Microsoft urges Windows Vista, 7 users to disable desktop gadgets

By on July 11, 2012, 1:30 PM

In a security advisory Tuesday, Microsoft urged Windows Vista and 7 users to download a tool that disables the operating system's sidebar and gadgets. The company warned that insecure gadgets could be used to run arbitrary code on a computer, access its files or display objectionable content. In the event of arbitrary code execution, an attacker could take control of the affected system with the ability to install programs, view, change or delete data, or create new accounts with full user rights.

Unfortunately, Microsoft hasn't detailed the vulnerabilities, when (if?) they'll be addressed or whether systems are actively being exploited in the wild. Some have suggested the advisory is merely an attempt to prepare users for the rumored removal of gadgets in Windows 8. Computerworld offers a more plausible explanation, noting that researchers at the Black Hat security conference in Las Vegas on July 26 plan to outline "interesting attack vectors" for creating malicious Windows gadgets.

As mentioned, Microsoft offers a utility to disable gadgets, but you can also do this manually via Group Policy, which is available on Windows Vista Business, Enterprise and Ultimate as well as Windows 7 Professional, Enterprise and Ultimate. It seems Windows Starter, Home Basic or Home Premium users will simply have to use Microsoft's tool. To disable the sidebar/gadgets manually, open the Group Policy Editor by searching for gpedit.msc via the Start menu or Run, then:

  • Go to Computer Configuration > Administrative Templates > Windows Components > Windows Sidebar (Vista) or Desktop Gadgets (Windows 7)
  • Double-click Turn off Windows Sidebar on Vista or Turn off desktop gadgets on Windows 7, select Enabled in the properties and click OK
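
The Group Policy setting above is stored as a machine-wide registry value, so its state can be audited or set from a script when checking many machines. This is an added example, not code from the article or from Microsoft's tool. It assumes the policy location `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar` with the DWORD value `TurnOffSidebar`, which comes from Microsoft's policy definition rather than from this article, and an elevated PowerShell 2.0 or later prompt.

```powershell
# Added example: audit (default) or set (-Apply) the policy value behind
# "Turn off Windows Sidebar" / "Turn off desktop gadgets".
# Assumption: registry path and value name are taken from Microsoft's
# policy definition, not from the article. Run elevated.
param([switch]$Apply)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
$ValueName = 'TurnOffSidebar'   # DWORD 1 = sidebar/gadgets turned off by policy

function Get-GadgetPolicyState {
    # Returns 'Disabled' when the policy value exists and equals 1,
    # otherwise 'Allowed' (missing key, missing value, or value 0).
    $prop = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($prop -and $prop.$ValueName -eq 1) { return 'Disabled' }
    return 'Allowed'
}

function Set-GadgetPolicyDisabled {
    # Create the policy key if no policy has ever been written to it.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # -Force creates the value or overwrites an existing one as a DWORD.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # Stop any running sidebar.exe so gadgets already on the desktop are closed.
    Get-Process -Name sidebar -ErrorAction SilentlyContinue | Stop-Process -Force
}

"Before: gadgets are $(Get-GadgetPolicyState)"
if ($Apply) {
    Set-GadgetPolicyDisabled
    "After:  gadgets are $(Get-GadgetPolicyState)"
}
```

Run without arguments to report the current state only; add `-Apply` to write the value.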



User Comments: 47

gwailo247, TechSpot Chancellor, said:

Hm. That's kinda not cool. I like my gadgets.

Thanks for giving instructions how to do it in the article!

2 people like this

TomSEA, TechSpot Chancellor, said:

I found gadgets to be interesting for about an hour and a half. Then I found them to be really, really annoying. Haven't turned them back on since I had Vista.

madboyv1, TechSpot Paladin, said:

Umm, no. The few gadgets I do use are helpful to me. I'd sooner take the ones I have and lock them down so they can't do what I don't expect. Oh wait, I do that already.

1 person liked this

abysal said:

I'd have to agree, most of the time they're in the background anyway, so there's not much use for them. Although on a 2nd monitor they are slightly more useful.

2 people like this

spydercanopus said:

Where is the Inspector Gadget when you need him?

MilwaukeeMike said:

"Unfortunately, Microsoft hasn't detailed the vulnerabilities..."

Only unfortunate if you wanted to use them against someone. All the rest of us care about is how to plug the hole.

Matthew, TechSpot Staff, said:

Well Mike, I don't plan to hack anyone and I'd like to know where the hole is. The company wouldn't have to write a how-to on exploiting the flaw to tell you whereabouts it is in the software.

Basic information about vulnerabilities is commonly released by large companies -- Microsoft included. This time around, they merely said "omg, we have bugs... delete your gadgets!"

Judging by that presentation scheduled later this month, hackers already know about it anyway.

gwailo247, TechSpot Chancellor, said:

I would have preferred that they fix whatever needs fixing rather than getting rid of them. Besides, half of the ones are using come from MS themselves. Can't those be secure?

fimbles said:

Don't know what I would do without my gpu observer and cpu monitor.

I'm guessing that since these are the only gadgets I use and they are quite old they should be safe?

Technochicken, TechSpot Paladin, said:

^Same with me, I use gadgets to monitor gpu, cpu, network, and disk usage, and I'd rather not get rid of them. They are quite old, so hopefully they're okay.

MilwaukeeMike said:

"I would have preferred that they fix whatever needs fixing rather than getting rid of them. Besides, half of the ones are using come from MS themselves. Can't those be secure?"

They're probably just playing it safe. I'd prefer the reaction to be 'There's a problem with your gadgets, here install this patch.'

"Well Mike, I don't plan to hack anyone and I'd like to know where the hole is. The company wouldn't have to write a how-to on exploiting the flaw to tell you whereabouts it is in the software."

Yes, but often these hacks are the result of very creative tricks that aren't terribly difficult to pull off (for an experienced hacker), they're just very unique and haven't been thought of before. While it is interesting to know how they work, I understand why they don't give out the details until they have a fix.

Matthew, TechSpot Staff, said:

I'm not saying they don't have valid reasons for withholding the information. Obviously I'm not privy to such knowledge. I'm just defending my stance that it's unfortunate. Many people -- myself included -- would like to know more about the hole, even if it's vague. And to be clear, they haven't released a patch. It's just a tool that disables the gadgets. Perhaps it'll be fixed in next month's Patch Tuesday, but again, no details there either.

Rick, TechSpot Staff, said:

Yes, the "there's a problem, let's disable it for now" solution is a non-solution. It's merely a work around that doesn't actually address the problem itself.

A more surgical approach should be taken.

Microsoft has already shown their disinterest in desktop gadgets anyway, so it wouldn't surprise me if they are satisfied with simply leaving the feature disabled and unsupported entirely, forever.

Kibaruk, TechSpot Paladin, said:

The only thing I run is a system monitoring gadget, I might simply download something to check from the tray but... I'm way too lazy

Ma_ga said:

Or you could use your already trusted gadgets from a trusted source.

I also think it's a strategy to start stripping Windows 7 of features.

spectrenad said:

Rainmeter > Gadgets

[link]

tonylukac said:

@Ma_ga: Like they stripped out the picture resizer that was in xp or the red eye remover from vista in 7. Why is defrag so inferior now? Microsoft, why do you reinvent the wheel each release of windows, and especially of items we had 30 years ago in mainframes? All of that is public domain code.

Xclusiveitalian said:

No matter what, turn them off, they're really useless and slow down your computer big time, especially during boot up

Press start / Type in "Windows Features" / Click on "Turn windows features on or off" / Uncheck "Windows gadget platform"/ Click Ok

Darth Shiv said:

My guess is they run under admin privileges and so have automatic arbitrary execution rights.

Guest said:

So MS is crippling Win7 to get people to move to Win8 it would appear. I smell a class action coming. I paid for the features of Win7, do I get a rebate for having features removed? MS is heading in the wrong direction. BTW, I use dual monitors both at work and home, and I like my gadgets.

Lionvibez said:

I use these 3 CoreTemp, Network Meter, Gpu Observer and don't plan on stopping.

Lionvibez said:

"No matter what, turn them off, they're really useless and slow down your computer big time, especially during boot up

Press start / Type in 'Windows Features' / Click on 'Turn windows features on or off' / Uncheck 'Windows gadget platform' / Click Ok"

Buy an SSD :P

Zen, TechSpot Paladin, said:

For those who really need any type of monitoring tool or tools on your desktop, hard drive stats, CPU usage, RAM usage, Network speeds, both up and down and a wide range of other various monitoring tools. I would strongly recommend switching from Windows Gadgets and Sidebar, to a program called Rainmeter. I've been using it for about 7-8 years now and it is one of the cornerstones of my custom desktops.

Rainmeter

http://rainmeter.net/cms/

If for whatever reason you're a little leery about using something that you do not know, the web site I'm guiding you to has excellent information about the product, and includes a wonderful "how to" guide.

EEatGDL said:

That's kind of ridiculous, I think they meant downloaded gadgets, because I mostly use the one of the cost of the US dollar and the one of memory-CPU usage (generally to see quickly the memory usage without opening Resource Monitor or Task Manager).

Benny26, TechSpot Paladin, said:

Well, I'm not disabling mine, that's for sure. I only use one gadget and it's very important at the moment, plus I've always liked them anyway. Mine's an old one so hoping it will be alright.

Marnomancer said:

I always considered them crap anyway. Never used them. Looks like I wasn't wrong.

Rainmeter all the way!

Guest said:

Guys missing monitoring gadgets, you can use CPUID HWMonitor for time being : http://www.cpuid.com/softwares/hwmonitor.html

SalaSSin said:

@TomSEA:

Exactly! The only thing that cat clock and inaccurate weather app did was slow down my windows startup even more...

Guest said:

I was never really crazy about the gadgets, I did try some but found they only slowed things down. The larger issue is Microsoft offers a feature that many people use and their response to a security issue is don't use the feature. I think they want people to use the Metro interface in Windows 8 and want to get rid of gadgets anyways, which is why they are saying don't use gadgets and why they are not giving additional information. I'm not really crazy about the direction Microsoft is going in general; they seem to be offering fewer choices and just telling users what they can/can't use. This is yet another reason I have been playing around with Ubuntu Desktop 12.04 LTS. I'm slowly learning it and can see it as a viable alternative to Windows, at least on the home front. My only real issue is gaming, which Windows does rule in. If only the gaming industry would start releasing Linux based games, then I'd be set.

Emexrulsier said:

There is a gadget I've always used, it shows things like CPU, RAM, HD stats etc. but weirdly also has built-in radio streaming (out of context really). It's called Computer Status and I love it.

Night Hacker said:

I have one gadget running, the weather gadget. I like it, I paid for it as part of Windows 7 and I expect a fix for any vulnerabilities so I can keep using it and any others that I so choose!

Not that I want to come off blaming Microsoft, I shouldn't have to worry about running the OS of my choice as is. I am sick of these scum bags that write the software that takes advantage of these vulnerabilities and would like to see stiffer penalties against them.

DAOWAce said:

Gadgets, what are those?

I remove them from my OS install when I customize it; never cared about dynamic things on my desktop; I just use a blank back background to avoid distractions and minimize system resource consumption. If I want to see things, I'll load up apps specific for them, not a problem.

EXCellR8, The Conservative, said:

only gadget I use is the Windows CPU meter, which I tricked out to look like actual dash gauges. other than that I really don't use the desktop widgets.

Night Hacker said:

Run! The paranoids are coming!:eek:

HuntForTheWOrst said:

Tbh they were the gadget of my life... for the first 10 minutes, then I got rid of them and never used them again. I don't get the use of them when you can already see the charger of the battery, internet connection, time and date without them, and the currencies, just search them up on Google :P.

Trillionsin said:

Is it just me or do those people who say "My gadgets are very important to me" but don't post this gadget that is so very important?

Last time I looked at those gadgets, I couldn't find anything that another program wouldn't take care of for me.

AIDA64

C'mon guys, list your gadgets so that we can find replacements for your "oh so important" gadgets, and get rid of this useless and annoying feature in Windows.

steve7 said:

I disabled mine ages ago, Rainmeter FTW!

Dustyn said:

So this is really only a security problem if you're using 3rd party gadgets not created by Microsoft, correct? If you use Microsoft owned and created gadgets you're safe? It sounds like it all boils down to whether or not you know just what gadget you are installing, where it came from and do you trust that developer.

Benny26, TechSpot Paladin, said:

"C'mon guys, list your gadgets so that we can find replacements for your 'oh so important' gadgets, and get rid of this useless and annoying feature in Windows."

"Useless and annoying" is an opinion, an opinion I don't share with you. I don't want you to find me a replacement for something that simply doesn't need replacing. It works fine as it is, thanks.(y)

ReederOnTheRun said:

I never really got into my gadgets. They're always in the way, and I never need them enough to warrant them constantly running. It looks like Metro will have apps on it that update when you look at them though. That'll probably be a good improvement.

Night Hacker said:

I only use one of them. A Weather gadget that tells me the temperature. No biggy. Takes you to MSN if you click it. I'm not paranoid about it though, it'll stay. Hey, I'm using Microsoft software, so I'm used to living on the edge.

Guest said:

This is why I use rainmeter...

Guest said:

Microsoft is the biggest letters on the block. They've lied about everything possible you can imagine. Updates to fix certain things have been known to be just lies tricks. They only do things in their interest. It's all about power and money and we are the pawns.

If your computer is working fine your gadgets are fine. You should always use backup software anyway. Then you have nothing to worry about. If your computer went down a couple mouse clicks and you're totally restored. Don't use Microsoft backup either. I honestly could tell you about personal lives I've proven from Microsoft but a little Internet research you will have overwhelming evidence the company is a bunch of pigs.

Guest said:

This is rubbish. I use mine on 3 PCs fine with no issues. This is just Microsoft's really tacky attempt at frightening people off Win 7 and on to 8. Not happening, took me ages to recover from the Vista fiasco, with us reinstalling XP on all our machines, and now this. No, sorry but 7 works fine, no vulnerabilities if the machines are updated and users stay away from dodgy downloads. So MS can go whistle dixie as far as I am concerned. Windows 8 is not going to be forced onto our machines... hell I might even buy a Mac instead...!

Guest said:

This is really informative to secure our system from malfunctioning gadgets and other vulnerabilities. It will be useful for everyone who is reading this.

Guest said:

It's sad M$ is not supporting gadgets anymore. I remember when I found out in its own add page. It said migrate to W8 and use the new app sys instead; I don't think so. I kind of like gadgets overall; at least by principle alone, although I don't use them that much anymore. I like to think of gadgets as "always running links". Now instead of creating a static shortcut; you could make your own pinned sniplet; now called a "gadget"; on its own taskbar like place. Gadgets are a good idea, with a good and simple implementation. They're great for dynamic content that needs to be updated regularly. I believe the vulnerabilities are an extension of what they really are; mini web pages. This has been the way of M$ ever since IE. To integrate the internet into the system. Obv not a good idea; security wise, from the start. Unless your biz is made up of constantly selling to the lusers the "new, improved, and fixed" next ver release; of course. And like any executable code; the only one nearly 100% secure (besides the ones that came preinst), it's the one you developed yourself, in site. Eg, 16MB (a typical usage number) don't seem by much nowadays; but a few years ago it was what video cards had of memory. Anyways, 16MB of a lot of processes, quickly add up to a significant number. So the best one is obv the one not ran at all. So consider that before stating that your megahurtz have been stolen..!

-manigordo

Guest said:

Maybe they could create a hotfix for this problem, just like many others.
