Microsoft has warned that a Gadgets feature included in Vista and later versions of Windows could allow attackers to hijack end-user machines and has taken the unusual step of issuing a temporary update that allows it to be completely disabled.
“An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user,” company officials said in an advisory issued Tuesday. “If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system.” To be successful, they added, “An attacker would have to convince a user to install and enable a vulnerable Gadget.”
Microsoft added the Gadgets feature and an accompanying Sidebar to Windows Vista in hopes of matching the success Apple had with a similar feature called Dashboard, which is included in Mac OS X. It allows end users to add clocks, stock tickers, and other small apps to their desktops. A few weeks ago, Microsoft pulled the plug on its official Gadgets gallery. The page now includes a warning that says, “Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time.”
An accompanying Fix-it, which users are free to use or ignore, is described as a “workaround” and completely disables the Windows Sidebar and Gadgets.
Microsoft didn’t elaborate on the vulnerability or its long-term plans for Gadgets. Tuesday’s advisory thanked “Mickey Shkatov and Toby Kohlenberg for working with us on Gadget vulnerabilities.” The researchers are scheduled to deliver a presentation on July 26 at the Black Hat security conference in Las Vegas titled “We Have You by the Gadgets.”