On October 22, I posted a blog here entitled “Interesting Adventures with iCloud and Outlook 2013” wherein I recounted some difficulties with making those two software components play nice with each other in the immediate aftermath of my upgrade from Windows 8.0 to 8.1 on my production machine. Having now waiting a little over two weeks for more collective wisdom to coalesce online, I’ve found my way to a solution of those difficulties.
I’m now using the iCloud service, trying to get better synergy between my desktop and notebook PCs running Windows (8 or 8.1) and my iPhone and iPad (now both running iOS 7). By and large things are going reasonably well, but I noticed some glitches in the past few days after upgrading my production desktop to Windows 8.1 GA (from the September version of the 8.1 called RTM). I wasn’t expecting too much to change between RTM and GA, and mostly that’s been a sustainable supposition, but a few things have changed in surprising ways. And alas, some of those changes have not been for the better…
Case in point: I recently installed the iCloud Control Panel applet on my production desktop, when that system was running Windows 8.1 RTM. To my immense suprise, when I next went to visit My Contacts in Outlook 2013, the contents of the local My Contacts folder was empty. But because I could access the same information online through the iCloud folder instead, I thought to myself at the time “Good thing I’ve got a backup” and also “I can’t believe they decided to remove local data altogether instead of synching local and remote copies.”
That’s why I wasn’t completely bollixed when, in the wake of the 8.1 RTM-to-GA update, iCloud stopped working in Outlook 2013. Instead of accessing the cloud version of my contact data, when I click on iCloud in the Contacts view in Outlook, I get an error message window that reads: “This set of folders cannot be opened. The information store could not be opened.”
So what did I do? I went to my backup PST file and used the Import command to grab the Contacts folder from that file and bring it back into the local copy inside the resident PST file on my production desktop. I got my contacts back without too much fuss and bother, but I still can’t help wondering, yet again: Why did Apple decide to take the only copy of the data and put it in the cloud, so that if you lose access to the Internet (or in this case to the necessary “information store” on the Internet) you can’t access your contact data, either. Not at all.
I have trouble understanding how a software designer could cobble together a system that could so easily deprive a person of his or her contacts. For those of us who, like me and countless others, depend on that information for their livelihoods, that kind of catastrophic loss of access is simply not acceptable. In my case, I knew exactly how to work around it. But I know many others who would be crushed by this loss, and who might not have a backup PST file from which to pull the information. It’s still accessible, by the way, through a login to iCloud.com on my account there — it’s just no longer programmatically accessible to Outlook, for whatever arcane reason broke the Outlook to iCloud connection.
Sure hope Apple or MIcrosoft, or the two of them in tandem, get this fixed sometime soon! I’d also suggest that they give users the option of creating a local backup during the iCloud install process, with some instructions on how to restore that backup should it become necessary. It wouldn’t take much extra effort, though it could confer considerable increased peace of mind.
Since the introduction of Windows Vista in 2006, Windows Gadgets have made colorful and useful additions to Windows desktops everywhere. At this moment, Windows Gadgets work on Windows 8 as well as on Windows 7 and Windows Vista. But a planned discussion of profound security vulnerabilities in the Gadget architecture at the upcoming Black Hat DEFCON Conference(July 21-26, Caesars Palace) appears to spell doom for these desktop denizens.
What you see in the screen capture to the left comes from one of my Windows 8 test machines running the Release Preview: my Lenovo X220 Tablet with touchscreen. I’ve found the CPU Usage and Network Meter gadgets from AddGadgets.com to be particularly useful over the years. I also use the analog clock that’s built into the Windows base gadget set, and a handy little gadget called Shutdown as well. That last item is useful because I tend to remote into my test (and other family member) PCs over the network, and it gives me the ability to shut down or restart those machines quickly and easily through a remote desktop session.
But as security researchers Mickey Shkatov and Toby Kohlenberg have discovered (as reported by Ryan Naraine “Security flaws signal early death of Windows Gadgets,” ZDNet), the gadget interface is rife with points of vulnerability that could lead to attack. Hackers could, in fact, take over a system through a malicious gadget foisted on unsuspecting users, or by direct attack on gadgets already running on a Windows desktop. From there, a successful exploit could lead to the attacker obtaining the same level of system privileges and access that attaches to the current logged-in user account. Because so many users routinely log in with system admin privileges, this effectively transfers complete system control to the attacker.
The details aren’t completely clear yet — I guess we’ll have to wait for the presentation and demonstration at DEFCON — but Microsoft has already issued a security advisory (Vulnerabilities in Gadgets could allow remote code execution). This web page includes two “Fix It” tools numbered 50906 and 50907. Because MS fails to describe what these tools do, I learned by experimentation that 50906 disables gadgets (and the Windows Sidebar in Vista), while 50907 turns them back on again.
It might be simpler for users with admin privileges who manage their own systems to simply remove all gadgets from their desktops, and not to add any new ones. I’m not sure it’s necessary to disable underlying support for gadgets if none are running. Apocalyptic warnings aside, I’m going to leave my gadgets up and running until more information emerges from the upcoming DEFCON conference. I need to better my understanding of the nature of the vulnerabilities that already-installed gadgets can pose before I do anything more. Frankly, I’m not sure that a gadget I’ve been using for years actually poses a security risk on my heavily firewalled home network, so I’m willing to wait and learn more about the potential risks of ongoing exposure before I wipe my desktops clean of these helpful bits of software.
It is interesting to understand that Microsoft will do away with the gadget interface, rather than attempting to repair its security issues. The company had already indicated it was deprecating gadgets in Windows 8 (though I discovered to my relief that they still worked on the Developer Preview release late last year, and have continued to use them anyway). However, it now seems likely that they will disable the Gadget interface in the upcoming RTM and GA releases for Windows 8. Thus, production versions of the new OS cannot fall prey to whatever security vulnerabilities gadgets might pose. It should be interesting to mull over what these researchers have learned, and what they’ll reveal, to decide if even trusted gadgets must go on Windows Vista and 7.
I am sorry to see this happen to gadgets. If it turns out they must be removed from my desktops, I’ll also be sorry to see them go. I’ll report back again later this month after the word on gadget vulnerabilities comes out in more detail.
[Note added on 11/18/2013: Thanks to an article I read recently by Deb Shinder, as recounted in a recent post to my Windows Enterprise Desktop blog entitled “Say! You CAN user Gadgets in Windows 8…” I’m very pleased to report that, thanks to 8GadgetPack, you can restore and use Gadgets in the Windows 8 and 8.1 environments. Whoopee! You may do this at your pleasure; I am doing it on several of my Windows 8 and 8.1 machines already.]