Disable your Sidebars & Gadgets

Started by Glenn, Jul 14, 2012, 07:03:51

Glenn

Users of Windows Vista and Windows 7 have been advised to completely disable their Windows Sidebar and Gadgets, in response to what appears to be a serious security risk.

http://nakedsecurity.sophos.com/2012/07/12/disable-windows-sidebar-gadgets/
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Technical Ben

Or a hope to bundle people over to Windows 8...  ;)  :whistle:
I used to have a signature, then it all changed to chip and pin.

zappaDPJ

AFAIK Windows 8 doesn't cater for gadgets which is one reason why I may well hold off using it. And I'm certainly not going to disable my sidebar until I can ascertain the level of risk. A bit cart before the horse but switching it off would cause me some genuine grief :-\

Thanks for the heads up though Glenn, it's the first time I've heard about the problem.
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Steve

The warning is quite clear but it would be nice to see some evidence as well. Are all gadgets unsecure? Or are some of them safe? Can MS not be a bit more specific?
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

cavillas

It seems that certain gadgets made by less well-known companies are the culprits. As with all other advice, only use gadgets that you know to come from reliable sources.
------
Alf :)

Niall

I don't like sidebars or gadgets. I turn most things off. My system is as close to Windows 2000 as I can get it, although recently I prefer the translucent taskbar :)
Flickr Deviant art
Art is not a handicraft, it is the transmission of feeling the artist has experienced.
Leo Tolstoy

Technical Ben

Quote from: Steve on Jul 14, 2012, 08:28:03
The warning is quite clear but it would be nice to see some evidence as well. Are all gadgets unsecure? Or are some of them safe? Can MS not be a bit more specific?

They are as unsecure as any program AFAIK. It seems it's Microsoft blowing it out of proportion. "Programs unsecure" should be the headline. :P

Glenn

They can't win, tell the user once they find the problem and Microsoft is blowing it out of proportion, don't tell the user and they get slaughtered.

David

Turned mine off to be on the safe side  :thumb: Thanks Glenn
Many hammer all over the wall and believe that with each blow they hit the nail on the head.

pctech

Have to agree with Glenn, you lot are never happy.


David

Many hammer all over the wall and believe that with each blow they hit the nail on the head.

FritzBox

Hate that sidebar, it's long gone

Steve

I must admit it's something I never found a use for, likewise with Dashboard on the Mac.

zappaDPJ

I'm definitely not happy. I don't like running unsecured PCs and the sidebar provides functionality that is hard to get elsewhere. As an example I use the IDNet gadget to monitor our net usage. With three people hammering the net it's essential that we all know exactly what our usage is on all of our connected devices.

I've done a fair bit of research on this today and the general consensus seems to be that the Microsoft fix 'does not correct the vulnerability, but it may help mitigate the risk against known attack vectors by disabling the Windows Sidebar and Gadgets.' http://www.us-cert.gov/current/ If disabling the sidebar doesn't negate all risks then I guess there's hope Microsoft will provide a proper fix that doesn't just remove functionality.

What I do find slightly odd is it's the first time this has surfaced on something that's been around and in use for many years. As far as I recall the sidebar has never been updated or patched in all that time. I also find it slightly strange that this is being reported as a potential vector for exploitation even though there are no known exploits. Perhaps the potential for exploitation slipped under the radar although I find that highly unlikely. I can't help feeling there's a little more to this than we already know :dunno:

Steve

Quote from: zappaDPJ on Jul 14, 2012, 19:02:56
What I do find slightly odd is it's the first time this has surfaced on something that's been around and in use for many years. As far as I recall the sidebar has never been updated or patched in all that time. I also find it slightly strange that this is being reported as a potential vector for exploitation even though there are no known exploits. Perhaps the potential for exploitation slipped under the radar although I find that highly unlikely. I can't help feeling there's a little more to this than we already know :dunno:

My opinion is that the response is out of proportion to the known facts.

zappaDPJ

Yeah, that does seem quite likely Steve. Disabling O.S functionality to block a threat is something I've never seen before.

Steve

I can see it as a temporary fix, but this seems permanent as they've removed all gadgets from their download section.

Ray

Seems somewhat odd to me too, seeing that several of the AV/Firewall suites install a desktop Gadget to tell you what the program is doing. Kaspersky and Norton certainly install one and I'm fairly certain some of the others do as well. :dunno:
Ray
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Technical Ben

Quote from: Glenn on Jul 14, 2012, 17:30:14
They can't win, tell the user once they find the problem and Microsoft is blowing it out of proportion, don't tell the user and they get slaughtered.

No, that is not what I am suggesting. The sidebar is a program just like any other program on the PC. What difference is there? If it has "hooks" in the OS, then it's MS's fault, not the users'. Not the sidebar gadgets. So I'd put blame and responsibility to fix it on MS. Other programs can do anything a sidebar can (within reason) and have no vulnerabilities associated. For example I have a motherboard driver (which, as it's a driver, adds a massive loophole to security if it is ever made poorly) which shows my CPU temp and stuff. So, if the sidebar is a problem, this driver would also be and so would any desktop graphics suite like Windows Blinds etc. So to me, either all programs have a problem or MS really messed up the gadgets! If it's just the gadgets, then it's MS making something with them not work right. :P

So, for just the gadgets to be a problem, and the only solution to be to disable them, with a weird suggestion MS do not want to fix it, smells fishy. It's either the media sites giving a false impression or MS playing with their customers.  :shake:

[edit]
Apparently from MS themselves.
Quote
Since Gadgets run with the rights of the current user, the vulnerability could allow exploits all the way up to administrative level.

Soooooo, they were stupid enough to give Gadgets Admin rights as standard.  :slap:
Unlike normal programs which the user must give rights to (and thus cannot sue MS anymore for broken systems. ;) ).
Hopefully the fix would be to either remove admin rights (so no more vulnerabilities) or use the normal program rights and allow the users to set which gadget can/cannot have admin rights. Then you can use the weather gadget (with no admin rights) from the site you found on Google, and use that security gadget (with admin rights) from the company you trust explicitly.

gizmo71

Quote from: Technical Ben on Jul 15, 2012, 11:03:01
Other programs can do anything a sidebar can (within reason) and have no vulnerabilities associated.

That's not the point. If an OS vulnerability is exposed because the sidebar happens to use a particular API, and there's no easy quick fix to make the API safe, it would be irresponsible for MS not to take action to eliminate an attack vector for at least as long as it takes to get a proper fix out there when that vector is present by default in every Windows 7 install. The fact that some other applications might also expose the vulnerability isn't something that MS have direct control over, and just turning off whatever APIs are involved might be impractical (and would probably gather more criticism and accusations of MS breaking third party software).

From what I've read about this vulnerability, the reality is that these gadgets are really just downloaded programs; if people exercised the same level of caution about what they installed in the sidebar that they would for 'proper' applications they wouldn't be any more vulnerable.
SimRacing.org.uk Director General | Team Shark Online Racing - on the podium since 1993
Up the Mariners!

Technical Ben

Yep. I'm agreeing with you there, sorry if my post was not clear on it. It's if MS are reluctant to fix it that it becomes suspicious. :P

There are far too many conflicts of interest in big companies these days. Such as the console part not wanting the pc gaming part doing well.  :laugh:

sparkler

I stuck gadgets in a sandbox. Also I expect Metro to get hit as well when Windows is released.

Steve

Aren't Metro Apps the focal point of Windows 8?

Technical Ben

What's the difference between apps and programs anyhow?!?!  :rant2:

sparkler

Quote from: Steve on Jul 16, 2012, 10:04:42
Aren't Metro Apps the focal point of Windows 8?

Yep, they had to put something in to distract from the anti open-source DRM they put in and the fact that it collects login details for US government and corporations to sift through.


Quote from: Technical Ben on Jul 16, 2012, 13:41:56
What's the difference between apps and programs anyhow?!?!  :rant2:

Easy: one starts with an a and the other a p. Also, apps are tightly controlled by companies while programs can be created and distributed freely by open-source projects.