Since the introduction of Windows Vista in 2006, Windows Gadgets have made colorful and useful additions to Windows desktops everywhere. At this moment, Windows Gadgets work on Windows 8 as well as on Windows 7 and Windows Vista. But a planned discussion of profound security vulnerabilities in the Gadget architecture at the upcoming Black Hat DEFCON Conference(July 21-26, Caesars Palace) appears to spell doom for these desktop denizens.
What you see in the screen capture to the left comes from one of my Windows 8 test machines running the Release Preview: my Lenovo X220 Tablet with touchscreen. I’ve found the CPU Usage and Network Meter gadgets from AddGadgets.com to be particularly useful over the years. I also use the analog clock that’s built into the Windows base gadget set, and a handy little gadget called Shutdown as well. That last item is useful because I tend to remote into my test (and other family member) PCs over the network, and it gives me the ability to shut down or restart those machines quickly and easily through a remote desktop session.
But as security researchers Mickey Shkatov and Toby Kohlenberg have discovered (as reported by Ryan Naraine “Security flaws signal early death of Windows Gadgets,” ZDNet), the gadget interface is rife with points of vulnerability that could lead to attack. Hackers could, in fact, take over a system through a malicious gadget foisted on unsuspecting users, or by direct attack on gadgets already running on a Windows desktop. From there, a successful exploit could lead to the attacker obtaining the same level of system privileges and access that attaches to the current logged-in user account. Because so many users routinely log in with system admin privileges, this effectively transfers complete system control to the attacker.
The details aren’t completely clear yet — I guess we’ll have to wait for the presentation and demonstration at DEFCON — but Microsoft has already issued a security advisory (Vulnerabilities in Gadgets could allow remote code execution). This web page includes two “Fix It” tools numbered 50906 and 50907. Because MS fails to describe what these tools do, I learned by experimentation that 50906 disables gadgets (and the Windows Sidebar in Vista), while 50907 turns them back on again.
It might be simpler for users with admin privileges who manage their own systems to simply remove all gadgets from their desktops, and not to add any new ones. I’m not sure it’s necessary to disable underlying support for gadgets if none are running. Apocalyptic warnings aside, I’m going to leave my gadgets up and running until more information emerges from the upcoming DEFCON conference. I need to better my understanding of the nature of the vulnerabilities that already-installed gadgets can pose before I do anything more. Frankly, I’m not sure that a gadget I’ve been using for years actually poses a security risk on my heavily firewalled home network, so I’m willing to wait and learn more about the potential risks of ongoing exposure before I wipe my desktops clean of these helpful bits of software.
It is interesting to understand that Microsoft will do away with the gadget interface, rather than attempting to repair its security issues. The company had already indicated it was deprecating gadgets in Windows 8 (though I discovered to my relief that they still worked on the Developer Preview release late last year, and have continued to use them anyway). However, it now seems likely that they will disable the Gadget interface in the upcoming RTM and GA releases for Windows 8. Thus, production versions of the new OS cannot fall prey to whatever security vulnerabilities gadgets might pose. It should be interesting to mull over what these researchers have learned, and what they’ll reveal, to decide if even trusted gadgets must go on Windows Vista and 7.
I am sorry to see this happen to gadgets. If it turns out they must be removed from my desktops, I’ll also be sorry to see them go. I’ll report back again later this month after the word on gadget vulnerabilities comes out in more detail.