Slashdot Mirror


Microsoft Kills Windows Gadgets Via Security Update

benfrog writes "Microsoft has taken the unusual step of killing the Windows Gadgets feature completely via a security update. According to an advisory issued Tuesday, an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget. Microsoft has pulled the plug on its official Gadgets Gallery and is offering a Fix-it that completely disables the Windows Sidebar and Gadgets. Researchers Mickey Shkatov and Toby Kohlenberg are scheduled to give a presentation on the vulnerability at the upcoming Black Hat conference called We Have You By the Gadgets."

161 comments

  1. Misinformed Title by Mike+Wag · · Score: 5, Informative

    Slashdot's title gives the idea that Microsoft is using Windows Update to disable gadgets while in fact they are not. The article, however, is correct so this is just Slashdot trying to be sensationalist.

    What Microsoft is giving is a 'Fix It' executable on their website. These are entirely optional and are proactively downloaded and enabled by users. They also contain the full info of what they do.

    As for the "vulnerability", well, duh. You download executable code, you might get pwnd. Even Chrome warns you that addons can pwn your system.

    1. Re:Misinformed Title by ackthpt · · Score: 3, Insightful

      Slashdot's title gives the idea that Microsoft is using Windows Update to disable gadgets while in fact they are not. The article, however, is correct so this is just Slashdot trying to be sensationalist.

      What Microsoft is giving is a 'Fix It' executable on their website. These are entirely optional and are proactively downloaded and enabled by users. They also contain the full info of what they do.

      As for the "vulnerability", well, duh. You download executable code, you might get pwnd. Even Chrome warns you that addons can pwn your system.

      Some of us are the beneficiaries of updates pushed out to us by IT departments where they take whatever Microsoft puts up, without much reading, because they don't know who they might step on.

      But your point is well taken.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Misinformed Title by fuzzyfuzzyfungus · · Score: 1

      I'm no Microsoft fan; but this sort of thing is common enough (especially among what I imagine Slashdot's readership to be), that I'd expect better.

      For better or for worse, MS is eyeballs-deep in the corporate market, which generally doesn't give a fuck about the cube drones' desire to have a shiny clock wasting 50 pixels on whatever screen was cheap from Dell 3 years ago; but does care about getting 0wn3d.

      For this reason, while they adopt a somewhat milder hand toward home users with autoupdate on, MS more or less continually offers fairly draconian 'apply this to axe $EXPLOITABLE_FEATURE' packages to their IT minions in the corporate world.

    3. Re:Misinformed Title by Sc4Freak · · Score: 5, Informative

      This is a fix-it update, which doesn't appear through windows update and isn't pushed out through WSUS...

    4. Re:Misinformed Title by Anonymous Coward · · Score: 0

      I think you'll find that the security community uses the term very actively (and no, by security community I don't mean the myg0t forums), so you're the only one being an ignorant child here.

    5. Re:Misinformed Title by jellomizer · · Score: 3, Insightful

      But we want Microsoft to be EVIL and Blundering. As we giggle in glee of all of Microsoft's Mistakes knowing these are mistakes of Pure Evil. While we use our own Pure OS, which by the nature of the fact that we chose to run it, is Good and infallible (unless it in some ways has been corrupted), but would be quickly purified by the forces of good. While the same problem by Microsoft is part of a devious plot to keep its corruption to an all time high.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:Misinformed Title by Anonymous Coward · · Score: 1

      I know you were modded "Troll", but I just looked at your link and there is a Mike Wag and a Jenny Wag whose userids are only 2 away from each other (2683017 and 2683019). And their comment history shows them commenting only in this thread and saying almost exactly the same thing. Looks fishy to me.

    7. Re:Misinformed Title by Dog-Cow · · Score: 5, Insightful

      And even if it was, it wouldn't matter. IT departments that push patches indiscriminately deserve any negative feedback they get.

    8. Re:Misinformed Title by Jesus_C_of_Nazareth · · Score: 0

      People pretending to be who they are not is pretty annoying. I won't send the to Hell, but certainly they won't be getting top shelf liquor in Heaven. Good news though. You're getting the good stuff!
      JC

      --
      JC
    9. Re:Misinformed Title by Tarlus · · Score: 0

      I bet that gets lots of 'lolz'

      We call them "lulz" now.

      --
      /* No Comment */
    10. Re:Misinformed Title by hairyfeet · · Score: 1, Troll

      Not only is it bullshit I'd say it's just one more move to try to get people to move over to Win 8. I mean who DIDN'T KNOW that running an executable as admin is a BAD THING, hmm? Are MSFT honestly trying to get us to believe that they don't even have enough common sense to keep malware off their own damned site? If so, their security team should be fucking ashamed of themselves!

      Most of my users use gadgets and I will be telling them to simply ignore this, because they already have the gadgets they want. But I'm sure MSFT figured out that if you wanted your OS to be a tweeting twitting FB shitting social OS like Win 8 you could just use the gadgets in Win 7 so what do they do? Why, let's get rid of the gadgets! Are you HONESTLY telling me you just NOW figured out gadgets run as admin from untrusted sites could be bad MSFT, really? Because I find that frankly unbelievable. I know I won't be giving up MY gadgets and I seriously doubt any of my customers will either.

      Just one more dick move by MSFT to get functionality that could compete with Win 8 out of Win 7. I have a feeling as the run up to Win 8 gathers steam we'll all have to watch like hawks for more "security updates" that tie a fucking boat anchor to Win 7 to try to make win 8 look better. If you are gonna spout horseshit MSFT, at least TRY to make it believable horseshit, mmmkay?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re:Misinformed Title by gorzek · · Score: 2

      Amazing how you figured that out within a minute of this being posted, yet the Slashdot "editors" apparently didn't even bother to check. These people get paid, don't they??

    12. Re:Misinformed Title by Ossifer · · Score: 1

      Don't trust anyone with a seven-digit uid.

    13. Re:Misinformed Title by datavirtue · · Score: 0

      PWN is here to stay!

      --
      I object to power without constructive purpose. --Spock
    14. Re:Misinformed Title by rodrigoandrade · · Score: 4, Funny

      I won't send the to Hell

      Please do; I'm afraid I'll not be able to kill Diablo on my own this time.

    15. Re:Misinformed Title by Anonymous Coward · · Score: 0

      Some of us are the beneficiaries of updates pushed out to us by IT departments where they take whatever Microsoft puts up, without much reading, because they don't know who they might step on.

      But your point is well taken.

      Only on your work computer, which is owned by your employer anyway. That computer is, hopefully, distinct from your personal computer(s).

    16. Re:Misinformed Title by racermd · · Score: 4, Insightful

      As a former enterprise-grade desktop support staffer (i.e.: one level up from the front-line call-takers), I know there have always been ways to disable the Windows Gadget platform. If not through GPO, at least through most other alternative rights-management schemes. Ultimately, it's as simple as removing the sidebar.exe file from the Program Files folder(s). Alternatively, an anti-malware utility (that's centrally managed, right?) can prevent the executable from starting.

      This should not be news to any company large enough to have a (competent) IT staff. Anything that runs applets or other code locally is potentially vulnerable. Disabling the platform entirely is one of the most effective ways of preventing this sort of vulnerability from being any sort of problem on a large-ish network. As such, assuming they're competent, they've already disabled or restricted this functionality long before a formal vulnerability existed.

      And, like you said, what IS sorta newsworthy is the subtext - that Microsoft is choosing to eliminate the Gadget platform altogether rather than patch it appropriately. Heading into Windows 8, I'm betting they didn't want to expend the resources necessary to do a proper repair job and, instead, focus developer time on Windows 8, Windows Server 2012, and optimizations on their new tablet platform.

      --
      My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
    17. Re:Misinformed Title by Anonymous Coward · · Score: 0, Flamebait

      You jest, but consider the possibility that Microsoft actually released an Operating System that WORKED, was rock-solid, had bullet-proof security, was small, tight, and fast, was highly customizable, configurable, did its job quietly and kept the hell out of your way... and never needed to be patched because it had been designed to be secure and uncrashable from the ground up. Try to imagine such a world. How would Microsoft convince you to buy the next version of Windows? How would they keep you from pirating it, since once you got a copy, you could install it and be done with Microsoft for good and all.

      These would both bode bleakly for the future of Microsoft, which is why despite having raked in untold billions of dollars, after decimating the software industry, NOT, I say again, NOT by creating a superior product at a lower price, (or higher value per unit price, more to the point,) but by dirty tricks, outright fraud, endless scheming, and the perpetration of lies about their competitors, their BETTERS, despite all the decades that passed since they swindled a Seattle software company out of a clone or port of an Operating System called CP/M, called by them QDOS, for quick-and-dirty operating system... after all that time and all that money, and all the people they lured away or bought (by buying their company when they might have been under contract to that company, or whomever buys it) all the programmers who could have been doing work for the betterment of mankind... they STILL have yet to produce an OS that meets these standards.

      Don't tell me they can't, because the Linux and GNU and FLOSS (in general) community has proven over and over again that they can, and they do make better OS's, applications, mostly without the financial resources Microsoft has had, facing an uphill battle against an entrenched but inferior product, against the perceptions of people outside the community who think if it's free it means it's no good, or if it's *NIX it means it will be hard to learn, etc.

      So they build in bugs and flaws and rip out things that are or might be useful, (compare the sound recorder applet from Windows 98 or XP to the one in Windows 7. It's a JOKE! This is just one example). Then they make sure to program in or leave behind plenty of security holes and other things that will need to be patched. Consequently, it is commonly held belief that anyone who puts a computer running Windows on the internet, who isn't using the latest updates, etc., needs his head examined. So everyone has to use Windows Update, which means everyone has to register their copies, to keep their systems safe, forming what I would think would be an extremely effective anti-piracy measure.

      On the other hand, it could all just be staggering incompetence and ineptitude, and not deliberate... yes, the thing that took thousands of people decades to build, costing the tech industry its soul, not to mention accreting to Microsoft unimaginable wealth, to cover the costs associated with writing... AND IT STILL DOESN'T WORK. It still needs CONSTANT patching, innumerable updates, has stuff that is still broke or never worked right... and you want to STICK UP FOR THEM?!?

      We DON'T... WANT Microsoft to be EVIL and Blundering, THEY ARE!!! And what's worse, what's downright criminal, what I can't imagine is how those jackals sleep at night, and wake up and look at themselves in the morning, being still technically human beings, when in fact they do this ON PURPOSE!!! I don't buy it's just that they can't do it. They could if they wanted, but that'd be contrary to their interests, which is ALL they're looking out for. They couldn't give a half a rat's ass for the interests of the "customers". They fuck their customers, making them pay for the same useless shit over and over again, deliberately buggy insecure crash-prone trashware, that only works if you never ask it to actually do anything, then they smile in our faces and continue to steal from us, knowing they have us over a barrel, and that many of us are unable or unwilling to do anything about it.

      And... THAT is why we FUCKING HATE THEM!!!

      Thank you. You may resume your regular activities.

    18. Re:Misinformed Title by hairyfeet · · Score: 5, Insightful

      This is something I have been wanting to ask for awhile, seriously, WTF does ANYBODY CARE about these so called "shills" anyway? I mean seriously the real shills are so damned easy to spot they may as well be the PHB on Dilbert, they use the same "buzzword bingo" that the corps just looooove to see in print, like "synergy" and "vertical integration" and "user experience" that nobody IRL uses, and if their point is bullshit? Well it's not hard to spot actual bullshit and it gets modded down quick enough.

      In the meanwhile all this "ZOMFG It a shill ZOMFG!" creates total paranoia and has the unstable seeing shill EVERYWHERE, I mean anybody that has read my history knows I'm just a little shop owner in the middle of bum fuck nowhere but so far I've been told I'm not actually in a little college town in the middle of AR, nope I'm hidden in a sekret bunker under Redmond, which I actually thought would be a hell of a lot more cool and interesting than my boring shop, oh and I'm also sub contracted to Comodo, AMD, Apple (Still haven't figured THAT one out, I don't even own an iPod), Asus, Gigabyte, and Asrock. I just wish someone would tell me where the sekret Swiss bank account is with all that money from subcontracting as I'd like a new truck, thanks.

      As for TFA I smell bullshit. Are you seriously telling me that MSFT can't even keep their own fucking website safe? Seriously? they got all those people working there, they can't even scan the fucking executables put on their own damned website? What are they running it on, a badly done FB page?

      Considering the fact I've NEVER seen anyone ever get a gadget at ANY site other than MSFT's, and that when you clicked on "get more gadgets online" it took you straight to their page I have to conclude that they simply want gadgets gone because it offers the same tweeting twitting FB shitting social crap that MSFT is pushing for Win 8. I've said it before and I'll say it again...watch out! I have NO doubt that between now and the release of Win 8 that MSFT will push more "security updates" that will be designed to cripple Win 7, because they are scared to death Win 8 is gonna be WinME the second coming.

      So triple check every damned update that comes out between now and then, and be sure to have disc images handy, because Ballmer and Sinofsky aren't gonna do anything that would allow Win 8 to flop and the simple fact is unless you have a touchscreen Win 7 will do anything you want. But if a security update were to...ohh I don't know....say kill 30%+ of performance, or take the decent features away, for "security reasons" of course, why folks might be more likely to buy Windows 8! The fact that MSFT is offering Win 8 pro upgrades on their website for $40 tells me they are running scared, hell they have NEVER offered pro for anywhere near that cheap, so frankly every single thing they say or do between now and then I would look at as suspect. MSFT is on the ropes, stuck in a niche that is flatline and will never be #1 again, and when backed into a corner as we have seen in the past MSFT can be pretty nasty. Just something to think about.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    19. Re:Misinformed Title by jjjhs · · Score: 1

      Go outside.

    20. Re:Misinformed Title by Khyber · · Score: 1

      No, lulz is now a furry/MLP porn website.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    21. Re:Misinformed Title by Anonymous Coward · · Score: 3, Insightful

      Tell me something, Mr Elite. How does someone who has never had formal training, but ends up leading a team of even less clued lackeys across a few hundred servers/workstations? You think they have time to test patches or arrange their environment for better upgrading? No probably not, they are probably worked to the n'th hour, job prospects for them look slim so they are happy with the $35k year they make and they do enough to keep up with outages, requests, and upper management.

      When things are working perfectly fine for 800 days and a malformed patch comes down the line they have every right to bitch.. but don't you dare tell them they deserve the negative feedback. That just feeds into their need to drink away their daily woes.

      And fuck you if you don't care about those people, there are hundreds upon thousands of these kind of IT shops out there.

    22. Re:Misinformed Title by Anonymous Coward · · Score: 1

      How can you patch stupidity? You can't. Randomly installing crap on your computer pwns your computer. You can't repair that very easily.

    23. Re:Misinformed Title by leucadiadude · · Score: 1

      Or anyone with a six-digit one either?

    24. Re:Misinformed Title by Anonymous Coward · · Score: 1

      don't trust anyone with a uid

    25. Re:Misinformed Title by Anonymous Coward · · Score: 0

      Thank you for this update. I saw this and immediately became agitated as I've configured various gadgets for clients, such as the much loved weather gadget with 3 day forecast and the calendar gadget. Are these submissions not edited? This news post is basically trolling and should be corrected immediately. I've been reading Slashdot since the early days and I get the anti-Microsoft sentiments; but misrepresenting Microsoft with non-truths is not what I want to read.

    26. Re:Misinformed Title by JustOK · · Score: 1

      No, lulz is now a furry/MLP pr0n website.

      FTFY

      --
      rewriting history since 2109
    27. Re:Misinformed Title by Ossifer · · Score: 1

      Trust is relative, you know...

    28. Re:Misinformed Title by Anonymous Coward · · Score: 1

      So I can't push a patch that disables the worthless eye-candy that uses internet usages to update the weather app all day.

      Then how will I torment my users?

    29. Re:Misinformed Title by fatphil · · Score: 4, Insightful

      The problem is that there's a flip-side. IT departments who don't push vital patches in time will get negative feedback for delaying.

      --
      Also FatPhil on SoylentNews, id 863
    30. Re:Misinformed Title by Anonymous Coward · · Score: 0

      Fix It do not get pushed through WSUS. If you are concerned by what updates your IT department pushes, then you might want to voice that concern with the department director. Sounds like they'd push the same updates willy nilly for anything (linux, etc).

    31. Re:Misinformed Title by Trogre · · Score: 1, Troll

      Especially when Microsoft keep having these frequent "accidents", such as pushing Skype and Silverlight (twice) as security updates over WSUS.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    32. Re:Misinformed Title by westlake · · Score: 1

      As a former enterprise-grade desktop support staffer, I know there have always been ways to disable the Windows Gadget platform. If not through GPO, at least through most other alternative rights-management schemes.

      For a single user in Win 7 it is as simple as this:

      Search > Windows Features > Turn Windows Features On or Off > Windows Gadget Platform

    33. Re:Misinformed Title by mister_playboy · · Score: 4, Informative

      You like to complain about others making hyperbolic posts, yet every single post you make is an exaggerated bluster-filled rant.

      Your endless faux outrage is fucking boring. Get a new gimmick and maybe I'll consider reading your comments again.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    34. Re:Misinformed Title by humanrev · · Score: 1

      ^^ This post is the reason why I feel embarrassed to be part of the Linux community. It seems to be one of the few communities who actively relish hating a company to the point where any debate is dominated with emotions rather than facts. It's enough to push anyone away from Linux - who the fuck would WANT to become like the above poster?

      --
      Most people on Slashdot are fucking idiots.
    35. Re:Misinformed Title by hairyfeet · · Score: 1

      Do I actually care whether you read them or not? that would be a giant NO. What I DO care about is how quickly one "ZOMFG shill!" post can completely fucking derail the conversation, better than any actual shill ever could.

      so if you don't care? please do go fuck off, you are wasting both my time and yours with your pointless "I don't care" post. Why don't you post about the weather, or what you had for lunch while you are at it?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    36. Re:Misinformed Title by Alex+Belits · · Score: 1

      Since you obviously work for Microsoft, we hate you, too. Go, kill yourself.

      --
      Contrary to the popular belief, there indeed is no God.
    37. Re:Misinformed Title by humanrev · · Score: 1

      Nah, I look better than you anyway (as per your livejournal). :)

      --
      Most people on Slashdot are fucking idiots.
    38. Re:Misinformed Title by Anonymous Coward · · Score: 0

      Go, kill yourself.

      Thanks for proving his point. But then again, why are you commenting on a website that takes money from microsoft to keep itself running?

    39. Re:Misinformed Title by Anonymous Coward · · Score: 0

      That's a bit harsh..

    40. Re:Misinformed Title by Raenex · · Score: 1

      Don't tell me they can't, because the Linux and GNU and FLOSS (in general) community has proven over and over again that they can ["released an Operating System that WORKED, was rock-solid, had bullet-proof security, was small, tight, and fast, was highly customizable, configurable, did its job quietly and kept the hell out of your way... and never needed to be patched because it had been designed to be secure and uncrashable from the ground up"]

      Delusional much? Could you provide a link to this magical, Linux/GNU/FLOSS software so that I may run it? Or alternatively, I could take a few seconds and point out the many flaws, patches, upgrades, and missing features.

    41. Re:Misinformed Title by tehcyder · · Score: 1

      I'm no Microsoft fan

      That's a mighty bold statement in this town, partner.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    42. Re:Misinformed Title by cusco · · Score: 1

      that nobody IRL uses

      We only wish. You apparently don't work with many marketing people, they not only actually use stupid buzzwords like that but seem to believe that everyone else does. When I was younger and dumber I got into an argument with a marketing flack about "virtual" something or other, and was amazed at the really bizarre things he believed. I learned then not to argue with marketing people, it's as useless as debating with Jehovah's Witnesses.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    43. Re:Misinformed Title by doggo · · Score: 1

      Amen, brother!

    44. Re:Misinformed Title by Anonymous Coward · · Score: 0

      If he doesn't realize by his age that he's a stupid ugly fuck with a superiority complex (probably caused by the aforementioned ugliness), he never will.

  2. Wrong summary by Jennifer+Wag · · Score: 5, Informative

    Microsoft Windows Update does not remove Windows Gadgets. To remove Windows Gadgets, you need to proceed to Microsoft website and download a Fix-It that can be then used to disable Windows Gadgets on your computer.

    1. Re:Wrong summary by Dishevel · · Score: 0

      Seriously?
      You were completely unable to find humor in the GP's link?
      Although it would have been more funny to post the real "Fix-It" link and then under that the Debian "Fixed-It" link.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    2. Re:Wrong summary by Anonymous Coward · · Score: 0

      The summary didn't say that, but the title implied it

  3. What? by trifish · · Score: 5, Insightful

    An attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget.

    I always thought that if an attacker is logged in as admin, he owns the system already.

    Why do they talk about a specific attack? There are zillions of them if you have admin rights.

    1. Re:What? by Mike+Wag · · Score: 0

      On top of that even Chrome/Firefox addons could be used to pwn the system. Who would have thought that Gadgets have code? Well, duh.

    2. Re:What? by Sir_Sri · · Score: 1

      If the user is running as admin, which on Windows lots of users (probably the vast majority of home users) are, then being able to gain remote control of the system is problematic at best.

      It's unfortunate, because I actually find some of the gadgets really handy (weather monitor, CPU monitor etc), but it's not worth getting your computer remotely seized for.

      It's not like there aren't other ways to do just about everything gadgets do anyway, it's just a poor man's live tile for small bits of info that are handy on the desktop.

    3. Re:What? by Anonymous Coward · · Score: 0

      At first I thought you were joking, but someone else posted the same thing, so...
      I RTFA (advisory)-heh!
      If the user is logged in as admin and installs a vulnerable gadget, then an attacker could take over the system.
      Yeah, the use of pronouns (singular "they" and all) in TFS is ill-advised.

    4. Re:What? by Mike+Wag · · Score: 1

      It's not remotely exploitable. Only if you install such gadget. You shouldn't be installing random software anyways.

    5. Re:What? by Anonymous Coward · · Score: 1

      Did you know a thief could steal all of your valuables if they used a key to unlock your front door?

    6. Re:What? by gl4ss · · Score: 1

      It's not remotely exploitable. Only if you install such gadget. You shouldn't be installing random software anyways.

      that's even more stupid. if you as an admin install a program you can run it as admin? WHAT SHOCKING NEWS!!!!
      will they be uninstalling windows explorer next?

      is this their metro push plan? will they be uninstalling metro from win8 once it becomes known that if you install a malicious livetile program then that program can own you?

      --
      world was created 5 seconds before this post as it is.
    7. Re:What? by dd1968 · · Score: 2

      "Did you know a thief could steal all of your valuables if they used a key to unlock your front door?" And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?

    8. Re:What? by Anonymous Coward · · Score: 0

      I always thought that if an attacker is logged in as admin, he owns the system already.

      It's the USER logged as Admin, I think.

    9. Re:What? by Anonymous Coward · · Score: 0

      Eh?

    10. Re:What? by 0racle · · Score: 1

      "An attacker could take over a user's system if they (the user) are logged in as admin and they (the user) install a vulnerable gadget."

      Clearer?

      --
      "I use a Mac because I'm just better than you are."
    11. Re:What? by Mike+Wag · · Score: 1

      They're not uninstalling anything, they're providing you a tool you can use to uninstall gadgets.

    12. Re:What? by jmorris42 · · Score: 1

      So? It still resolves down to misunderstanding exactly what is meant by 'admin'. Whoever has admin/root can do whatever they darned well want.... or at least until the DRM hammer falls. But because they don't want end users to understand that they are blowing smoke up everyone's butt and removing a feature most of us consider a waste of cycles and memory but some people actually like.

      --
      Democrat delenda est
    13. Re:What? by Anonymous Coward · · Score: 1

      Did you know a thief could steal all of your valuables if they used a key to unlock your front door?

      And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?

      Did you know that if you are actually at home on a hot date with the thief's mother when you said you'd be gone, and you've had the foresight to label a large bottle of deadly deadly poison as "EYE/BRAIN BLEACH" and leave it sitting in the front room, hilarity is essentially guaranteed?

    14. Re:What? by TheRealMindChild · · Score: 1

      Sidebar Gadgets seem benign, but they are for all intents and purposes an IE window, running in the local zone (by default can create any ActiveX object on the system), with no scripting restrictions. So someone with admin rights can essentially install something that is telling them the weather, but can be quite mean. It isn't an obvious vector.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    15. Re:What? by Anonymous Coward · · Score: 1

      Did you know a thief could steal all of your valuables if they used a key to unlock your front door?

      And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?

      Did you know that if you are actually at home on a hot date with the thief's mother when you said you'd be gone, and you've had the foresight to label a large bottle of deadly deadly poison as "EYE/BRAIN BLEACH" and leave it sitting in the front room, hilarity is essentially guaranteed?

      And did you know the front door we're all talking about is the front door of a motor home? Because otherwise, this analogy is non-automotive.

    16. Re:What? by afidel · · Score: 1

      Not on Vista/7/8, on modern Windows Chrome runs as a low integrity process so there's no ownage unless there's another unpatched privilege escalation attack (which would have to work just as well against any normal user). Firefox addons are a bit vulnerable since Firefox runs as a medium security process but it still doesn't have your admin token.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    17. Re:What? by omnichad · · Score: 1

      Maybe it's bypassing UAC. The article was unclear.

    18. Re:What? by Sir_Sri · · Score: 1

      And I think, to prevent installing them at all.

      Seems like it's one of those problems where the entire concept cannot be secured quickly (think I.E. 6).

      But we'll know more when the black hat presentation comes.

    19. Re:What? by treeves · · Score: 1

      I think it was poorly worded, but what was meant was that if the USER is logged as admin, he could install a gadget that would give the attacker the ability to gain unwanted access to the system.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    20. Re:What? by hairyfeet · · Score: 1

      Not unless they are on XP, which if they are still running a 12 year old OS they have worse problems, like how damned many patches on top of patches that XP has had. Most of the gadgets anybody would actually want like the weather are included by default in the Win 7 gadget library, don't know about Vista as I don't have a machine with Vista handy at the shop.

      There is one that is excellent that isn't included that I will provide the link for, the most excellent Meter Gadgets which include CPU Meter, which integrates nicely with Coretemp so you can monitor core usage, temps, and RAM all from one little sidebar gadget, the network meter which is great if you have a flaky connection as it has all kinds of useful info and tools such as speedtest and signal quality for WiFi, battery meter which is what it says on the tin, and GPU meter which is nice if you are hot rodding your graphics card.

      They have several other gadgets there, everything from worldclocks to control gadgets and now that MSFT has pulled their gadgets page (nice how they use it to hawk Win 8, like we want that crap) it might be a good idea to bookmark it if you actually want some useful gadgets that aren't included with gadget library.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    21. Re:What? by JustOK · · Score: 1

      What if someone steals the key from the thief?

      --
      rewriting history since 2109
  4. Uh by FrYGuY101 · · Score: 2

    an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget

    Am I missing something? Because if the attacker has root privs, you're pretty much screwed no matter what, gadget or no...

    --
    "If we let things terrify us, life will not be worth living."

    - Seneca
    1. Re:Uh by Dynamoo · · Score: 4, Informative

      The same goes for installing ANY application. This is a stupid knee-jerk reaction.

      --
      Never email donotemail@WeAreSpammers.com
    2. Re:Uh by CowTipperGore · · Score: 4, Funny

      Oh that's rich. A Microsoft troll account accusing Google of smearing Microsoft. Good stuff!

    3. Re:Uh by Marc+Madness · · Score: 4, Informative
      The featured article explains with a much less confusing use of pronouns:

      "An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user," company officials said in an advisory issued Tuesday. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system."

    4. Re:Uh by postbigbang · · Score: 1

      Your peaceful informative explanation brings clarity here. What were you thinking?

      --
      ---- Teach Peace. It's Cheaper Than War.
    5. Re:Uh by Anonymous Coward · · Score: 0

      Isn't that true of any software installed by the user with admin rights?

    6. Re:Uh by Anonymous Coward · · Score: 0

      Mike Wag.
      I see what you did there.

    7. Re:Uh by Anonymous Coward · · Score: 0

      And this is true regardless of the OS. When I was at Dial Corp. a UNIX admin ran a "fix" script as root. Uh oh. It totally hosed the system that he ran it on. Was it that HPUX was insecure? No. It was because the corporate powers-that-be handed out root too indiscriminately. But I did find something on Win7 that really caused me grief. I HATE the "Start Navigation" sound on Windows. If you ever change a Theme, there it is again! So I wanted to delete all of the files "Windows Start Navigation.wav." I had to run three separate commands in order to delete one file. And I had to run those same commands on each instance of the file in the C:\Windows\Media directories. Granted I could have written a batch file to do it, but why all of the hoops? Running as Admin, I should be able to delete those, without having to run 3 separate commands as admin to do it. Gotta love those folks in Redmond.

  5. Dr. Claw's response by Megane · · Score: 5, Funny

    "I got you this time, Gadgets!"

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    1. Re:Dr. Claw's response by Anonymous Coward · · Score: 0

      THAT EASY JUST send the BSOD code

  6. In other news... by Anonymous Coward · · Score: 0

    ...Microsoft has discovered that a user may be tricked into installing malicious software via the world wide web that could be used to take over the machine and run with permissions of the user. As a result, they are issuing an emergency fix that will completely disable all web traffic... :)

  7. Re:So stupid... by Anonymous Coward · · Score: 0

    Microsoft has created an OPTIONAL "Fix It" to strip it entirely. If you don't need it, YOU can remove it. And that reduces your attack surface area.

  8. Why remove? by Picass0 · · Score: 1

    Couldn't MS simply patch their Gadgets engine so it won't run in an account with admin privileges? Maybe present the user with a popup "unable to run, you're an admin, you shouldn't do that on your daily driver account, etc..."

    This way users who like widgets will have an incentive to make their Windows profile safer.

    Carrot vs Stick. Sometimes the carrot is better.

    1. Re:Why remove? by Anonymous Coward · · Score: 0

      Or just create a system account for widgets and run all widgets under the unprivileged system account.

    2. Re:Why remove? by VMSBIGOT · · Score: 1

      I'm not really sure what the hell the article is talking about. Unless you have disabled UAC, Sidebar.exe is running always under an unprivileged account. Take a look using Process Explorer and you will see that the "administrators" group is denied to that process.

      Hell, at least on Windows 8, you can't even try to run it as an administrator. It spawns an unprivileged child process to run it if you do.

  9. And nothing of value was lost by gman003 · · Score: 0

    Disabling gadgets is one of the first things I do on any new Windows system. They're never useful, all they do is eat up CPU time or distract you with constantly-moving readouts. Hate those things.

    1. Re:And nothing of value was lost by Picass0 · · Score: 1

      >> "They're never useful"

      You shouldn't speak in absolutes. For some people they are. There are widgets that make things simple for everyday people instead of power users. Eg - When you tell your grandma it's more secure to turn her WiFi off in certain situations, a desktop toggle widget makes this a lot easier.

      When you think someone's machine is running a bit hot you might be inclined to put temperature monitors where the user can help you keep an eye on things.

    2. Re:And nothing of value was lost by Anonymous Coward · · Score: 1

      Well, I use some gadgets that are very useful, such as Drive Activity, TopProcess and Clipboarder (this one is a must have for me), I don't think there are alternatives for all of them. And no, they don't distract me in any way.

    3. Re:And nothing of value was lost by Anonymous Coward · · Score: 0

      They're never useful

      Some guy over there said Slashdot is never useful. Does that mean you will follow your own logic consistently, and stop posting to Slashdot yourself?

    4. Re:And nothing of value was lost by Anonymous Coward · · Score: 0

      Hey, I post here and I know damn well this place hasn't been "useful", by any definition, for like ten years now.

    5. Re:And nothing of value was lost by DigiShaman · · Score: 1

      Actually, I liked Windows Gadgets. I'm still using many of the ones offered by http://addgadgets.com/. Specifically the CPU, Network, and GPU meters. Hands-down should be included in the official Windows 7 Gadgets list.

      --
      Life is not for the lazy.
    6. Re:And nothing of value was lost by Anonymous Coward · · Score: 0

      all they do is eat up CPU time

      If your system is discernibly affected by running desktop gadgets, either (A) you're running way too many gadgets; (B) your computer is pitiful... how did you even get it to load a gadget-enabled Windows OS?; or (C) it's not the gadgets, but the botnet trojan you don't realize you have.

      or distract you with constantly-moving readouts

      Many higher organisms have the ability to consciously suppress instinctive reactions like immediately attacking or fleeing a perceived threat or being easily distracted by predictable movement in their peripheral vision. If you aren't one of those, I commend you on your readiness for the cut-throat Darwinian world of raw survival after the collapse of civilization, but would recommend you seek professional help in regards to compatibility with the world as it exists now.

    7. Re:And nothing of value was lost by gman003 · · Score: 1

      You say absolutes; I say hyperbole.

    8. Re:And nothing of value was lost by the_bard17 · · Score: 1

      Absolute or hyperbole; regardless of the word used to describe it, I'd recommend finding a better term than "never useful". It makes you sound like a pretentious asswipe who can't think past his own needs, wants, and preferences.

      Unless you are a pretentious asswipe; in which case, carry on.

    9. Re:And nothing of value was lost by Saija · · Score: 1

      Hey, I have a slide show gadget showing me pictures from my wife, baby and relatives, cheaper than buying some frames or a digital frame.

      --
      Slashdot isn't what it used to be! ;)
    10. Re:And nothing of value was lost by Picass0 · · Score: 1

      I didn't think he was pretentious.

  10. uh-oh by roc97007 · · Score: 1

    In a previous job, middleware admins had a custom gadget that displayed status on a wide variety of web apps for which the department was responsible. Personally, I wouldn't have done it that way (you never know what Microsoft ...stuff... will hang around and what won't) but I wasn't consulted.

    So it occurs to me that, if the Windows admin group pushes out this update, it'll take a mission critical tool offline. I will have to call a former co-worker and see how that goes. Since Windows admin is outsourced, it probably won't even occur to them to tell the user community that they're about to disable gadgets.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:uh-oh by Anonymous Coward · · Score: 0

      Sounds like y'all need a change management process.

    2. Re:uh-oh by roc97007 · · Score: 1

      Sounds like y'all need a change management process.

      Yeah, really?

      Ok here's how change management works there: Everything, including minor changes to development boxes, has to go through outsourced change management. The meetings are weekly, so if you want to correct a configuration issue in a web server and it's the day after the change meeting, it'll be a minimum one week before the change can be made.

      There is only one change meeting for the entire company. It is typically 3 to 4 hours long. It consists of reading through the changes and asking for "approved" or "disapproved" by the board, made up of managers without technical experience. There is no -- repeat no -- mechanism to identify how a random change will affect the resources for which you are responsible. It is entirely up to the workers to recognize that the proposed change involves a resource that affects them.

      Soooo.... you can dial into the call, and listen to all four hours of droning, on the off chance that you will recognize an issue, but how well that works depends on how well you know the parts of the architecture for which you are not responsible. And how well you can understand someone who isn't communicating in their native language, over a scratchy connection. (Incidentally, it seems de rigueur when you're reading off a change list to speak the change number distinctly and then let your voice fade out when you're saying the details. But I digress.)

      For instance, patching is considered junior level work, and the junior admins work their night shift, which is your day shift. It's not uncommon for them to down a server that feeds records to another server, that consolidates data in a database on another server, which feeds your app. Your app has stopped working during office hours and you have no idea why.

      So yeah, they have change management, but given the way it operates, it's just a managerial line item, not something actually meant to be useful.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    3. Re:uh-oh by roc97007 · · Score: 1

      ...the way it used to work, before outsourcing, the people making the changes knew enough about the systems, either through training or experience, that they could predict who would be affected by a change, and give them a heads-up. This made the actual change meetings mere formalities.

      Post outsourcing, the people actually doing the change are very junior people (I'm resisting the urge to say "store clerks") who have no understanding what they're actually doing. Their sole role is to follow written procedures. Since they have no visibility of what the change would affect, they have no idea whom to notify, and that very important communication has ceased to exist. But the outsourcing company can say in reviews that they are complying with the letter of the law -- all changes go through change management, and if you're adversely affected by the change, it's your own fault. You should have picked it out of the 400 changes that week and recognized that collateral damage would take out apps for which you are responsible.

      And it's cheaper, to boot. Well, it's not cheaper, but I'm told that's the customer's fault also, because we keep asking for things that weren't in the original contract, like a reasonably agile environment.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  11. Sigh by AdmV0rl0n · · Score: 0, Troll

    Seriously has Sinofsky's mitts written all over this.
    They killed this in 8, and it just means they have bullshit justification by saying 'it was insecure'.

    Yes, run as admin and download/run executable can own your machine. (For the past 30 years. It's not new.)
    Nobody should be running as Admin. And partially even when you do the OS impedes this to some degree.

    I suspect what is likely is that Gadgets may be flawed to a level where UAC and OS protection can't cover off enough, and it's unhinged. But they should be promoting not running as Admin and not promoting running like XP and throwing sticky plasters at bad practice.

    I don't really use gadgets often, and it's always seemed fairly limited to the odd decent one. But I have to say it's a very bullshit and garbage reason to kill a feature/API.

    But then that's MS in 2012. Remove and restrict features, charge you for what was free before, and generally be a fucking bunch of dicks.

    And Sinofsky, give me back my start button and menu, you c***.

    --
    We`re all equal .. Just some of us are less equal than others.
    1. Re:Sigh by the+eric+conspiracy · · Score: 5, Funny

      > But then that's MS in 2012. Remove and restrict features, charge you for what was free before, and generally be a fucking bunch of dicks.

      As Steve Ballmer said, we are not going to let Apple have any market unchallenged.

    2. Re:Sigh by datavirtue · · Score: 1

      You don't need it. I've been using Windows 8 for less than a day and I do not miss the cluttered start menu--I've been using windows for 20 years. I use the Toolbar Address option to quick search on the desktop and it launches everything I need instantly. The new tiles interface is just a cleaner copy of the best android interfaces and it is welcome. Regular users are going to eat this up. I supplied my social network and Exchange accounts and it integrated all of them cleanly into the interface. It took me less time to learn the Windows 8 interface than it did to get comfortable with Windows7! From all of the /. comments as of late I thought for sure I was going to hate windows8, but there is nothing to hate. A cleaner, well designed interface for windows. I bought a Xoom with Android 3 some time ago and fell in love with the easy to use, clean interface and multitasking, Microsoft just took the best from that. After using the Xoom I knew I wanted the same interface on a desktop and it materialized. Best interface available, good stuff.

      --
      I object to power without constructive purpose. --Spock
    3. Re:Sigh by Anonymous Coward · · Score: 0

      I have a Xoom and I think the UI is awful. It is a bit better with cornerstone.

      Still nowhere near as nice as focus follows mouse. (On Windows or the X Window System).

      Maybe if I had 4 monitors so I could run everything I need full screen it might be ok.

      I think Android is total garbage. (Still use it because of stuff you can only have as root apps and you don't really have the choice to use those sort of things with iOS or WP7). I might get a W8 phone if I get those sort of options.

      If Android integrated with Linux like WP7 or iOS do with their respective host OS's it would be better. Webapps are junk.

    4. Re:Sigh by Anonymous Coward · · Score: 0

      There was nothing to 'get comfortable' with in Windows 7 since it was pretty much the same as XP for the most part. Win 8 is horrible though -- you have to work around the fact that the 'start menu' covers the entire screen. Win 8 is fine for "consuming stuff", but I'm finding it hard to "produce stuff" with all the bouncing back and forth between desktop+start+stupid_things_that_are_metro

    5. Re:Sigh by Anonymous Coward · · Score: 0

      You don't need it. I've been using Windows 8 for less than a day and I do not miss the cluttered start menu--I've been using windows for 20 years. I use the Toolbar Address option to quick search on the desktop and it launches everything I need instantly.

      That's great for a Microsoft shill who knows what they want to astroturf, but what about the users (read: idiots) who don't know what that thing is called but remember the little icon? Oh right, go fuck yourselves. Thanks for coming out..

  12. Re:So stupid... by Anonymous Coward · · Score: 0

    So which kind of idiot are you anyway? The kind that doesn't pay attention long enough to realize that this has nothing to do with automatic updates, or the kind of idiot that installs every MS iFixit application without looking at what it does and therefore feels robbed of a Windows feature?

  13. ironic by spongman · · Score: 0

    Does anyone else find it ironic that Metro is little more than Gadgets running in a full-screen Start Menu.

    1. Re:ironic by Anonymous Coward · · Score: 0

      Does anyone else find it moronic that you apparently don't know the functional difference between a JavaScript app (Gadget) and a Metro app (Real executable.)

    2. Re:ironic by JBMcB · · Score: 1

      "JavaScript app (Gadget) and a Metro app (Real executable.)" ... that can be written in Javascript/HTML.

      --
      My Other Computer Is A Data General Nova III.
    3. Re:ironic by pandronic · · Score: 1

      Real Metro apps can be written in JS and HTML. Troll much?

  14. Re:So stupid... by EvanED · · Score: 1

    And not only that, but it's supposedly temporary, presumably while they work on a better fix.

  15. Re: The gadget gallery is gone by PraiseBob · · Score: 1, Interesting

    The gadgets still work, but when I click on the "Get more gadgets online", it brings me to a webpage that says Microsoft doesn't host gadgets anymore because they are too busy making Windows 8.

    Instead it gives me the really helpful advice to not download gadgets from untrusted sources. This strikes me as unusual, since I was hoping Microsoft would be a trusted source where I could get safe gadgets. Apparently they aren't interested in doing that.

  16. They couldn't have killed them YESTERDAY?? by daboochmeister · · Score: 2

    I just spent an all-nighter figuring out why certain VMs wouldn't clone cleanly -- and it ended up being SideShow that was the root problem, preventing sysprep under the covers.

    If only I'd known, "just be patient" would have been the best advice.

    --
    "Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
    1. Re:They couldn't have killed them YESTERDAY?? by omnichad · · Score: 1

      Sideshow isn't the same thing as Sidebar, though they are related. Sideshow is a second screen (usually smaller) that is just big enough for a system status widget or other small indicator.

  17. They don't go away unless you want them to go away by westlake · · Score: 1

    I have a couple of extremely useful gadgets installed, and don't want to see them go away.

    They don't go away unless you want them to go away.

    You don't need the Fix-It Tool.

    Search>Windows Features>Turn Windows Features On or Off>Windows Gadget Platform

  18. For security reasons only? by Black+LED · · Score: 2

    I use desktop gadgets in Windows 7 for system monitoring, application launcher, weather report and volume control and have come to rely upon them heavily. I won't be applying this patch, however I can't help but wonder if MS is sneakily trying to kill off gadgets partly to promote the Windows 8 tiles and start screen.

    1. Re:For security reasons only? by idontgno · · Score: 1

      That occurred to me too.

      The threat statement comes down to "A program you download, install, and execute may secretly do bad things to your computer with the privileges and permissions of the user who is executing the program."

      In the words of the Prophet, "Well, DUH!"

      There is nothing distinctive to desktop gadgets in this. So the stated rationale has the whiff of bullshit that usually emanates from acts of Security Theatre.

      And that always make me wonder about ulterior motives and what kind of bad faith that powerful aroma is intended to cover up. Your theory, as sketchy as it seems to be (to me), may be plausible (at least in the Byzantine thought processes of Microsoft Marketing... they're so used to FUD-kneecapping their market competitors that even when the competition is themselves, they can't help it.)

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:For security reasons only? by Anonymous Coward · · Score: 0

      Right... otherwise by their logic, if I am running as an admin and install a bad program... it will take over my system. This is not new. Poorly hidden marketing ploy.

    3. Re:For security reasons only? by JDG1980 · · Score: 2

      I won't be applying this patch, however I can't help but wonder if MS is sneakily trying to kill off gadgets partly to promote the Windows 8 tiles and start screen.

      Judging from the message they've posted on the closed Gadgets Gallery page, it certainly looks that way:

      "Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery."

      Translation: nothing to see here, Windows 7 is yesterday's news, throw away your real PCs and embrace the tabletness of Windows 8!

    4. Re:For security reasons only? by Anonymous Coward · · Score: 0

      Well, duh... the real lesson here is don't use an account that has privileges for everyday tasks, or as we say in the *NIX world, if you're doing your day-to-day user-land activities (surfing the web, typing, playing games, etc.) logged in as root, you're a moron. To check to see if you're using the wrong type of account, do this:

      Open a terminal window
      type the command "cd /"
      type the command "rm -rf *"

      If you're using the correct kind of account, little damage will result. If you're using the wrong kind of account, break out the system-discs and whatever you use for backups... hope they're recent.

  19. Well, as always... by Anonymous Coward · · Score: 0

    clear as MUD whenever M$ gets around to doing things.

    They have an ENABLE and a DISABLE option in the FIX IT section but no explanation as to whether the ENABLE is a reference to the FIX or the GADGET! Does clicking on the enable button actually enable the fix [thus, disabling the gadget functionality] or does it enable the gadget functionality [thus, disabling the fix] again? Is it really that difficult to actually explain the whole of something anymore?

  20. I use gadgets by Anonymous Coward · · Score: 0

    I have 3 analog clocks set to different time zones, plus the weather and calendar. I also use Microsoft's end of XP support countdown. Also Android still uses gadget like apps on the home screen and Macs have dashboard. I will probably have to go third party in the future but Microsoft has supported gadget like software since Windows 98's active desktop.

  21. Fit-it by ISoldat53 · · Score: 1

    So do I enable the Fix-it solution to disable the gadgets? Or do I disable the Fix-it solution to disable gadgets? Or do I disable the fix-it solution to enable the gadgets after I enable the Fix-it solution to disable gadgets?

  22. Sysinternals. by westlake · · Score: 1

    They're never useful, all they do is eat up CPU time or distract you with constantly-moving readouts. Hate those things.

    For fact checking:

    Sysinternals > sidebar.exe > Properties

    Performance
    Performance Graph
    GPU Graph

    On my system the current load is 0% GPU and 1.5-2% CPU.

    The CPU and GPU monitors, almost certainly.

    I've been tracking system and GPU cooling in our summer heat waves.

  23. Re: The gadget gallery is gone by FearTheDonut · · Score: 2

    It has been this way for some time - At least as of a few months ago. That message isn't related to what's happening now.

  24. why? by Simulant · · Score: 1

    Can anyone explain how a Gadget is more dangerous than any other piece of software you might download and execute? Microsoft didn't.
    I think they just want to get rid of Gadgets. They closed the shop months ago.

  25. Windows 8 Metro has gadgets by Anonymous Coward · · Score: 0

    Doesn't Windows 8 Metro have those tile gadgets? Same threat?

  26. tag: timothysucks by Nimey · · Score: 3

    Looks like we're going to have to treat timothy like we treated kdawson until he shapes up.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  27. News flash: Running malicious programs is bad! by JDG1980 · · Score: 1

    "An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user," company officials said in an advisory issued Tuesday. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system." To be successful, they added, "An attacker would have to convince a user to install and enable a vulnerable Gadget."

    In other words: Gadgets are just like any other kind of executable code – they run under the user's credentials and can do things the user doesn't necessarily expect.

    Part of me (the paranoid part) thinks that this is a prelude to Windows eventually trying to close off all "untrusted" third-party code in newer versions of Windows, and eventually require everything to either go through the App Store or some sort of corporate app repository. They want to get rid of the desktop and general-purpose computing, they just don't think they can get away with it yet. This is a trial balloon and there has to be strong pushback against it.

    1. Re:News flash: Running malicious programs is bad! by spitzak · · Score: 1

      and eventually require everything to either go through the App Store or some sort of corporate app repository

      I think if that was the plan, then you should still get "official Microsoft gadgets" from the Microsoft "app store". But apparently they have been removed from there.

      I don't use Windows so I really don't know what is going on, but this does sound mysterious. I mean it is pretty much a "duh" insight that running untrusted software as admin is a problem, and they did not remove *all* software. So this either means an insidious plot of some sort to get rid of gadgets because they don't fit into future marketing, or the rather uncomfortable idea that there is a bug/misfeature such that gadgets actually are more dangerous than normal applications.

  28. You too can disable the gadget platform! by Anonymous Coward · · Score: 0

    Assuming Win7, open an admin command prompt.

    C:\> dism /online /disable-feature /featurename=WindowsGadgetPlatform

    Also removable in the UI through "Programs and Features", "Turn Windows features on or off".

  29. Re:I want my money back by Jeng · · Score: 1

    I'm sure you'll find lots of lawyers willing to help you, but to have a class-action lawsuit over this is beyond silly.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  30. Fuck you MS by pandronic · · Score: 2

    As a once gadget developer I say "Fuck you Microsoft!" and here's why ... when gadgets were all the shit they pushed the gadget gallery and they pushed it hard. OMG, you can program in JS and HTML, you can reuse your web developing skills. I was excited as fuck. So I made a fairly popular free gadget. I thought that they would expand their site to make non-free gadgets possible, since the "gadget store" was littered with mentions about a mysterious Microsoft currency, but that didn't happen, the updates were approved in more than two weeks, complaints about a dude who copied my gadget and published it in his name went unanswered for years, the docs were shit and incomplete, the gadget site was buggy, the Windows gadget app was buggy, IE9 made it even buggier, my polite post on the dev forum about the future of the Gadget Gallery was censored, really WTF?

    Is this how MS will treat their Metro developers if it doesn't have the success the corporate douchebags in Redmond expect it to?

    1. Re:Fuck you MS by Areyoukiddingme · · Score: 1

      You should have realized this would happen when you considered for a moment why Windows Gadgets existed at all. They were an answer to the Google Desktop Sidebar, which was precisely the same thing: gadgets programmed in JS and HTML. Google discontinued Google Desktop a couple of years ago, citing specifically the creation of Windows Gadgets as one of the reasons why. Now that people have forgotten Google Desktop, Windows Gadgets has served its purpose and can be euthanized.

      And I am VINDICATED! I said you'll pry my Google Desktop Sidebar from my cold dead hands, and I was RIGHT. I still have my sidebar, and no Fix-It will kill it, now or later.

      If there was any question about what Microsoft is doing, this should answer it: rather than trying to make products for customers, they're fighting a war against Apple and Google. If they win on any front, they abandon their "gains" as an expense that isn't worth sustaining. There's a reason why the pundits are calling it "Microsoft's Lost Decade."

  31. Re:I want my money back by JBMcB · · Score: 1

    Not if you are a company that, for some reason, relies on gadget functionality.

    Another case in point: there is an obscure function in SQL Server that lets you load in data from Excel quickly and easily. It's insanely useful when importing data in from some weirdo 3rd party applications that can't really export in another more useful format.

    Thing is, Microsoft stopped shipping the standard Access/Excel ODBC drivers in 64-bit Windows 2003. This essentially made this function useless (you could still import CSV files, poorly - hooray). They didn't document this anywhere, and the examples still exist in the documentation for SQL 2005, even though it didn't work on the 64-bit version.

    So enough people complained that they released 64-bit versions of the drivers a few years later. It's completely obscure functionality, but a ton of people used it.

    --
    My Other Computer Is A Data General Nova III.
  32. Re: The gadget gallery is gone by locopuyo · · Score: 2

    Microsoft stopped hosting gadgets a long time ago because they didn't want to be responsible for them. The get more gadgets link is completely useless. You have to search online to find them and the sites that have them are ridden with advertisements for spyware.

  33. Brilliant logic. by Anonymous Coward · · Score: 0

    From MS's website:

    Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery.

    Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time.

    They're worried about gadgets installed from untrusted sources, so they removed most people's only known trusted source of gadgets?

  34. Re: The gadget gallery is gone by nmb3000 · · Score: 0

    The gadgets still work, but when I click on the "Get more gadgets online", it brings me to a webpage that says Microsoft doesn't host gadgets anymore because they are too busy making Windows 8.

    Instead it gives me the really helpful advice to not download gadgets from untrusted sources. This strikes me as unusual, since I was hoping Microsoft would be a trusted source where I could get safe gadgets. Apparently they aren't interested in doing that.

    Yeah, it's pretty lame the way they handled this. It's very clearly a move to push people at Windows 8 by removing "value-add" stuff from Win7 and Vista.

    If you're looking for gadgets, most of the old ones (and a bunch of new ones) have been hosted here:

    http://gallery-live.com/

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
  35. Retain ad-free Pandora gadget functionality by Pausanias · · Score: 1

    If you do remove gadgets, there is only one true loss. The Pandora gadget is extremely useful because it provides the only ad-free frontend to Pandora. If you disable Gadgets, you can still access it through this link:

    http://internal-tuner.pandora.com/windowsgadget/gadget.jsp

    I found the audio to be choppy for some reason under Firefox when you navigate away from the tab that contains it... for that reason it should likely be spawned into its own window.

  36. Re:I want my money back by Jeng · · Score: 1

    Gadget functionality can be replicated in a number of ways using different platforms, but only Microsoft could have made an updated 64 bit driver for Access/Excel ODBC.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  37. Ridiculous.. by michealPW · · Score: 1

    "an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget."

    Uhh.. That's ridiculous. What CAN'T go wrong if you're logged in as Admin and install/run malicious code?
    Why not just send out a patch that prevents Windows from executing code entirely since, you know, it COULD be dangerous.. :|

    1. Re:Ridiculous.. by JDG1980 · · Score: 1

      Why not just send out a patch that prevents Windows from executing code entirely since, you know, it COULD be dangerous.. :|

      It's called Windows RT.

  38. Lame solution to a fixable problem by bogie · · Score: 1

    I love their solution. Instead of easily fixing the problem, which btw is definitely possible, they tell you to upgrade to Windows 8 and Metro as an alternative. Um ok...

    MS can blow me if they think that's somehow an acceptable alternative. They must really be desperate to get people to buy into Metro if they are pulling stunts like this.

    --
    If you wanna get rich, you know that payback is a bitch
  39. Re: The gadget gallery is gone by Anonymous Coward · · Score: 0

    If you're looking for gadgets, most of the old ones (and a bunch of new ones) have been hosted here:....

    Oooh, new shiny malware. Thanks!

  40. Re:So stupid... by ilsaloving · · Score: 1

    Wow, it seems I struck a nerve with all the Microsoft fanbois. Not only have I been modded troll, but I've got several comments who clearly haven't even bothered to read what I wrote.

    FACT A) Microsoft *admits* that the gadget platform is fundamentally flawed.
    FACT B) Microsoft has provided an optional patch for you to disable it entirely if you don't want it.

    One person says that the disabling of the feature is temporary. There is no citation for this, and this is NOT corroborated in the news articles.

    What Microsoft has done is abandon a core feature they advertised as part of their OS. You can either disable it entirely, or you can leave it and live with the security risks. They sold us a product that was not fit for purpose, and now they're going nyah nyah.

    I'm sorry fanbois, if you can't deal with the truth, that's YOUR problem. Shooting the messenger doesn't change the fact Microsoft dropped the ball so badly they don't even want to pick it back up again.