By Woody Leonhard, Columnist

Time to kill (most) Windows Gadgets

Analysis | Jul 31, 2012

Good-bye, Gadgets: A Microsoft Security Advisory and FixIt disables Windows Gadgets in Vista and Windows 7

Gadgets, those little mini apps that sit on the Windows desktop, have a small but devoted following. But it’s clear that Microsoft now views Gadgets as security vulnerabilities that should be done away with posthaste.

Earlier this month Microsoft released Security Advisory 2719662 which, together with an associated FixIt, disables Windows Sidebar and Gadgets on Vista and Windows 7 machines. The intent is to “help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets. In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time.”

The Security Advisory thanks former Intel employees Mickey Shkatov and Toby Kohlenberg, who last week at the Black Hat conference gave a presentation (PDF) called “We have you by the gadgets,” which delved into many security problems with Gadgets and the Windows Sidebar program that supports them.

Microsoft, which has been gunning for Gadgets for a long time, shut down support for third-party Gadgets last October. Of course, it’s in Microsoft’s best interests to move people away from the old Gadgets and on to Windows 8’s Metro Start screen, which takes the Gadgets concept into a new dimension. At the time Microsoft dropped Gadget support, the old Gadget website said, “With Windows Developer Preview [the current version of Windows 8 at the time], developers can create rich app experiences where customers focus on their important tasks. Apps are at the center of the Windows Developer Preview experience and are alive with activity and vibrant content. Users immerse themselves in your full-screen app while Windows gracefully gets out of the way.”

That piece of marketing fluff has been replaced by a slightly less breathless, “Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery… Some info for developers: You can now use your HTML5, CSS3, and JavaScript skills to build Metro-style apps for Windows 8 Release Preview.”

Many people have written to me, asking if they really, really need to kill all their Windows Gadgets. Some people like having multiple analog clocks on their desktops; others appreciate the simplicity of the dual-dial Windows activity monitor; more than a few have a favorite stock ticker Gadget that keeps them on top of the market while only taking up a small part of the Windows desktop.

While Microsoft has a vested interest in getting Windows customers to move to Windows 8, many people figure they aren’t going to be upgrading any time soon. So why, they ask, should they ditch Gadgets they’ve been using for years, when there haven’t been any major warnings — much less infections — until now?

It’s a fair question, and to get a straight answer I took a close look at Shkatov and Kohlenberg’s paper. Here’s what I found.

Gadgets are generally written in HTML, XML, CSS, and/or JavaScript. “Gadgets should be thought of as essentially being a website that is run from the Windows desktop with some advanced capabilities and additional APIs being made available to increase functionality.” All Windows 7 Gadgets run together inside a single process called Sidebar, and the Sidebar process provides them with all necessary services.

While Gadgets work a lot like Web pages, running on the desktop, they aren’t subject to many of the restrictions that normal Web pages encounter. Shkatov and Kohlenberg give one frightening example: By default, Gadgets can call up any ActiveX control. Gadgets run with standard user privileges and are prohibited from requesting UAC approval for any Administrator actions — but the Gadget can run a locally installed application, and that application can raise a UAC prompt.

Perhaps the biggest vulnerability lies in the way Gadgets are given free rein when interacting with the Internet. Browsers have built-in protection against cross-domain hijacking, code injection, or man-in-the-middle attacks. Gadgets don’t have any of that protection.

More damning, antivirus products aren’t particularly adept at identifying malicious Gadgets. “[B]y design a gadget can perform actions exactly like a traditional compiled executable but operate under a completely different scope within the Sidebar process. Simply put, a gadget can do all that an executable can, without being considered as executable by the antivirus software,” according to Shkatov and Kohlenberg’s paper.
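Since antivirus won’t flag a Gadget as an executable, the practical defensive move is to look at what a Gadget’s own HTML and JavaScript actually do. The script below is an added illustration, not code from this column or from the Black Hat paper: it performs a static triage of Gadget sources for the capability classes described above (ActiveX instantiation, launching local programs, unencrypted network feeds, and fetched feed content injected as markup or code, which is the stock-ticker scenario). The `ActiveXObject` constructor and the Sidebar API call `System.Shell.execute`, and the packaging of a `.gadget` file as a ZIP containing HTML/JS, are assumptions about the Sidebar platform; the three sample Gadgets are constructed for this example and the script also accepts a real `.gadget` package path.

```python
"""Static risk triage for Windows Sidebar Gadget sources (added example).

A Gadget is essentially a web page with extra APIs, so its risk can be read
from its HTML/JS: does it instantiate ActiveX, launch local programs, pull
data over plain HTTP, or render fetched data as markup/code?  Sample Gadget
sources below are constructed; API names are assumptions about the platform.
"""
import re
import zipfile
from dataclasses import dataclass

# kind -> (pattern, human-readable description)
RISK_PATTERNS = {
    "activex": (re.compile(r"new\s+ActiveXObject\s*\(", re.I),
                "instantiates an ActiveX control (assumed API)"),
    "shell_exec": (re.compile(r"System\.Shell\.execute\s*\(|WScript\.Shell", re.I),
                   "launches a local program (assumed API)"),
    "plain_http": (re.compile(r"""["']http://""", re.I),
                   "fetches data over unencrypted HTTP"),
    "feed_as_code": (re.compile(r"\beval\s*\(|\.innerHTML\s*=", re.I),
                     "injects fetched content as markup or code"),
}


@dataclass
class Finding:
    gadget: str
    file: str
    line: int
    kind: str
    detail: str


def scan_source(gadget: str, fname: str, text: str) -> list:
    """Return one Finding per (line, pattern) hit in a single source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, (pat, desc) in RISK_PATTERNS.items():
            if pat.search(line):
                findings.append(Finding(gadget, fname, lineno, kind, desc))
    return findings


def risk_level(findings: list) -> str:
    """Collapse findings into low / medium / high.

    ActiveX or shell execution alone is high.  A plaintext feed that is then
    rendered as markup or eval'd is also high: anyone who can tamper with
    the feed gets code execution inside the Sidebar process.
    """
    kinds = {f.kind for f in findings}
    if kinds & {"activex", "shell_exec"}:
        return "high"
    if {"plain_http", "feed_as_code"} <= kinds:
        return "high"
    return "medium" if kinds else "low"


def triage(gadgets: dict) -> dict:
    """gadgets: {name: {filename: source}} -> {name: (level, findings)}."""
    report = {}
    for name, files in gadgets.items():
        findings = []
        for fname, text in files.items():
            findings.extend(scan_source(name, fname, text))
        report[name] = (risk_level(findings), findings)
    return report


def scan_package(path: str) -> tuple:
    """Triage a real .gadget file (assumed to be a ZIP of HTML/JS/XML)."""
    files = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".html", ".htm", ".js")):
                files[info.filename] = zf.read(info).decode("utf-8", "replace")
    return triage({path: files})[path]


# Constructed sample Gadgets: a self-contained clock, a stock ticker that
# renders a plain-HTTP feed as HTML, and a "launcher" that uses ActiveX.
SAMPLE_GADGETS = {
    "Analog Clock": {"clock.js": (
        "function tick() {\n"
        "  document.getElementById('face').textContent = new Date().toString();\n"
        "}\nsetInterval(tick, 1000);\n")},
    "Stock Ticker": {"ticker.js": (
        "var xhr = new XMLHttpRequest();\n"
        "xhr.open('GET', 'http://quotes.example.invalid/feed');\n"
        "xhr.onload = function () {\n"
        "  document.getElementById('quotes').innerHTML = xhr.responseText;\n"
        "};\nxhr.send();\n")},
    "Launcher": {"main.html": (
        "<script>\n"
        "var sh = new ActiveXObject('WScript.Shell');\n"
        "sh.Run('calc.exe');\n"
        "</script>\n")},
}

if __name__ == "__main__":
    for name, (level, findings) in triage(SAMPLE_GADGETS).items():
        print(f"{name}: {level}")
        for f in findings:
            print(f"  {f.file}:{f.line} [{f.kind}] {f.detail}")
```

The clock comes out `low`, the ticker `high` (plaintext feed rendered via `innerHTML`), and the launcher `high` (ActiveX). The heuristics are deliberately coarse: they tell you which third-party Gadgets deserve a closer look before you decide whether to keep them, which is exactly the judgement the column asks readers to make.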

All of that leads to three recommendations:

  • If you use Gadgets, only use Gadgets from trusted sources.
  • If you develop Gadgets, get out of the business and move on to Metro.
  • If you don’t use Gadgets, use Microsoft’s FixIt to make it impossible to accidentally install one.

Although other people have come to different conclusions, to me the takeaway is pretty simple: If you stick with the Gadgets that Microsoft developed years ago — the analog clock, CPU meter, currency converter, and weather Gadgets for example — you’re fine. But if you’re using Gadgets from a third party, you’re taking a gamble.

My favorite example is the stock ticker. Several financial firms offer stock ticker Gadgets, and I’m sure they were developed with all good intent. But I’m deleting mine because I’m not entirely sure its Internet connection is safe. If someone figured out how to run a code injection through the real-time feed on that Gadget, it could hurt.

It isn’t a question of intent. There are hundreds of perfectly usable Gadgets that aren’t malicious, don’t use hijackable techniques, and were created with the purest of motivations. But unless they were made with strict security controls in mind, they might be subverted. That’s just too big a risk.

This story, “Time to kill (most) Windows Gadgets,” was originally published at InfoWorld.com.