Microsoft Kills Windows Gadgets Via Security Update
benfrog writes "Microsoft has taken the unusual step of killing the Windows Gadgets feature completely via a security update. According to an advisory issued Tuesday, an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget. Microsoft has pulled the plug on its official Gadgets Gallery and is offering a Fix-it that completely disables the Windows Sidebar and Gadgets. Researchers Mickey Shkatov and Toby Kohlenberg are scheduled to give a presentation on the vulnerability at the upcoming Black Hat conference called We Have You By the Gadgets."
Misinformed Title (Score:5, Informative)
What Microsoft is giving is a 'Fix It' executable on their website. These are entirely optional and are proactively downloaded and enabled by users. They also contain the full info of what they do.
As for the "vulnerability", well, duh. You download executable code, you might get pwnd. Even Chrome warns you that addons can pwn your system.
Re:Misinformed Title (Score:4, Insightful)
Slashdot's title gives the idea that Microsoft is using Windows Update to disable gadgets while in fact they are not. The article, however, is correct so this is just Slashdot trying to be sensationalist.
What Microsoft is giving is a 'Fix It' executable on their website. These are entirely optional and are proactively downloaded and enabled by users. They also contain the full info of what they do.
As for the "vulnerability", well, duh. You download executable code, you might get pwnd. Even Chrome warns you that addons can pwn your system.
Some of us are the beneficiaries of updates pushed out to us by IT departments where they take whatever Microsoft puts up, without much reading, because they don't know who they might step on.
But your point is well taken.
Re:Misinformed Title (Score:5, Informative)
This is a fix-it update, which doesn't appear through windows update and isn't pushed out through WSUS...
Re:Misinformed Title (Score:5, Insightful)
And even if it was, it wouldn't matter. IT departments that push patches indiscriminately deserve any negative feedback they get.
Re: (Score:3, Insightful)
Tell me something, Mr Elite. How does someone who has never had formal training, but ends up leading a team of even less clued lackeys across a few hundred servers/workstations? You think they have time to test patches or arrange their environment for better upgrading? No, probably not. They are probably worked to the nth hour, job prospects for them look slim, so they are happy with the $35k a year they make and they do enough to keep up with outages, requests, and upper management.
When things are working p
Re:Misinformed Title (Score:5, Insightful)
Re: (Score:2, Troll)
Especially when Microsoft keep having these frequent "accidents", such as pushing Skype and Silverlight (twice) as security updates over WSUS.
Re: (Score:2)
For better or for worse, MS is eyeballs-deep in the corporate market, which generally doesn't give a fuck about the cube drones' desire to have a shiny clock wasting 50 pixels on whatever screen was cheap from Dell 3 years ago; but does care about getting 0wn3d.
For this reason, while they adopt a somewhat milder hand toward home users with autoupdate on, MS
Re:Misinformed Title (Score:5, Insightful)
As a former enterprise-grade desktop support staffer (i.e.: one level up from the front-line call-takers), I know there have always been ways to disable the Windows Gadget platform. If not through GPO, at least through most other alternative rights-management schemes. Ultimately, it's as simple as removing the sidebar.exe file from the Program Files folder(s). Alternatively, an anti-malware utility (that's centrally managed, right?) can prevent the executable from starting.
This should not be news to any company large enough to have a (competent) IT staff. Anything that runs applets or other code locally is potentially vulnerable. Disabling the platform entirely is one of the most effective ways of preventing this sort of vulnerability from being any sort of problem on a large-ish network. As such, assuming they're competent, they've already disabled or restricted this functionality long before a formal vulnerability existed.
And, like you said, what IS sorta newsworthy is the subtext - that Microsoft is choosing to eliminate the Gadget platform altogether rather than patch it appropriately. Heading into Windows 8, I'm betting they didn't want to expend the resources necessary to do a proper repair job and, instead, focus developer time on Windows 8, Windows Server 2012, and optimizations on their new tablet platform.
Re: (Score:2)
As a former enterprise-grade desktop support staffer, I know there have always been ways to disable the Windows Gadget platform. If not through GPO, at least through most other alternative rights-management schemes.
For a single user in Win 7 it is as simple as this:
Search > Windows Features > Turn Windows Features On or Off > Windows Gadget Platform
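The two posts above describe the same control three ways (group policy, deleting or blocking sidebar.exe, and the "Windows Gadget Platform" checkbox under Windows Features, which another post further down in the thread repeats). The following PowerShell is an added example, not Microsoft's Fix-it and not code from anyone in the thread: it audits all three and then applies the policy and feature removal from an elevated prompt. The policy key, the `TurnOffSidebar` value name, the optional-feature name `WindowsGadgetPlatform` and the sidebar.exe location are what the "Turn off Windows Sidebar" policy and Windows 7 use to the best of my knowledge; treat them as assumptions and check them against your own build before deploying.

```powershell
# Added example (not Microsoft's Fix-it, not from the thread): audit and disable the
# Windows Sidebar/Gadget platform on Windows 7, then re-check. Run elevated.
# Assumed names (verify on your build): policy key and TurnOffSidebar DWORD behind the
# "Turn off Windows Sidebar" GPO; DISM feature name WindowsGadgetPlatform; sidebar.exe path.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
$FeatureName = 'WindowsGadgetPlatform'
$SidebarExe  = Join-Path $env:ProgramFiles 'Windows Sidebar\sidebar.exe'

function Get-GadgetPlatformState {
    # Policy value (null when no policy is set at all).
    $turnOff = $null
    if (Test-Path $PolicyKey) {
        $turnOff = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).TurnOffSidebar
    }
    # dism.exe is used instead of Get-WindowsOptionalFeature because that cmdlet does not
    # exist on Windows 7; parse the "State : ..." line of /Get-FeatureInfo.
    $state = 'unknown'
    $dism = & dism.exe /Online /Get-FeatureInfo /FeatureName:$FeatureName 2>$null
    foreach ($line in $dism) {
        if ($line -match '^State\s*:\s*(.+)$') { $state = $Matches[1].Trim(); break }
    }
    New-Object PSObject -Property @{
        PolicyTurnOffSidebar = $turnOff
        FeatureState         = $state
        SidebarRunning       = [bool](Get-Process -Name sidebar -ErrorAction SilentlyContinue)
        SidebarExePresent    = (Test-Path $SidebarExe)
    }
}

function Disable-GadgetPlatform {
    # 1. Machine-wide policy: sidebar.exe refuses to start and gadgets do not load for any user.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name TurnOffSidebar -PropertyType DWord -Value 1 -Force | Out-Null

    # 2. Kill any running instance so the change is effective now, not at next logon.
    Get-Process -Name sidebar -ErrorAction SilentlyContinue | Stop-Process -Force

    # 3. Remove the optional feature: same effect as unticking "Windows Gadget Platform"
    #    in "Turn Windows features on or off", and it takes sidebar.exe with it.
    & dism.exe /Online /Disable-Feature /FeatureName:$FeatureName /NoRestart | Out-Null
}

# Before / change / after, so the verification is part of the change record.
Get-GadgetPlatformState
Disable-GadgetPlatform
Get-GadgetPlatformState
```

Setting the policy alone is what the Fix-it does and is reversible; removing the feature is the stronger step because it also deletes the binary that a centrally managed anti-malware rule would otherwise have to block. Either way, the before/after state objects are what you attach to the change ticket.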
Re: (Score:2)
I'm no Microsoft fan
That's a mighty bold statement in this town, partner.
Re:Misinformed Title (Score:4, Insightful)
But we want Microsoft to be EVIL and Blundering. As we giggle in glee at all of Microsoft's mistakes, knowing these are mistakes of Pure Evil. While we use our own Pure OS, which by the nature of the fact that we chose to run it, is Good and infallible (unless it has in some way been corrupted), but would be quickly purified by the forces of good. While the same problem by Microsoft is part of a devious plot to keep its corruption at an all-time high.
Re: (Score:2)
^^ This post is the reason why I feel embarrassed to be part of the Linux community. It seems to be one of the few communities who actively relish hating a company to the point where any debate is dominated with emotions rather than facts. It's enough to push anyone away from Linux - who the fuck would WANT to become like the above poster?
Re: (Score:2)
Since you obviously work for Microsoft, we hate you, too. Go, kill yourself.
Re: (Score:2)
Nah, I look better than you anyway (as per your livejournal). :)
Re: (Score:2)
Don't tell me they can't, because the Linux and GNU and FLOSS (in general) community has proven over and over again that they can ["released an Operating System that WORKED, was rock-solid, had bullet-proof security, was small, tight, and fast, was highly customizable, configurable, did it's job quietly and kept the hell out of your way... and never needed to be patched because it had been designed to be secure and uncrashable from the ground up"]
Delusional much? Could you provide a link to this magical, Linux/GNU/FLOSS software so that I may run it? Or alternatively, I could take a few seconds and point out the many flaws, patches, upgrades, and missing features.
Re: The gadget gallery is gone (Score:2, Interesting)
Instead it gives me the really helpful advice to not download gadgets from untrusted sources. This strikes me as unusual, since I was hoping Microsoft would be a trusted source where I could get safe gadgets. Apparently they aren't interested in doing that.
Re: (Score:3)
Amazing how you figured that out within a minute of this being posted, yet the Slashdot "editors" apparently didn't even bother to check. These people get paid, don't they??
Re: (Score:2)
Don't trust anyone with a seven-digit uid.
Re: (Score:2)
Or anyone with a six-digit one either?
Re: (Score:2)
Trust is relative, you know...
Re:Misinformed Title (Score:5, Funny)
Please do; I'm afraid I'll not be able to kill Diablo on my own this time.
Comment removed (Score:5, Insightful)
Re:Misinformed Title (Score:5, Informative)
You like to complain about others making hyperbolic posts, yet every single post you make is an exaggerated bluster-filled rant.
Your endless faux outrage is fucking boring. Get a new gimmick and maybe I'll consider reading your comments again.
Re: (Score:2)
We only wish. You apparently don't work with many marketing people; they not only actually use stupid buzzwords like that but seem to believe that everyone else does. When I was younger and dumber I got into an argument with a marketing flack about "virtual" something or other, and was amazed at the really bizarre things he believed. I learned then not to argue with marketing people; it's as useless as debating with Jehovah's Witnesses.
Re: (Score:1)
I bet that gets lots of 'lolz'
We call them "lulz" now.
Re: (Score:2)
No, lulz is now a furry/MLP porn website.
Re: (Score:2)
No, lulz is now a furry/MLP pr0n website.
FTFY
Re: (Score:1)
Wrong summary (Score:5, Informative)
Retain ad-free Pandora gadget functionality (Score:2)
If you do remove gadgets, there is only one true loss. The Pandora gadget is extremely useful because it provides the only ad-free frontend to Pandora. If you disable Gadgets, you can still access it through this link:
http://internal-tuner.pandora.com/windowsgadget/gadget.jsp
I found the audio to be choppy for some reason under firefox when you navigate away from the tab that contains it... for that reason it should likely be spawned into its own window.
Re: (Score:1)
Seriously?
You were completely unable to find any humor in the GP's link?
Although it would have been more funny to post the real "Fix-It" link and then under that the Debian "Fixed-It" link.
What? (Score:5, Insightful)
An attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget.
I always thought that if an attacker is logged in as admin, he owns the system already.
Why do they talk about a specific attack? There are zillions of them if you have admin rights.
Re: (Score:2)
If the user is running as admin, which on Windows lots of users (probably the vast majority of home users) are, then being able to gain remote control of the system is problematic at best.
It's unfortunate, because I actually find some of the gadgets really handy (weather monitor, CPU monitor etc), but it's not worth getting your computer remotely seized for.
It's not like there aren't other ways to do just about everything gadgets do anyway, it's just a poor mans live tile for small bits of info that are handy o
Re: (Score:2)
It's not remotely exploitable. Only if you install such a gadget. You shouldn't be installing random software anyway.
That's even more stupid. If you as an admin install a program, you can run it as admin? WHAT SHOCKING NEWS!!!!
will they be uninstalling windows explorer next?
is this their metro push plan? will they be uninstalling metro from win8 once it becomes known that if you install a malicious livetile program then that program can own you?
Re: (Score:2)
And I think, to prevent installing them at all.
Seems like it's one of those problems where the entire concept cannot be secured quickly (think I.E. 6).
But we'll know more when the black hat presentation comes.
Re: (Score:1)
Did you know a thief could steal all of your valuables if they used a key to unlock your front door?
Re: (Score:1)
Did you know a thief could steal all of your valuables if they used a key to unlock your front door?
And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?
Did you know that if you are actually at home on a hot date with the thief's mother when you said you'd be gone, and you've had the foresight to label a large bottle of deadly deadly poison as "EYE/BRAIN BLEACH" and leave it sitting in the front room, hilarity is essentially guaranteed?
Re: (Score:1)
Did you know a thief could steal all of your valuables if they used a key to unlock your front door?
And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?
Did you know that if you are actually at home on a hot date with the thief's mother when you said you'd be gone, and you've had the foresight to label a large bottle of deadly deadly poison as "EYE/BRAIN BLEACH" and leave it sitting in the front room, hilarity is essentially guaranteed?
And did you know the front door we're all talking about is the front door of a motor home? Because otherwise, this analogy is non-automotive.
Re: (Score:2)
What if someone steals the key from the thief?
Re: (Score:2)
Clearer?
Re: (Score:1)
So? It still resolves down to misunderstanding exactly what is meant by 'admin'. Whoever has admin/root can do whatever they darned well want.... or at least until the DRM hammer falls. But because they don't want end users to understand that they are blowing smoke up everyone's butt and removing a feature most of us consider a waste of cycles and memory but some people actually like.
Re: (Score:2)
Maybe it's bypassing UAC. The article was unclear.
Re: (Score:2)
I think it was poorly worded, but what was meant was that if the USER is logged as admin, he could install a gadget that would give the attacker the ability to gain unwanted access to the system.
Re: (Score:2)
Uh (Score:3)
Am I missing something? Because if the attacker has root privs, you're pretty much screwed no matter what, gadget or no...
Re:Uh (Score:5, Funny)
Oh, that's rich. A Microsoft troll account accusing Google of smearing Microsoft. Good stuff!
Re:Uh (Score:5, Informative)
"An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user," company officials said in an advisory issued Tuesday. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system."
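What "arbitrary code in the context of the current user" means for a gadget is concrete: a .gadget package is an unpacked folder with a gadget.xml manifest and HTML/JScript that the Sidebar host runs with the logged-on user's rights and with the gadget object model (including `System.Shell.execute`) and ActiveX available to it. The PowerShell below is an added example, not Microsoft's tooling and not posted by anyone in the thread: it inventories the gadgets installed for the current user and machine-wide and flags script that reaches outside the gadget's own UI. The per-user and shared gadget folder names are the ones Windows 7 uses as far as I know, the manifest fields are read from the standard gadget.xml layout, and the pattern list is a starting triage set, not an exhaustive signature of malicious gadgets; all three are assumptions to adjust for your environment.

```powershell
# Added example (not from Microsoft or the thread): list installed Sidebar gadgets and flag
# script that executes programs, instantiates COM, touches the file system or the network.
# Assumed: folder locations, gadget.xml field names, and the (non-exhaustive) pattern list.
$GadgetRoots = @(
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Sidebar\Gadgets'),   # per-user installs
    (Join-Path $env:ProgramFiles 'Windows Sidebar\Gadgets'),             # in-box gadgets
    (Join-Path $env:ProgramFiles 'Windows Sidebar\Shared Gadgets')       # machine-wide installs
)

$SuspiciousPatterns = @(
    'System\.Shell\.execute',       # gadget API: launch an arbitrary program
    'new\s+ActiveXObject',          # COM from script (WScript.Shell, FSO, ADODB, ...)
    'WScript\.Shell',               # run commands, read/write registry, persist
    'Scripting\.FileSystemObject',  # arbitrary file read/write
    'XMLHttpRequest',               # network, e.g. fetch a second stage
    'eval\s*\('                     # dynamic/obfuscated code
)

function Get-GadgetManifest {
    param([string]$GadgetDir)
    $manifest = Join-Path $GadgetDir 'gadget.xml'
    if (-not (Test-Path $manifest)) { return $null }
    [xml]$xml = Get-Content -Path $manifest -ErrorAction Stop
    # gadget.xml: <gadget><name/><author name=".."/><hosts><host name="sidebar"><base type="HTML" src=".."/>
    New-Object PSObject -Property @{
        Name   = [string]$xml.gadget.name
        Author = [string]$xml.gadget.author.name
        Entry  = [string]$xml.gadget.hosts.host.base.src
    }
}

function Get-GadgetInventory {
    foreach ($root in $GadgetRoots) {
        if (-not (Test-Path $root)) { continue }
        # PSIsContainer rather than -Directory so this also runs on the PowerShell 2.0 that ships with Windows 7.
        $dirs = Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer -and $_.Name -like '*.gadget' }
        foreach ($dir in $dirs) {
            $m = Get-GadgetManifest -GadgetDir $dir.FullName
            $hits = @()
            $files = Get-ChildItem -Path $dir.FullName -Recurse -Include '*.html','*.htm','*.js','*.vbs'
            foreach ($f in $files) {
                $text = (Get-Content -Path $f.FullName -ErrorAction SilentlyContinue) | Out-String
                foreach ($p in $SuspiciousPatterns) {
                    if ($text -match $p) { $hits += ('{0}: {1}' -f $f.Name, $p) }
                }
            }
            New-Object PSObject -Property @{
                Path   = $dir.FullName
                Name   = $(if ($m) { $m.Name } else { '(no manifest)' })
                Author = $(if ($m) { $m.Author } else { '' })
                Entry  = $(if ($m) { $m.Entry } else { '' })
                Flags  = (($hits | Sort-Object -Unique) -join '; ')
            }
        }
    }
}

Get-GadgetInventory | Select-Object Name, Author, Entry, Flags, Path | Format-Table -AutoSize -Wrap
```

A hit on `System.Shell.execute` or `WScript.Shell` is not proof of malice (a legitimate launcher gadget needs exactly those calls), which is the point the advisory is making: the platform has no way to distinguish the two, so the only enforceable line is which gadgets you allow to be installed, not what they do once they run.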
Re: (Score:2)
Your peaceful informative explanation brings clarity here. What were you thinking?
Dr. Claw's response (Score:5, Funny)
Why remove? (Score:2)
Couldn't MS simply patch their Gadgets engine so it won't run in an account with admin privileges? Maybe present the user with a popup "unable to run, you're an admin, you shouldn't do that on your daily driver account, etc..."
This way users who like widgets will have an incentive to make their Windows profile safer.
Carrot vs Stick. Sometimes the carrot is better.
Re: (Score:1)
I'm not really sure what the hell the article is talking about. Unless you have disabled UAC, Sidebar.exe is always running under an unprivileged account. Take a look using Process Explorer and you will see that the "administrators" group is denied to that process.
Hell, at least on Windows 8, you can't even try to run it as an administrator. It spawns an unprivileged child process to run it if you do.
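The observation above can be checked without Process Explorer. What it is describing is UAC's filtered token: for a non-elevated process of an administrator, BUILTIN\Administrators is still present in the token but marked deny-only and the integrity level is Medium, whereas with UAC off (or in an elevated process) the group is enabled and the level is High. The following PowerShell is an added example, not code from the thread or from Microsoft: it opens a process's token through the documented OpenProcess/OpenProcessToken/GetTokenInformation calls and reports both facts. The constants are the SDK values as I know them and the SID_AND_ATTRIBUTES layout is assumed to be a pointer followed by a DWORD padded to pointer size; both are labelled in the code.

```powershell
# Added example (not from the thread, not Microsoft code): report the integrity level of a
# process and whether BUILTIN\Administrators is enabled or deny-only in its token.
# Assumed SDK constants: PROCESS_QUERY_LIMITED_INFORMATION 0x1000, TOKEN_QUERY 0x8,
# TokenGroups 2, TokenIntegrityLevel 25, SE_GROUP_USE_FOR_DENY_ONLY 0x10.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int length, out int needed);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
}
'@

function Get-TokenInfoBuffer {
    # Two-call pattern: query the size, allocate, fetch. The caller frees the buffer.
    param([IntPtr]$Token, [int]$InfoClass)
    $needed = 0
    [void][TokenNative]::GetTokenInformation($Token, $InfoClass, [IntPtr]::Zero, 0, [ref]$needed)
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
    if (-not [TokenNative]::GetTokenInformation($Token, $InfoClass, $buf, $needed, [ref]$needed)) {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        throw "GetTokenInformation($InfoClass) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $buf
}

function Get-ProcessTokenInfo {
    param([int]$ProcessId)
    $M = [Runtime.InteropServices.Marshal]
    $hProc = [TokenNative]::OpenProcess(0x1000, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed" }
    $hTok = [IntPtr]::Zero
    if (-not [TokenNative]::OpenProcessToken($hProc, 0x8, [ref]$hTok)) { throw "OpenProcessToken failed" }
    try {
        # Integrity level: TOKEN_MANDATORY_LABEL is a single SID_AND_ATTRIBUTES whose SID's
        # last sub-authority is the level RID (0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System).
        $buf = Get-TokenInfoBuffer -Token $hTok -InfoClass 25
        try {
            $sid   = $M::ReadIntPtr($buf)
            $count = $M::ReadByte([TokenNative]::GetSidSubAuthorityCount($sid))
            $rid   = $M::ReadInt32([TokenNative]::GetSidSubAuthority($sid, $count - 1))
        } finally { $M::FreeHGlobal($buf) }
        $level = switch ($rid) { 0x1000 {'Low'} 0x2000 {'Medium'} 0x3000 {'High'} 0x4000 {'System'} default {('0x{0:X}' -f $rid)} }

        # Groups: TOKEN_GROUPS is a DWORD count, then (pointer-aligned) SID_AND_ATTRIBUTES entries,
        # each a PSID followed by a DWORD of attributes padded to pointer size (assumed layout).
        $buf = Get-TokenInfoBuffer -Token $hTok -InfoClass 2
        $admins = 'absent'
        try {
            $n = $M::ReadInt32($buf)
            $entrySize = [IntPtr]::Size * 2
            for ($i = 0; $i -lt $n; $i++) {
                $entry = [IntPtr]($buf.ToInt64() + [IntPtr]::Size + $i * $entrySize)
                $gsid  = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ($M::ReadIntPtr($entry))
                $attr  = $M::ReadInt32($entry, [IntPtr]::Size)
                if ($gsid.Value -eq 'S-1-5-32-544') {          # BUILTIN\Administrators
                    $admins = $(if (($attr -band 0x10) -ne 0) { 'deny-only' } else { 'enabled' })
                }
            }
        } finally { $M::FreeHGlobal($buf) }
    } finally {
        [void][TokenNative]::CloseHandle($hTok)
        [void][TokenNative]::CloseHandle($hProc)
    }
    New-Object PSObject -Property @{ ProcessId = $ProcessId; IntegrityLevel = $level; Administrators = $admins }
}

# Compare this shell's token with sidebar.exe's, if it is running.
Get-ProcessTokenInfo -ProcessId $PID
Get-Process -Name sidebar -ErrorAction SilentlyContinue | ForEach-Object { Get-ProcessTokenInfo -ProcessId $_.Id }
```

Run from an elevated prompt you should see High/enabled for the shell and Medium/deny-only for sidebar.exe, which is the "administrators group is denied" the post refers to. The caveat a practitioner should keep in mind is that Medium integrity is the user's normal desktop: a gadget running there can still read and exfiltrate everything the user owns, persist under HKCU, and attempt any of the usual UAC bypasses, so the filtered token limits damage but does not turn a malicious gadget into a harmless one.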
And nothing of value was lost (Score:1)
Disabling gadgets is one of the first things I do on any new Windows system. They're never useful, all they do is eat up CPU time or distract you with constantly-moving readouts. Hate those things.
Re: (Score:2)
>> "They're never useful"
You shouldn't speak in absolutes. For some people they are. There are widgets that make things simple for everyday people instead of power users. Eg - When you tell your grandma it's more secure to turn her WiFi off in certain situations, a desktop toggle widget makes this a lot easier.
When you think someone's machine is running a bit hot you might be inclined to put temperature monitors where the user can help you keep an eye on things.
Re: (Score:2)
You say absolutes; I say hyperbole.
Re: (Score:2)
Absolute or hyperbole; regardless of the word used to describe it, I'd recommend finding a better term than "never useful". It makes you sound like a pretentious asswipe who can't think past his own needs, wants, and preferences.
Unless you are a pretentious asswipe; in which case, carry on.
Re: (Score:2)
I didn't think he was pretentious.
Re: (Score:1)
Well, I use some gadgets that are very useful, such as Drive Activity, TopProcess and Clipboarder (this one is a must have for me), I don't think there are alternatives for all of them. And no, they don't distract me in any way.
Sysinternals. (Score:2)
They're never useful, all they do is eat up CPU time or distract you with constantly-moving readouts. Hate those things.
For fact checking:
Sysinternals > sidebar.exe > Properties
Performance
Performance Graph
GPU Graph
On my system the current load is 0% GPU and 1.5-2% CPU.
The CPU and GPU monitors, almost certainly.
I've been tracking system and GPU cooling in our summer heat waves.
uh-oh (Score:2)
In a previous job, middleware admins had a custom gadget that displayed status on a wide variety of web apps for which the department was responsible. Personally, I wouldn't have done it that way (you never know what Microsoft ...stuff... will hang around and what won't) but I wasn't consulted.
So it occurs to me that, if the Windows admin group pushes out this update, it'll take a mission critical tool offline. I will have to call a former co-worker and see how that goes. Since Windows admin is outsource
Re: (Score:2)
Sounds like y'all need a change management process.
Yeah, really?
Ok here's how change management works there: Everything, including minor changes to development boxes, has to go through outsourced change management. The meetings are weekly, so if you want to correct a configuration issue in a web server and it's the day after the change meeting, it'll be a minimum one week before the change can be made.
There is only one change meeting for the entire company. It is typically 3 to 4 hours long. It consists of reading through the changes and asking for "app
Re: (Score:2)
Post outsourcing, the people actually doing the change are very junior people (I'm resisting the urge to say "store clerks") who have no understanding what they're actually doing. Their sole role is to follow written proc
Sigh (Score:1, Troll)
Seriously has Sinofsky's mitts written all over this.
They killed this in 8, and it just means they have a bullshit justification by saying 'it was insecure'.
Yes, run as admin and download/run an executable and it can own your machine. (For the past 30 years. It's not new.)
Nobody should be running as Admin. And partially, even when you do, the OS impedes this to some degree.
I suspect what is likely is that Gadgets may be flawed to a level where UAC and OS protection can't cover off enough, and it's unhinged. But they should
Re:Sigh (Score:5, Funny)
> But then thats MS in 2012. Remove and restrict features, charge you for what was free before, and generally be a fucking bunch of dicks.
As Steve Ballmer said, we are not going to let Apple have any market unchallenged.
ironic (Score:1)
Does anyone else find it ironic that Metro is little more than Gadgets running in a full-screen Start Menu?
Re: (Score:2)
"JavaScript app (Gadget) and a Metro app (Real executable.)" ... that can be written in Javascript/HTML.
They couldn't have killed them YESTERDAY?? (Score:2)
If only I'd known, "just be patient" would have been the best advice.
Re: (Score:2)
Sideshow isn't the same thing as Sidebar, though they are related. Sideshow is a second screen (usually smaller) that is just big enough for a system status widget or other small indicator.
For security reasons only? (Score:2)
Re: (Score:2)
That occurred to me too.
The threat statement comes down to "A program you download, install, and execute may secretly do bad things to your computer with the privileges and permissions of the user who is executing the program."
In the words of the Prophet, "Well, DUH!"
There is nothing distinctive to desktop gadgets in this. So the stated rationale has the whiff of bullshit that usually emanates from acts of Security Theatre.
And that always make me wonder about ulterior motives and what kind of bad faith that
Re: (Score:3)
I won't be applying this patch, however I can't help but wonder if MS is sneakily trying to kill off gadgets partly to promote the Windows 8 tiles and start screen.
Judging from the message they've posted on the closed Gadgets Gallery page, it certainly looks that way.
Translation: nothing to see here, Windows 7 is yesterday's news, throw away your real PCs and em
Fix-it (Score:2)
why? (Score:2)
I think they just want to get rid of Gadgets. They closed the shop months ago.
tag: timothysucks (Score:4)
Looks like we're going to have to treat timothy like we treated kdawson until he shapes up.
News flash: Running malicious programs is bad! (Score:2)
In other words: Gadgets are just like any other kind of executable code – they
Re: (Score:2)
and eventually require everything to either go through the App Store or some sort of corporate app repository
I think if that was the plan, then you should still get "official Microsoft gadgets" from the Microsoft "app store". But apparently they have been removed from there.
I don't use Windows so I really don't know what is going on, but this does sound mysterious. I mean it is pretty much a "duh" insight that running untrusted software as admin is a problem, and they did not remove *all* software. So this
Fuck you MS (Score:2)
As a one-time gadget developer I say "Fuck you Microsoft!" and here's why ... when gadgets were all the shit they pushed the gadget gallery and they pushed it hard. OMG, you can program in JS and HTML, you can reuse your web-developing skills. I was excited as fuck. So I made a fairly popular free gadget. I thought that they would expand their site to make non-free gadgets possible, since the "gadget store" was littered with mentions of a mysterious Microsoft currency, but that didn't happen, the updates were
Re: (Score:2)
You should have realized this would happen when you considered for a moment why Windows Gadgets existed at all. They were an answer to the Google Desktop Sidebar, which was precisely the same thing: gadgets programmed in JS and HTML. Google discontinued Google Desktop a couple of years ago, citing specifically the creation of Windows Gadgets as one of the reasons why. Now that people have forgotten Google Desktop, Windows Gadgets has served its purpose and can be euthanized.
And I am VINDICATED! I said y
Lame solution to a fixable problem (Score:2)
I love their solution. Instead of easily fixing the problem, which btw is definitely possible, they tell you to upgrade to Windows 8 and Metro as an alternative. Um, ok...
MS can blow me if they think that's somehow an acceptable alternative. They must really be desperate to get people to buy into Metro if they are pulling stunts like this.
They don't go away unless you want them to go away (Score:2)
I have a couple of extremely useful gadgets installed, and don't want to see them go away.
They don't go away unless you want them to go away.
You don't need the Fix-It Tool.
Search>Windows Features>Turn Windows Features On or Off>Windows Gadget Platform
Re: (Score:2)
Wow, it seems I struck a nerve with all the Microsoft fanbois. Not only have I been modded troll, but I've got several comments who clearly haven't even bothered to read what I wrote.
FACT A) Microsoft *admits* that the gadget platform is fundamentally flawed.
FACT B) Microsoft has provided an optional patch for you to disable it entirely if you don't want it.
One person says that the disabling of the feature is temporary. There is no citation for this, and this is NOT corroborated in the news articles.
What
Re: (Score:1)
And not only that, but it's supposedly temporary, presumably while they work on a better fix.
Re: (Score:2)
I'm sure you'll find lots of lawyers willing to help you, but to have a class-action lawsuit over this is beyond silly.
Re: (Score:2)
Not if you are a company that, for some reason, relies on gadget functionality.
Another case in point: there is an obscure function in SQL Server that lets you load in data from Excel quickly and easily. It's insanely useful when importing data from some weirdo 3rd party applications that can't really export in another more useful format.
Thing is, Microsoft stopped shipping the standard Access/Excel ODBC drivers in 64-bit Windows 2003. This essentially made this function useless (you could still import CS
Re: (Score:2)
Gadget functionality can be replicated in a number of ways using different platforms, but only Microsoft could have made an updated 64 bit driver for Access/Excel ODBC.
Re: (Score:2)
Why not just send out a patch that prevents Windows from executing code entirely since, you know, it COULD be dangerous.. :|
It's called Windows RT.