Every year in Las Vegas, hackers and security researchers convene at an event called Black Hat USA. Held at Caesar’s Palace this year, the two-day convention attracts an interesting mix of professionals and “hobbyists.” This year’s speakers range from the former head of the FBI Cyber Crime division to a guy who goes only by the handle NILS.
Among the many topics scheduled for discussion, the charmingly titled “We Have You by the Gadgets” briefing focuses on weaknesses in Microsoft’s Gadget platform. The presenters will speak about their “research into creating malicious gadgets, misappropriating legitimate gadgets, and the sorts of flaws we have found in published gadgets.”
Gadgets are the mini-apps (stock tickers, clocks, weather panels and the like) that live in the Sidebar on Windows Vista and Windows 7. Under the hood a gadget is a small web application: HTML, CSS and JavaScript packaged in a .gadget file and rendered by the Sidebar host process, which runs with the full privileges of the logged-on user rather than inside a restricted sandbox. Gadgets that show live data (stock prices, weather alerts) fetch it from outside sources over the network, so what a gadget does depends both on the code it ships with and on whatever those remote sources send back.
Although the exact nature of the flaws has not yet been made public, Microsoft’s response, detailed in Security Advisory 2719662, is not a patch: it is to turn the Sidebar and all gadgets off completely.
Black Hat’s purported raison d’être is to reveal detailed information about how new security exploits work, and hopefully prod software makers into patching vulnerabilities quickly. If we had to guess, the exploit probably involves a weakness in the walls around the environment in which Gadgets execute code (a design principle referred to by information security professionals as “sandboxing”).
Fortunately, Microsoft has provided a simple fix. Go to the Knowledge Base article for advisory 2719662, click the “Fix It” button marked “Disable Windows Sidebar and Gadgets,” download the file, and run it as an administrator. You will need to restart your computer for the change to take effect. Keep in mind that the Fix It does not repair anything; it simply switches the feature off, and Microsoft publishes a companion “Enable Windows Sidebar and Gadgets” Fix It for the day you want gadgets back.
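For administrators who would rather script the change than click a Fix It, the following PowerShell does the same job in place: it records which gadgets are installed, sets the “turn off Sidebar” policy value the advisory’s workaround section describes, stops any running Sidebar, and checks the result. This is an added example written for this article; it is not Microsoft’s Fix It and not code from the Black Hat presenters. The registry paths, the TurnOffSidebar value name and the gadget install directories are reproduced from memory and should be checked against the advisory before you roll this out.

```powershell
# Added example, not from the article or from Microsoft. Run from an elevated
# (Administrator) PowerShell on Windows Vista / Windows 7. Written to work on
# PowerShell 2.0, the version those systems ship with.
#
# Assumptions (verify against Security Advisory 2719662 before deploying):
#   - the policy key/value below (TurnOffSidebar = 1) is the advisory's registry workaround
#   - gadgets live in the three directories listed in Get-InstalledGadgets

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar',  # machine-wide
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'   # current user
)

function Get-InstalledGadgets {
    # Inventory first: know what you are switching off, and where it came from.
    $dirs = @(
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Sidebar\Gadgets'),   # per-user installs
        (Join-Path $env:ProgramFiles 'Windows Sidebar\Gadgets'),            # built-in gadgets
        (Join-Path $env:ProgramFiles 'Windows Sidebar\Shared Gadgets')      # shared installs
    )
    foreach ($d in $dirs) {
        if (-not (Test-Path $d)) { continue }
        Get-ChildItem -Path $d | Where-Object { $_.PSIsContainer -and $_.Name -like '*.gadget' } |
            ForEach-Object {
                # Every gadget package carries a gadget.xml manifest with its display name.
                $manifest = Join-Path $_.FullName 'gadget.xml'
                $name = '(no manifest)'
                if (Test-Path $manifest) { $name = ([xml](Get-Content $manifest)).gadget.name }
                New-Object PSObject -Property @{ Name = $name; Path = $_.FullName }
            }
    }
}

function Disable-Sidebar {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'TurnOffSidebar' -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # The policy is read when the Sidebar starts, so kill any instance already running.
    Get-Process -Name sidebar -ErrorAction SilentlyContinue | Stop-Process -Force
}

function Enable-Sidebar {
    # Reverse of Disable-Sidebar: remove the policy value; the Sidebar comes back at next logon.
    foreach ($key in $PolicyKeys) {
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name 'TurnOffSidebar' -ErrorAction SilentlyContinue
        }
    }
}

function Test-SidebarDisabled {
    # True only if the policy value is set somewhere AND no sidebar.exe is running.
    $policySet = $false
    foreach ($key in $PolicyKeys) {
        $v = Get-ItemProperty -Path $key -Name 'TurnOffSidebar' -ErrorAction SilentlyContinue
        if ($v -and $v.TurnOffSidebar -eq 1) { $policySet = $true }
    }
    $running = [bool](Get-Process -Name sidebar -ErrorAction SilentlyContinue)
    return ($policySet -and -not $running)
}

Write-Output 'Installed gadgets before the change:'
Get-InstalledGadgets | Format-Table Name, Path -AutoSize

Disable-Sidebar
if (Test-SidebarDisabled) {
    Write-Output 'Sidebar policy applied; restart or log off so it takes effect for every session.'
} else {
    Write-Output 'Policy not applied. Are you running from an elevated PowerShell?'
}
```

The inventory step is there on purpose: the advisory’s concern is gadgets from untrusted sources, and the per-user directory is where those end up, so capturing the list before you disable the feature tells you whether anything unexpected was ever installed. Enable-Sidebar mirrors the “Enable Windows Sidebar and Gadgets” Fix It for when you need to roll back.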