Microsoft, Yahoo say kill desktop gadgets now!
Ever since I purchased a new Vista-64 computer several years ago, I have enjoyed using several of Microsoft’s desktop gadgets and Yahoo’s desktop widgets. In recent years, I have written several columns extolling the joys of widgets and gadgets, and telling where to find them. Widgets and gadgets are small utilities that can be placed on a Windows or Mac desktop and provide the user with current information of some kind. Yahoo offered more than 6,000 free widgets, and Microsoft offered thousands of gadgets.
While I currently have many gadgets and widgets running on my desktop and continue to use them and enjoy them, I will probably have to digitally kill them in the next few days.
At the Black Hat USA 2012 hacker conference, there will be a public presentation by two hacker experts on how to take over a computer running gadgets, and this exploit will become instantly available to anyone. According to the Black Hat program Web site (www.blackhat.com), the July 26 conference will address the Windows gadget platform and the “nastiness” that can be done with it, how gadgets are made and distributed, and their weaknesses.
“Gadgets are comprised of JS, CSS and HTML and are applications that the Windows operating system has embedded by default,” the site says. “As a result, there are a number of attack vectors that are interesting to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets.”
Gadgets and widgets use a type of push technology, which allows content providers to continuously send data to your desktop. The widget that I probably utilize more than any other is the excellent Yahoo widget “TV Navigator,” which displays continuously updated localized TV listings and is fully customizable for TV provider (cable, satellite, off the air, etc.), favorite shows, integration with various calendar and reminder utilities, and other useful features. I also have a Wunderground gadget that displays current local weather conditions and forecasts, a gadget that shows the ever changing daily deals from my favorite “deal of the day” Web sites, a gadget that provides a near real-time display of current stock quotes and news, and a gadget that displays the real-time workload on each of the cores of my quad-core CPU chip as well as memory utilization.
While the technology is proven and well established with countless millions of users, the same push technology used by the providers has been discovered by hackers, crackers and other miscreants, allowing them to directly access a computer with widgets and gadgets installed and running. A simple analogy would be something akin to listening to your kids playing in the front yard, and having the door open; with the door open, you can hear the kids and watch them as desired. But while your front door is open, burglars can enter your house and steal your possessions. In a simplistic way, that is the problem with widgets and gadgets; since our firewalls and other protective barrier software allow the widgets to receive data via this open door, miscreants and crooks might now be coming in through that open door.
Microsoft, in security advisory 2719662 dated July 10, 2012 (“Vulnerabilities in Gadgets Could Allow Remote Code Execution”), is warning users to kill any widgets and gadgets that may be running and possibly never run them again. This advisory and the related Knowledge Base article apply to all computers running Windows 7 or Windows Vista (support.microsoft.com/kb/2719662). Microsoft has shut down its extensive library of gadgets and no longer allows any to be downloaded from Microsoft, but several third parties still offer gadgets for download.
According to Microsoft, “An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The answer might be to kill all of the gadgets (from Microsoft or third parties) running on a PC and prevent them and any others from ever again loading (unless explicitly re-enabled by the user). Microsoft has released a free “FIX IT” utility that can stop any of the Microsoft gadgets (and sidebars) that may be running on a Windows 7 or Vista computer, and prevent any gadgets from ever loading, thus closing and locking the door. If at some future date the user wants to re-allow gadgets, another “FIX IT” utility can resurrect the gadgets. Individual gadgets can be uninstalled by right-clicking on an empty spot on the desktop, clicking on “Gadgets,” then right-clicking on a gadget and selecting “Uninstall.”
Yahoo has also taken down its extensive library of widgets and no longer allows any of the widgets to be downloaded. To stop any Yahoo widgets from loading (if you are using any), simply stop the Yahoo! Widgets control utility from loading when the computer boots: use any startup manager or Microsoft’s built-in Msconfig utility and uncheck the box adjacent to “Yahoo! Widgets” in the list of startup programs. Msconfig can be accessed by clicking on Start and then Run, typing “msconfig” (without the quotes) and clicking OK; then click on the “Startup” tab. Stopping the widgets utility from loading will block the “push access” via that route. For maximum security, the widget utility itself can be uninstalled by going to the system utility “Add/Remove Programs” and uninstalling the Yahoo! Widget utility. Once uninstalled, you might never be able to reinstall it, as Yahoo no longer offers it for download.
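As an added example (not part of the original column, and not Microsoft's or Yahoo's code), here is a read-only Windows PowerShell check of whether the steps above took effect on a Vista or Windows 7 PC. The policy value TurnOffSidebar, the sidebar process name and the gadget folder locations are assumptions taken from Microsoft's documented registry workaround and the default install paths, not from this column.

```powershell
# Read-only audit of gadget/widget exposure; it changes nothing on the system.
# Written for Windows PowerShell 2.0 (Vista / Windows 7), hence Get-WmiObject.
# Assumed, not from the column: the policy value name and the gadget folders.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'

function Test-SidebarDisabled {
    # True only when the machine-wide "turn off Sidebar" policy value is 1
    $p = Get-ItemProperty -Path $policyKey -Name TurnOffSidebar -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.TurnOffSidebar -eq 1)
}

function Get-InstalledGadget {
    # Gadgets are folders ending in .gadget, stored per user and system-wide
    $roots = @(
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Sidebar\Gadgets'),
        (Join-Path $env:ProgramFiles 'Windows Sidebar\Gadgets')
    )
    foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root |
                Where-Object { $_.PSIsContainer -and $_.Name -like '*.gadget' } |
                Select-Object Name, FullName, LastWriteTime
        }
    }
}

function Get-WidgetStartupEntry {
    # Startup items (the same list Msconfig shows) that mention Yahoo! Widgets
    Get-WmiObject -Class Win32_StartupCommand |
        Where-Object { $_.Name -like '*Yahoo*Widget*' -or $_.Command -like '*Yahoo*Widget*' } |
        Select-Object Name, Command, Location, User
}

# A Sidebar process still running means gadgets are still live in this session
$running = @(Get-Process -Name sidebar -ErrorAction SilentlyContinue)

"Sidebar disabled by policy : {0}" -f (Test-SidebarDisabled)
"Sidebar process running    : {0}" -f ($running.Count -gt 0)
"Installed gadgets:"
Get-InstalledGadget | Format-Table -AutoSize
"Yahoo! Widgets startup entries:"
Get-WidgetStartupEntry | Format-Table -AutoSize
```

A clean result is "True" for the policy line, "False" for the process line after the reboot, and no Yahoo! Widgets startup entries; gadget folders left on disk are inert while the policy is set.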
In the informational blog “Windows Secrets” (windowssecrets.com/top-story/kill-those-vista-and-win7-gadgets-now), Woody Leonhard said, “Microsoft invented a poison pill, disguised as a Fixit in MS Support article 2719962. You’ll find two Fixit buttons halfway down the page: one to disable the Sidebar and gadgets and another to enable them (which might be useful if Microsoft provides an actual patch for the vulnerability). ... Do it now, while you’re thinking about it. The Fixit doesn’t take much time, but a system reboot is required to enable it. Warn your friends: This could turn into something nasty very quickly.”
I will be killing all of my widgets and gadgets because it is only a matter of (short) time before the bad guys will be attacking computers with this vulnerability, if they are not already doing so. I will shed a tear because I will really miss my pet widgets and gadgets that I have become so attached to. RIP, my dear widgets and gadgets; you will sorely be missed by those of us who have enjoyed your companionship for so many years. Goodbye, widgets. Goodbye, gadgets.
Listen to Ira Wilsker’s weekly radio show on Mondays from 6-7 p.m. on KLVI 560AM.