot you might be inclined to put temperature monitors where the user can help you keep an eye on things.

      • by gman003 (1693318)

        You say absolutes; I say hyperbole.

        • Absolute or hyperbole; regardless of the word used to describe it, I'd recommend finding a better term than "never useful". It makes you sound like a pretentious asswipe who can't think past his own needs, wants, and preferences.

          Unless you are a pretentious asswipe; in which case, carry on.

    • by Anonymous Coward

      Well, I use some gadgets that are very useful, such as Drive Activity, TopProcess and Clipboarder (this one is a must have for me), I don't think there are alternatives for all of them. And no, they don't distract me in any way.

    • Actually, I liked Windows Gadgets. I still using many of the ones offers by http://addgadgets.com./ [addgadgets.com.] Specifically the CPU, Network, and GPU meters. Hands-down should be included in the official Windows 7 Gadgets list.

    • They're never useful, all they do is eat up CPU time or distract you with constantly-moving readouts. Hate those things.

      For fact checking:

      Sysinternals > sidebar.exe > Properties

      Performance
      Performance Graph
      GPU Graph

      On my system the current load is 0% GPU and 1.5-2% CPU.

      The CPU and GPU monitors, almost certainly.

      I've been tracking system and GPU cooling in our summer heat waves.

    • by Saija (1114681)
      Hey i have a slide show gadget showing me pictures from my wife, baby and relatives, cheaper than buy some frames or digital frame.
  • In a previous job, middleware admins had a custom gadget that displayed status on a wide variety of web apps for which the department was responsible. Personally, I wouldn't have done it that way (you never know what Microsoft ...stuff... will hang around and what won't) but I wasn't consulted.

    So it occurs to me that, if the Windows admin group pushes out this update, it'll take a mission critical tool offline. I will have to call a former co-worker and see how that goes. Since Windows admin is outsource

  • Sigh (Score:1, Troll)

    by AdmV0rl0n (98366)

    Seriously has Sinofsky's mits written all over this.
    They killed this in 8, and it just means they have bullshit justification by saying 'it was insecure'.

    Yes, run as admin and download/run executable can own your machine. (For the past 30 years. Its not new. )
    Nobody should be running as Admin. And partially even when you do the OS impedes this to some degree.

    I suspect what is likely is that Gadgets may be flawed to a level where UAC and OS protection can't cover off enough, and its unhinged. But they should

    • Re:Sigh (Score:5, Funny)

      by the eric conspiracy (20178) on Thursday July 12, 2012 @01:43PM (#40629967)

      > But then thats MS in 2012. Remove and restrict features, charge you for what was free before, and generally be a fucking bunch of dicks.

      As Steve Ballmer said, we are not going to let Apple have any market unchallenged.

    • You don't need it. I've been using Windows 8 for less than a day and I do not miss the cluttered start menu--I've been using windows for 20 years. I use the Toolbar Address option to quick search on the desktop and it launches everything I need instantly. The new tiles interface is just a cleaner copy of the best android interfaces and it is welcome. Regular users are going to eat this up. I supplied my social network and Exchange accounts and it integrated all of them cleanly into the interface. It t

  • Does anyone else find it ironic that Metro is little more than Gadgets running in a full-screen Start Menu.

  • I just spent an all-nighter figuring out why certain VMs wouldn't clone cleanly -- and it ended up being SideShow that was the root problem, preventing sysprep under the covers.

    If only I'd known, "just be patient" would have been the best advice.
    • by omnichad (1198475)

      Sideshow isn't the same thing as Sidebar, though they are related. Sideshow is a second screen (usually smaller) that is just big enough for a system status widget or other small indicator.

  • I use desktop gadgets in Windows 7 for system monitoring, application launcher, weather report and volume control and have come to rely upon them heavily. I won't be applying this patch, however I can't help but wonder if MS is sneakily trying to kill off gadgets partly to promote the Windows 8 tiles and start screen.
    • by idontgno (624372)

      That occurred to me too.

      The threat statement comes down to "A program you download, install, and execute may secretly do bad things to your computer with the privileges and permissions of the user who is executing the program."

      In the words of the Prophet, "Well, DUH!"

      There is nothing distinctive to desktop gadgets in this. So the stated rationale has the whiff of bullshit that usually emanates from acts of Security Theatre.

      And that always make me wonder about ulterior motives and what kind of bad faith that

    • by JDG1980 (2438906)

      I won't be applying this patch, however I can't help but wonder if MS is sneakily trying to kill off gadgets partly to promote the Windows 8 tiles and start screen.

      Judging from the message they've posted on the closed Gadgets Gallery page [microsoft.com], it certainly looks that way"

      "Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery."

      Translation: nothing to see here, Windows 7 is yesterday's news, throw away your real PCs and em

  • So do I enable the Fix-it solution to disable the gadgets? Or do I disable the Fix-it solution to disable gadgets? Or do I disable the fix-it solution to enable the gadgets after I enable the Fix-it solution to disable gadgets?
  • by Simulant (528590)
    Can anyone explain how a Gadget is more dangerous than any other piece of software you might download and execute? Microsoft didn't.
    I think they just want to get rid of Gadgets. They closed the shop months ago.
  • by Nimey (114278) on Thursday July 12, 2012 @02:37PM (#40630595) Homepage Journal

    Looks like we're going to have to treat timothy like we treated kdawson until he shapes up.

  • "An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user," company officials said in an advisory issued Tuesday. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system." To be successful, they added, "An attacker would have to convince a user to install and enable a vulnerable Gadget."

    In other words: Gadgets are just like any other kind of executable code – they

    • by spitzak (4019)

      and eventually require everything to either go through the App Store or some sort of corporate app repository

      I think if that was the plan, then you should still get "official Microsoft gadgets" from the Microsoft "app store". But apparently they have been removed from there.

      I don't use Windows so I really don't know what is going on, but this does sound mysterious. I mean it is pretty much a "duh" insight that running untrusted software as admin is a problem, and they did not remove *all* software. So this

  • As a once gadget developer I say "Fuck you Microsoft!" and here's why ... when gadgets were all the shit they pushed the gadget gallery and they pushed it hard. OMG, you can program in JS and HTML, you can reuse your webdeveloping skills. I was excited as fuck. So I made a farely popular free gadget. I thought that they would expand their site to make non-free gadgets possible, since the "gadget store" was littered with mentions about a misterious Microsoft currency, but that didn't happen, the updates were

    • You should have realized this would happen when you considered for a moment why Windows Gadgets existed at all. They were an answer to the Google Desktop Sidebar, which was precisely the same thing: gadgets programmed in JS and HTML. Google discontinued Google Desktop a couple of years ago, citing specifically the creation of Windows Gadgets as one of the reasons why. Now that people have forgotten Google Desktop, Windows Gadgets has served its purpose and can be euthanized.

      And I am VINDICATED! I said y

  • I love their solution. Instead of Easily fixing the problem, which btw is definitely possible, they tell you to upgrade to Windows 8 and Metro as an alternative. Um ok...

    MS can blow me if they think that's somehow an acceptable alternative.They must really be desperate to get people to buy into Metro if they are pulling stunts like this.

"Silent gratitude isn't very much use to anyone." -- G. B. Stearn

Working...