Slashdot Mirror


Microsoft Kills Windows Gadgets Via Security Update

benfrog writes "Microsoft has taken the unusual step of killing the Windows Gadgets feature completely via a security update. According to an advisory issued Tuesday, an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget. Microsoft has pulled the plug on its official Gadgets Gallery and is offering a Fix-it that completely disables the Windows Sidebar and Gadgets. Researchers Mickey Shkatov and Toby Kohlenberg are scheduled to give a presentation on the vulnerability at the upcoming Black Hat conference called We Have You By the Gadgets."


  1. Misinformed Title by Mike+Wag · · Score: 5, Informative

    Slashdot's title gives the idea that Microsoft is using Windows Update to disable gadgets while in fact they are not. The article, however, is correct so this is just Slashdot trying to be sensationalist.

    What Microsoft is giving is a 'Fix It' executable on their website. These are entirely optional and are proactively downloaded and enabled by users. They also contain the full info of what they do.

    As for the "vulnerability", well, duh. You download executable code, you might get pwnd. Even Chrome warns you that addons can pwn your system.

    1. Re:Misinformed Title by ackthpt · · Score: 3, Insightful

      > Slashdot's title gives the idea that Microsoft is using Windows Update to disable gadgets while in fact they are not. The article, however, is correct so this is just Slashdot trying to be sensationalist.
      >
      > What Microsoft is giving is a 'Fix It' executable on their website. These are entirely optional and are proactively downloaded and enabled by users. They also contain the full info of what they do.
      >
      > As for the "vulnerability", well, duh. You download executable code, you might get pwnd. Even Chrome warns you that addons can pwn your system.

      Some of us are the beneficiaries of updates pushed out to us by IT departments where they take whatever Microsoft puts up, without much reading, because they don't know who they might step on.

      But your point is well taken.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Misinformed Title by fuzzyfuzzyfungus · · Score: 1

      I'm no Microsoft fan; but this sort of thing is common enough (especially among what I imagine Slashdot's readership to be), that I'd expect better.

      For better or for worse, MS is eyeballs-deep in the corporate market, which generally doesn't give a fuck about the cube drones' desire to have a shiny clock wasting 50 pixels on whatever screen was cheap from Dell 3 years ago; but does care about getting 0wn3d.

      For this reason, while they adopt a somewhat milder hand toward home users with autoupdate on, MS more or less continually offers fairly draconian 'apply this to axe $EXPLOITABLE_FEATURE' packages to their IT minions in the corporate world.

    3. Re:Misinformed Title by Sc4Freak · · Score: 5, Informative

      This is a fix-it update, which doesn't appear through windows update and isn't pushed out through WSUS...

    4. Re:Misinformed Title by jellomizer · · Score: 3, Insightful

      But we want Microsoft to be EVIL and Blundering. As we giggle in glee of all of Microsoft Mistakes knowing these are mistakes of Pure Evil. While we use our own Pure OS, which by the nature of the fact that we chose to run it, is Good and infallible (unless it in some ways have been corrupted), but would be quickly purified by the forces of good. While the same problem by Microsoft is part of a devious plot to keep its corruption to an all time high.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:Misinformed Title by Anonymous Coward · · Score: 1

      I know you were modded "Troll", but I just looked at your link and there is a Mike Wag and a Jenny Wag whose userids are only 2 away from each other (2683017 and 2683019). And their comment history shows them commenting only in this thread and saying almost exactly the same thing. Looks fishy to me.

    6. Re:Misinformed Title by Dog-Cow · · Score: 5, Insightful

      And even if it was, it wouldn't matter. IT departments that push patches indiscriminately deserve any negative feedback they get.

    7. Re:Misinformed Title by hairyfeet · · Score: 1, Troll

      Not only is it bullshit I'd say it's just one more move to try to get people to move over to Win 8. I mean who DIDN'T KNOW that running an executable as admin is a BAD THING, hmm? Are MSFT honestly trying to get us to believe that they don't even have enough common sense to keep malware off their own damned site? If so, their security team should be fucking ashamed of themselves!

      Most of my users use gadgets and I will be telling them to simply ignore this, because they already have the gadgets they want. But I'm sure MSFT figured out that if you wanted your OS to be a tweeting twitting FB shitting social OS like Win 8 you could just use the gadgets in Win 7 so what do they do? Why, let's get rid of the gadgets! Are you HONESTLY telling me you just NOW figured out gadgets run as admin from untrusted sites could be bad MSFT, really? Because I find that frankly unbelievable. I know I won't be giving up MY gadgets and I seriously doubt any of my customers will either.

      Just one more dick move by MSFT to get functionality that could compete with Win 8 out of Win 7. I have a feeling as the run up to Win 8 gathers steam we'll all have to watch like hawks for more "security updates" that tie a fucking boat anchor to Win 7 to try to make win 8 look better. If you are gonna spout horseshit MSFT, at least TRY to make it believable horseshit, mmmkay?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    8. Re:Misinformed Title by gorzek · · Score: 2

      Amazing how you figured that out within a minute of this being posted, yet the Slashdot "editors" apparently didn't even bother to check. These people get paid, don't they??

    9. Re:Misinformed Title by Ossifer · · Score: 1

      Don't trust anyone with a seven-digit uid.

    10. Re:Misinformed Title by rodrigoandrade · · Score: 4, Funny

      > I won't send the to Hell

      Please do; I'm afraid I'll not be able to kill Diablo on my own this time.

    11. Re:Misinformed Title by racermd · · Score: 4, Insightful

      As a former enterprise-grade desktop support staffer (i.e.: one level up from the front-line call-takers), I know there have always been ways to disable the Windows Gadget platform. If not through GPO, at least through most other alternative rights-management schemes. Ultimately, it's as simple as removing the sidebar.exe file from the Program Files folder(s). Alternatively, an anti-malware utility (that's centrally managed, right?) can prevent the executable from starting.

      This should not be news to any company large enough to have a (competent) IT staff. Anything that runs applets or other code locally is potentially vulnerable. Disabling the platform entirely is one of the most effective ways of preventing this sort of vulnerability from being any sort of problem on a large-ish network. As such, assuming they're competent, they've already disabled or restricted this functionality long before a formal vulnerability existed.

      And, like you said, what IS sorta newsworthy is the subtext - that Microsoft is choosing to eliminate the Gadget platform altogether rather than patch it appropriately. Heading into Windows 8, I'm betting they didn't want to expend the resources necessary to do a proper repair job and, instead, focus developer time on Windows 8, Windows Server 2012, and optimizations on their new tablet platform.

      --
      My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
    12. Re:Misinformed Title by hairyfeet · · Score: 5, Insightful

      This is something I have been wanting to ask for awhile, seriously, WTF does ANYBODY CARE about these so called "shills" anyway? I mean seriously the real shills are so damned easy to spot they may as well be the PHB on Dilbert, they use the same "buzzword bingo" that the corps just looooove to see in print, like "synergy" and "vertical integration" and "user experience" that nobody IRL uses, and if their point is bullshit? Well it's not hard to spot actual bullshit and it gets modded down quick enough.

      In the meanwhile all this "ZOMFG It a shill ZOMFG!" creates total paranoia and has the unstable seeing shill EVERYWHERE, I mean anybody that has read my history knows I'm just a little shop owner in the middle of bum fuck nowhere but so far I've been told I'm not actually in a little college town in the middle of AR, nope I'm hidden in a sekret bunker under Redmond, which I actually thought would be a hell of a lot more cool and interesting than my boring shop, oh and I'm also sub contracted to Comodo, AMD, Apple (Still haven't figured THAT one out, I don't even own an iPod), Asus, Gigabyte, and Asrock. I just wish someone would tell me where the sekret Swiss bank account is with all that money from subcontracting as I'd like a new truck, thanks.

      As for TFA I smell bullshit. Are you seriously telling me that MSFT can't even keep their own fucking website safe? Seriously? They got all those people working there, they can't even scan the fucking executables put on their own damned website? What are they running it on, a badly done FB page?

      Considering the fact I've NEVER seen anyone ever get a gadget at ANY site other than MSFT's, and that when you clicked on "get more gadgets online" it took you straight to their page I have to conclude that they simply want gadgets gone because it offers the same tweeting twitting FB shitting social crap that MSFT is pushing for Win 8. I've said it before and I'll say it again...watch out! I have NO doubt that between now and the release of Win 8 that MSFT will push more "security updates" that will be designed to cripple Win 7, because they are scared to death Win 8 is gonna be WinME the second coming.

      So triple check every damned update that comes out between now and then, and be sure to have disc images handy, because Ballmer and Sinofsky aren't gonna do anything that would allow Win 8 to flop and the simple fact is unless you have a touchscreen Win 7 will do anything you want. But if a security update were to...ohh I don't know....say kill 30%+ of performance, or take the decent features away, for "security reasons" of course, why folks might be more likely to buy Windows 8! The fact that MSFT is offering Win 8 pro upgrades on their website for $40 tells me they are running scared, hell they have NEVER offered pro for anywhere near that cheap, so frankly every single thing they say or do between now and then I would look at as suspect. MSFT is on the ropes, stuck in a niche that is flatline and will never be #1 again, and when backed into a corner as we have seen in the past MSFT can be pretty nasty. Just something to think about.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    13. Re:Misinformed Title by jjjhs · · Score: 1

      Go outside.

    14. Re:Misinformed Title by Khyber · · Score: 1

      No, lulz is now a furry/MLP porn website.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    15. Re:Misinformed Title by Anonymous Coward · · Score: 3, Insightful

      Tell me something, Mr Elite. How does someone who has never had formal training, but ends up leading a team of even less clued lackeys across a few hundred servers/workstations? You think they have time to test patches or arrange their environment for better upgrading? No probably not, they are probably worked to the n'th hour, job prospects for them look slim so they are happy with the $35k year they make and they do enough to keep up with outages, requests, and upper management.

      When things are working perfectly fine for 800 days and a malformed patch comes down the line they have every right to bitch.. but don't you dare tell them they deserve the negative feedback. That just feeds into their need to drink away their daily woes.

      And fuck you if you don't care about those people, there are hundreds upon thousands of these kind of IT shops out there.

    16. Re:Misinformed Title by Anonymous Coward · · Score: 1

      How can you patch stupidity? You can't. Randomly installing crap on your computer pwns your computer. You can't repair that very easily.

    17. Re:Misinformed Title by leucadiadude · · Score: 1

      Or anyone with a six-digit one either?

    18. Re:Misinformed Title by Anonymous Coward · · Score: 1

      don't trust anyone with a uid

    19. Re:Misinformed Title by JustOK · · Score: 1

      No, lulz is now a furry/MLP pr0n website.

      FTFY

      --
      rewriting history since 2109
    20. Re:Misinformed Title by Ossifer · · Score: 1

      Trust is relative, you know...

    21. Re:Misinformed Title by Anonymous Coward · · Score: 1

      So I can't push a patch that disables the worthless eye-candy that uses internet usages to update the weather app all day.

      Then how will I torment my users?

    22. Re:Misinformed Title by fatphil · · Score: 4, Insightful

      The problem is that there's a flip-side. IT departments who don't push vital patches in time will get negative feedback for delaying.

      --
      Also FatPhil on SoylentNews, id 863
    23. Re:Misinformed Title by Trogre · · Score: 1, Troll

      Especially when Microsoft keep having these frequent "accidents", such as pushing Skype and Silverlight (twice) as security updates over WSUS.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    24. Re:Misinformed Title by westlake · · Score: 1

      > As a former enterprise-grade desktop support staffer, I know there have always been ways to disable the Windows Gadget platform. If not through GPO, at least through most other alternative rights-management schemes.

      For a single user in Win 7 it is as simple as this:

      Search > Windows Features > Turn Windows Features On or Off > Windows Gadget Platform

    25. Re:Misinformed Title by mister_playboy · · Score: 4, Informative

      You like to complain about others making hyperbolic posts, yet every single post you make is an exaggerated bluster-filled rant.

      Your endless faux outrage is fucking boring. Get a new gimmick and maybe I'll consider reading your comments again.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    26. Re:Misinformed Title by humanrev · · Score: 1

      ^^ This post is the reason why I feel embarrassed to be part of the Linux community. It seems to be one of the few communities who actively relish hating a company to the point where any debate is dominated with emotions rather than facts. It's enough to push anyone away from Linux - who the fuck would WANT to become like the above poster?

      --
      Most people on Slashdot are fucking idiots.
    27. Re:Misinformed Title by hairyfeet · · Score: 1

      Do I actually care whether you read them or not? That would be a giant NO. What I DO care about is how quickly one "ZOMFG shill!" post can completely fucking derail the conversation, better than any actual shill ever could.

      So if you don't care? Please do go fuck off, you are wasting both my time and yours with your pointless "I don't care" post. Why don't you post about the weather, or what you had for lunch while you are at it?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    28. Re:Misinformed Title by Alex+Belits · · Score: 1

      Since you obviously work for Microsoft, we hate you, too. Go, kill yourself.

      --
      Contrary to the popular belief, there indeed is no God.
    29. Re:Misinformed Title by humanrev · · Score: 1

      Nah, I look better than you anyway (as per your livejournal). :)

      --
      Most people on Slashdot are fucking idiots.
    30. Re:Misinformed Title by Raenex · · Score: 1

      > Don't tell me they can't, because the Linux and GNU and FLOSS (in general) community has proven over and over again that they can ["released an Operating System that WORKED, was rock-solid, had bullet-proof security, was small, tight, and fast, was highly customizable, configurable, did its job quietly and kept the hell out of your way... and never needed to be patched because it had been designed to be secure and uncrashable from the ground up"]

      Delusional much? Could you provide a link to this magical, Linux/GNU/FLOSS software so that I may run it? Or alternatively, I could take a few seconds and point out the many flaws, patches, upgrades, and missing features.

    31. Re:Misinformed Title by tehcyder · · Score: 1

      > I'm no Microsoft fan

      That's a mighty bold statement in this town, partner.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    32. Re:Misinformed Title by cusco · · Score: 1

      > that nobody IRL uses

      We only wish. You apparently don't work with many marketing people, they not only actually use stupid buzzwords like that but seem to believe that everyone else does. When I was younger and dumber I got into an argument with a marketing flack about "virtual" something or other, and was amazed at the really bizarre things he believed. I learned then not to argue with marketing people, it's as useless as debating with Jehovah's Witnesses.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    33. Re:Misinformed Title by doggo · · Score: 1

      Amen, brother!

  2. Wrong summary by Jennifer+Wag · · Score: 5, Informative

    Microsoft Windows Update does not remove Windows Gadgets. To remove Windows Gadgets, you need to proceed to Microsoft website and download a Fix-It that can be then used to disable Windows Gadgets on your computer.

  3. What? by trifish · · Score: 5, Insightful

    > An attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget.

    I always thought that if an attacker is logged in as admin, he owns the system already.

    Why do they talk about a specific attack? There are zillions of them if you have admin rights.

    1. Re:What? by Sir_Sri · · Score: 1

      If the user is running as admin, which on Windows lots of users are (probably the vast majority of home users), then being able to gain remote control of the system is problematic at best.

      It's unfortunate, because I actually find some of the gadgets really handy (weather monitor, CPU monitor etc), but it's not worth getting your computer remotely seized for.

      It's not like there aren't other ways to do just about everything gadgets do anyway, it's just a poor man's live tile for small bits of info that are handy on the desktop.

    2. Re:What? by Mike+Wag · · Score: 1

      It's not remotely exploitable. Only if you install such gadget. You shouldn't be installing random software anyways.

    3. Re:What? by Anonymous Coward · · Score: 1

      Did you know a thief could steal all of your valuables if they used a key to unlock your front door?

    4. Re:What? by gl4ss · · Score: 1

      > It's not remotely exploitable. Only if you install such gadget. You shouldn't be installing random software anyways.

      That's even more stupid. If you as an admin install a program you can run it as admin? WHAT SHOCKING NEWS!!!!
      Will they be uninstalling Windows Explorer next?

      Is this their Metro push plan? Will they be uninstalling Metro from Win8 once it becomes known that if you install a malicious livetile program then that program can own you?

      --
      world was created 5 seconds before this post as it is.
    5. Re:What? by dd1968 · · Score: 2

      "Did you know a thief could steal all of your valuables if they used a key to unlock your front door?" And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?

    6. Re:What? by 0racle · · Score: 1

      "An attacker could take over a user's system if they (the user) are logged in as admin and they (the user) install a vulnerable gadget."

      Clearer?

      --
      "I use a Mac because I'm just better than you are."
    7. Re:What? by Mike+Wag · · Score: 1

      They're not uninstalling anything, they're providing you a tool you can use to uninstall gadgets.

    8. Re:What? by jmorris42 · · Score: 1

      So? It still resolves down to misunderstanding exactly what is meant by 'admin'. Whoever has admin/root can do whatever they darned well want.... or at least until the DRM hammer falls. But because they don't want end users to understand that they are blowing smoke up everyone's butt and removing a feature most of us consider a waste of cycles and memory but some people actually like.

      --
      Democrat delenda est
    9. Re:What? by Anonymous Coward · · Score: 1

      > Did you know a thief could steal all of your valuables if they used a key to unlock your front door?

      > And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?

      Did you know that if you are actually at home on a hot date with the thief's mother when you said you'd be gone, and you've had the foresight to label a large bottle of deadly deadly poison as "EYE/BRAIN BLEACH" and leave it sitting in the front room, hilarity is essentially guaranteed?

    10. Re:What? by TheRealMindChild · · Score: 1

      Sidebar Gadgets seem benign, but they are for all intents and purposes an IE window, running in the local zone (by default can create any ActiveX object on the system), with no scripting restrictions. So someone with admin rights can essentially install something that is telling them the weather, but can be quite mean. It isn't an obvious vector.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    11. Re:What? by Anonymous Coward · · Score: 1

      > Did you know a thief could steal all of your valuables if they used a key to unlock your front door?

      > And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?

      > Did you know that if you are actually at home on a hot date with the thief's mother when you said you'd be gone, and you've had the foresight to label a large bottle of deadly deadly poison as "EYE/BRAIN BLEACH" and leave it sitting in the front room, hilarity is essentially guaranteed?

      And did you know the front door we're all talking about is the front door of motor home? Because otherwise, this analogy is non-automotive.

    12. Re:What? by afidel · · Score: 1

      Not on Vista/7/8, on modern Windows Chrome runs as a low integrity process so there's no ownage unless there's another unpatched privilege escalation attack (which would have to work just as well against any normal user). Firefox addons are a bit vulnerable since Firefox runs as a medium security process but it still doesn't have your admin token.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    13. Re:What? by omnichad · · Score: 1

      Maybe it's bypassing UAC. The article was unclear.

    14. Re:What? by Sir_Sri · · Score: 1

      And I think, to prevent installing them at all.

      Seems like it's one of those problems where the entire concept cannot be secured quickly (think I.E. 6).

      But we'll know more when the black hat presentation comes.

    15. Re:What? by treeves · · Score: 1

      I think it was poorly worded, but what was meant was that if the USER is logged as admin, he could install a gadget that would give the attacker the ability to gain unwanted access to the system.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    16. Re:What? by hairyfeet · · Score: 1

      Not unless they are on XP, which if they are still running a 12 year old OS they have worse problems, like how damned many patches on top of patches that XP has had. Most of the gadgets anybody would actually want like the weather are included by default in the Win 7 gadget library, don't know about Vista as I don't have a machine with Vista handy at the shop.

      There is one that is excellent that isn't included that I will provide the link for, the most excellent Meter Gadgets which include CPU Meter, which integrates nicely with Coretemp so you can monitor core usage, temps, and RAM all from one little sidebar gadget, the network meter which is great if you have a flaky connection as it has all kinds of useful info and tools such as speedtest and signal quality for WiFi, battery meter which is what it says on the tin, and GPU meter which is nice if you are hot rodding your graphics card.

      They have several other gadgets there, everything from worldclocks to control gadgets and now that MSFT has pulled their gadgets page (nice how they use it to hawk Win 8, like we want that crap) it might be a good idea to bookmark it if you actually want some useful gadgets that aren't included with gadget library.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    17. Re:What? by JustOK · · Score: 1

      What if someone steals the key from the thief?

      --
      rewriting history since 2109
  4. Uh by FrYGuY101 · · Score: 2

    > an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget

    Am I missing something? Because if the attacker has root privs, you're pretty much screwed no matter what, gadget or no...

    --
    "If we let things terrify us, life will not be worth living."

    - Seneca
    1. Re:Uh by Dynamoo · · Score: 4, Informative

      The same goes for installing ANY application. This is a stupid knee-jerk reaction.

      --
      Never email donotemail@WeAreSpammers.com
    2. Re:Uh by CowTipperGore · · Score: 4, Funny

      Oh that's rich. A Microsoft troll account accusing Google of smearing Microsoft. Good stuff!

    3. Re:Uh by Marc+Madness · · Score: 4, Informative

      The featured article explains with a much less confusing use of pronouns:

      "An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user," company officials said in an advisory issued Tuesday. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system."

    4. Re:Uh by postbigbang · · Score: 1

      Your peaceful informative explanation brings clarity here. What were you thinking?

      --
      ---- Teach Peace. It's Cheaper Than War.
  5. Dr. Claw's response by Megane · · Score: 5, Funny

    "I got you this time, Gadgets!"

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  6. Why remove? by Picass0 · · Score: 1

    Couldn't MS simply patch their Gadgets engine so it won't run in an account with admin privileges? Maybe present the user with a popup "unable to run, you're an admin, you shouldn't do that on your daily driver account, etc..."

    This way users who like widgets will have an incentive to make their Windows profile safer.

    Carrot vs Stick. Sometimes the carrot is better.

    1. Re:Why remove? by VMSBIGOT · · Score: 1

      I'm not really sure what the hell the article is talking about. Unless you have disabled UAC, Sidebar.exe is running always under an unprivileged account. Take a look using Process Explorer and you will see that the "administrators" group is denied to that process.

      Hell, at least on Windows 8, you can't even try to run it as an administrator. It spawns an unprivileged child process to run it if you do.

  7. uh-oh by roc97007 · · Score: 1

    In a previous job, middleware admins had a custom gadget that displayed status on a wide variety of web apps for which the department was responsible. Personally, I wouldn't have done it that way (you never know what Microsoft ...stuff... will hang around and what won't) but I wasn't consulted.

    So it occurs to me that, if the Windows admin group pushes out this update, it'll take a mission critical tool offline. I will have to call a former co-worker and see how that goes. Since Windows admin is outsourced, it probably won't even occur to them to tell the user community that they're about to disable gadgets.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:uh-oh by roc97007 · · Score: 1

      > Sounds like ya'll need a change management process.

      Yeah, really?

      Ok here's how change management works there: Everything, including minor changes to development boxes, has to go through outsourced change management. The meetings are weekly, so if you want to correct a configuration issue in a web server and it's the day after the change meeting, it'll be a minimum one week before the change can be made.

      There is only one change meeting for the entire company. It is typically 3 to 4 hours long. It consists of reading through the changes and asking for "approved" or "disapproved" by the board, made up of managers without technical experience. There is no -- repeat no -- mechanism to identify how a random change will affect the resources for which you are responsible. It is entirely up to the workers to recognize that the proposed change involves a resource that affects them.

      Soooo.... you can dial into the call, and listen to all four hours of droning, on the off chance that you will recognize an issue, but how well that works depends on how well you know the parts of the architecture for which you are not responsible. And how well you can understand someone who isn't communicating in their native language, over a scratchy connection. (Incidentally, it seems de rigueur when you're reading off a change list to speak the change number distinctly and then let your voice fade out when you're saying the details. But I digress.)

      For instance, patching is considered junior level work, and the junior admins work their night shift, which is your day shift. It's not uncommon for them to down a server that feeds records to another server, that consolidates data in a database on another server, which feeds your app. Your app has stopped working during office hours and you have no idea why.

      So yeah, they have change management, but given the way it operates, it's just a managerial line item, not something actually meant to be useful.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    2. Re:uh-oh by roc97007 · · Score: 1

      ...the way it used to work, before outsourcing, the people making the changes knew enough about the systems, either through training or experience, that they could predict whom would be affected by a change, and give them a heads-up. This made the actual change meetings mere formalities.

      Post outsourcing, the people actually doing the change are very junior people (I'm resisting the urge to say "store clerks") who have no understanding what they're actually doing. Their sole role is to follow written procedures. Since they have no visibility of what the change would affect, they have no idea whom to notify, and that very important communication has ceased to exist. But the outsourcing company can say in reviews that they are complying with the letter of the law -- all changes go through change management, and if you're adversely affected by the change, it's your own fault. You should have picked it out of the 400 changes that week and recognized that collateral damage would take out apps for which you are responsible.

      And it's cheaper, to boot. Well, it's not cheaper, but I'm told that's the customer's fault also, because we keep asking for things that weren't in the original contract, like a reasonably agile environment.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  8. Re:Sigh by the+eric+conspiracy · · Score: 5, Funny

    > But then that's MS in 2012. Remove and restrict features, charge you for what was free before, and generally be a fucking bunch of dicks.

    As Steve Ballmer said, we are not going to let Apple have any market unchallenged.

  9. Re:And nothing of value was lost by Picass0 · · Score: 1

    >> "They're never useful"

    You shouldn't speak in absolutes. For some people they are. There are widgets that make things simple for everyday people instead of power users. Eg - When you tell your grandma it's more secure to turn her WiFi off in certain situations, a desktop toggle widget makes this a lot easier.

    When you think someone's machine is running a bit hot you might be inclined to put temperature monitors where the user can help you keep an eye on things.

  10. Re:And nothing of value was lost by Anonymous Coward · · Score: 1

    Well, I use some gadgets that are very useful, such as Drive Activity, TopProcess and Clipboarder (this one is a must have for me), I don't think there are alternatives for all of them. And no, they don't distract me in any way.

  11. Re:So stupid... by EvanED · · Score: 1

    And not only that, but it's supposedly temporary, presumably while they work on a better fix.

  12. Re: The gadget gallery is gone by PraiseBob · · Score: 1, Interesting

    The gadgets still work, but when I click on the "Get more gadgets online", it brings me to a webpage that says Microsoft doesn't host gadgets anymore because they are too busy making Windows 8.

    Instead it gives me the really helpful advice to not download gadgets from untrusted sources. This strikes me as unusual, since I was hoping Microsoft would be a trusted source where I could get safe gadgets. Apparently they aren't interested in doing that.

  13. They couldn't have killed them YESTERDAY?? by daboochmeister · · Score: 2

    I just spent an all-nighter figuring out why certain VMs wouldn't clone cleanly -- and it ended up being SideShow that was the root problem, preventing sysprep under the covers.

    If only I'd known, "just be patient" would have been the best advice.

    --
    "Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
    1. Re:They couldn't have killed them YESTERDAY?? by omnichad · · Score: 1

      Sideshow isn't the same thing as Sidebar, though they are related. Sideshow is a second screen (usually smaller) that is just big enough for a system status widget or other small indicator.

  14. They don't go away unless you want them to go away by westlake · · Score: 1

    I have a couple of extremely useful gadgets installed, and don't want to see them go away.

    They don't go away unless you want them to go away.

    You don't need the Fix-It Tool.

    Search>Windows Features>Turn Windows Features On or Off>Windows Gadget Platform

  15. For security reasons only? by Black+LED · · Score: 2

    I use desktop gadgets in Windows 7 for system monitoring, application launcher, weather report and volume control and have come to rely upon them heavily. I won't be applying this patch, however I can't help but wonder if MS is sneakily trying to kill off gadgets partly to promote the Windows 8 tiles and start screen.

    1. Re:For security reasons only? by idontgno · · Score: 1

      That occurred to me too.

      The threat statement comes down to "A program you download, install, and execute may secretly do bad things to your computer with the privileges and permissions of the user who is executing the program."

      In the words of the Prophet, "Well, DUH!"

      There is nothing distinctive to desktop gadgets in this. So the stated rationale has the whiff of bullshit that usually emanates from acts of Security Theatre.

      And that always makes me wonder about ulterior motives and what kind of bad faith that powerful aroma is intended to cover up. Your theory, as sketchy as it seems to be (to me), may be plausible (at least in the Byzantine thought processes of Microsoft Marketing... they're so used to FUD-kneecapping their market competitors that even when the competition is themselves, they can't help it.)

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:For security reasons only? by JDG1980 · · Score: 2

      > I won't be applying this patch, however I can't help but wonder if MS is sneakily trying to kill off gadgets partly to promote the Windows 8 tiles and start screen.

      Judging from the message they've posted on the closed Gadgets Gallery page, it certainly looks that way:

      "Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery."

      Translation: nothing to see here, Windows 7 is yesterday's news, throw away your real PCs and embrace the tabletness of Windows 8!

  16. Re:And nothing of value was lost by DigiShaman · · Score: 1

    Actually, I liked Windows Gadgets. I'm still using many of the ones offered by http://addgadgets.com./ Specifically the CPU, Network, and GPU meters. Hands-down should be included in the official Windows 7 Gadgets list.

    --
    Life is not for the lazy.
  17. Fit-it by ISoldat53 · · Score: 1

    So do I enable the Fix-it solution to disable the gadgets? Or do I disable the Fix-it solution to disable gadgets? Or do I disable the fix-it solution to enable the gadgets after I enable the Fix-it solution to disable gadgets?

  18. Sysinternals. by westlake · · Score: 1

    They're never useful, all they do is eat up CPU time or distract you with constantly-moving readouts. Hate those things.

    For fact checking:

    Sysinternals > sidebar.exe > Properties

    Performance
    Performance Graph
    GPU Graph

    On my system the current load is 0% GPU and 1.5-2% CPU.

    The CPU and GPU monitors, almost certainly.

    I've been tracking system and GPU cooling in our summer heat waves.

  19. Re: The gadget gallery is gone by FearTheDonut · · Score: 2

    It has been this way for some time - At least as of a few months ago. That message isn't related to what's happening now.

  20. why? by Simulant · · Score: 1

    Can anyone explain how a Gadget is more dangerous than any other piece of software you might download and execute? Microsoft didn't.
    I think they just want to get rid of Gadgets. They closed the shop months ago.

  21. tag: timothysucks by Nimey · · Score: 3

    Looks like we're going to have to treat timothy like we treated kdawson until he shapes up.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  22. News flash: Running malicious programs is bad! by JDG1980 · · Score: 1

    "An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user," company officials said in an advisory issued Tuesday. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system." To be successful, they added, "An attacker would have to convince a user to install and enable a vulnerable Gadget."

    In other words: Gadgets are just like any other kind of executable code – they run under the user's credentials and can do things the user doesn't necessarily expect.

    Part of me (the paranoid part) thinks that this is a prelude to Windows eventually trying to close off all "untrusted" third-party code in newer versions of Windows, and eventually require everything to either go through the App Store or some sort of corporate app repository. They want to get rid of the desktop and general-purpose computing, they just don't think they can get away with it yet. This is a trial balloon and there has to be strong pushback against it.

    1. Re:News flash: Running malicious programs is bad! by spitzak · · Score: 1

      > and eventually require everything to either go through the App Store or some sort of corporate app repository

      I think if that was the plan, then you should still get "official Microsoft gadgets" from the Microsoft "app store". But apparently they have been removed from there.

      I don't use Windows so I really don't know what is going on, but this does sound mysterious. I mean it is pretty much a "duh" insight that running untrusted software as admin is a problem, and they did not remove *all* software. So this either means an insidious plot of some sort to get rid of gadgets because they don't fit into future marketing, or the rather uncomfortable idea that there is a bug/misfeature such that gadgets actually are more dangerous than normal applications.

  23. Re:And nothing of value was lost by gman003 · · Score: 1

    You say absolutes; I say hyperbole.

  24. Re:I want my money back by Jeng · · Score: 1

    I'm sure you'll find lots of lawyers willing to help you, but to have a class-action lawsuit over this is beyond silly.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  25. Re:Sigh by datavirtue · · Score: 1

    You don't need it. I've been using Windows 8 for less than a day and I do not miss the cluttered start menu--I've been using Windows for 20 years. I use the Toolbar Address option to quick search on the desktop and it launches everything I need instantly. The new tiles interface is just a cleaner copy of the best Android interfaces and it is welcome. Regular users are going to eat this up. I supplied my social network and Exchange accounts and it integrated all of them cleanly into the interface. It took me less time to learn the Windows 8 interface than it did to get comfortable with Windows 7! From all of the /. comments as of late I thought for sure I was going to hate Windows 8, but there is nothing to hate. A cleaner, well designed interface for Windows. I bought a Xoom with Android 3 some time ago and fell in love with the easy to use, clean interface and multitasking, Microsoft just took the best from that. After using the Xoom I knew I wanted the same interface on a desktop and it materialized. Best interface available, good stuff.

    --
    I object to power without constructive purpose. --Spock
  26. Re:And nothing of value was lost by the_bard17 · · Score: 1

    Absolute or hyperbole; regardless of the word used to describe it, I'd recommend finding a better term than "never useful". It makes you sound like a pretentious asswipe who can't think past his own needs, wants, and preferences.

    Unless you are a pretentious asswipe; in which case, carry on.

  27. Re:ironic by JBMcB · · Score: 1

    "JavaScript app (Gadget) and a Metro app (Real executable.)" ... that can be written in Javascript/HTML.

    --
    My Other Computer Is A Data General Nova III.
  28. Fuck you MS by pandronic · · Score: 2

    As a once gadget developer I say "Fuck you Microsoft!" and here's why ... when gadgets were all the shit they pushed the gadget gallery and they pushed it hard. OMG, you can program in JS and HTML, you can reuse your webdeveloping skills. I was excited as fuck. So I made a fairly popular free gadget. I thought that they would expand their site to make non-free gadgets possible, since the "gadget store" was littered with mentions about a mysterious Microsoft currency, but that didn't happen, the updates were approved in more than two weeks, complaints about a dude who copied my gadget and published it in his name went unanswered for years, the docs were shit and incomplete, the gadget site was buggy, the Windows gadget app was buggy, IE9 made it even buggier, my polite post on the dev forum about the future of the Gadget Gallery was censored, really WTF?

    Is this how MS will treat their Metro developers if it doesn't have the success the corporate douchebags in Redmond expect it to?

    1. Re:Fuck you MS by Areyoukiddingme · · Score: 1

      You should have realized this would happen when you considered for a moment why Windows Gadgets existed at all. They were an answer to the Google Desktop Sidebar, which was precisely the same thing: gadgets programmed in JS and HTML. Google discontinued Google Desktop a couple of years ago, citing specifically the creation of Windows Gadgets as one of the reasons why. Now that people have forgotten Google Desktop, Windows Gadgets has served its purpose and can be euthanized.

      And I am VINDICATED! I said you'll pry my Google Desktop Sidebar from my cold dead hands, and I was RIGHT. I still have my sidebar, and no Fix-It will kill it, now or later.

      If there was any question about what Microsoft is doing, this should answer it: rather than trying to make products for customers, they're fighting a war against Apple and Google. If they win on any front, they abandon their "gains" as an expense that isn't worth sustaining. There's a reason why the pundits are calling it "Microsoft's Lost Decade."

  29. Re:I want my money back by JBMcB · · Score: 1

    Not if you are a company that, for some reason, relies on gadget functionality.

    Another case in point: there is an obscure function in SQL server that lets you load in data from Excel quickly and easily. It's insanely useful when importing data in from some weirdo 3rd party applications that can't really export in another more useful format.

    Thing is, Microsoft stopped shipping the standard Access/Excel ODBC drivers in 64-bit Windows 2003. This essentially made this function useless (you could still import CSV files, poorly - hooray). They didn't document this anywhere, and the examples still exist in the documentation for SQL 2005, even though it didn't work on the 64-bit version.

    So enough people complained that they released 64-bit versions of the drivers a few years later. It's completely obscure functionality, but a ton of people used it.

    --
    My Other Computer Is A Data General Nova III.
  30. Re:ironic by pandronic · · Score: 1

    Real Metro apps can be written in JS and HTML. Troll much?

  31. Re: The gadget gallery is gone by locopuyo · · Score: 2

    Microsoft stopped hosting gadgets a long time ago because they didn't want to be responsible for them. The get more gadgets link is completely useless. You have to search online to find them and the sites that have them are ridden with advertisements for spyware.

  32. Retain ad-free Pandora gadget functionality by Pausanias · · Score: 1

    If you do remove gadgets, there is only one true loss. The Pandora gadget is extremely useful because it provides the only ad-free frontend to pandora. If you disable Gadgets, you can still access it through this link:

    http://internal-tuner.pandora.com/windowsgadget/gadget.jsp

    I found the audio to be choppy for some reason under firefox when you navigate away from the tab that contains it... for that reason it should likely be spawned into its own window.

  33. Re:I want my money back by Jeng · · Score: 1

    Gadget functionality can be replicated in a number of ways using different platforms, but only Microsoft could have made an updated 64 bit driver for Access/Excel ODBC.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  34. Ridiculous.. by michealPW · · Score: 1

    "an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget."

    Uhh.. That's ridiculous. What CAN'T go wrong if you're logged in as Admin and install/run malicious code?
    Why not just send out a patch that prevents Windows from executing code entirely since, you know, it COULD be dangerous.. :|

    1. Re:Ridiculous.. by JDG1980 · · Score: 1

      > Why not just send out a patch that prevents Windows from executing code entirely since, you know, it COULD be dangerous.. :|

      It's called Windows RT.

  35. Lame solution to a fixable problem by bogie · · Score: 1

    I love their solution. Instead of Easily fixing the problem, which btw is definitely possible, they tell you to upgrade to Windows 8 and Metro as an alternative. Um ok...

    MS can blow me if they think that's somehow an acceptable alternative. They must really be desperate to get people to buy into Metro if they are pulling stunts like this.

    --
    If you wanna get rich, you know that payback is a bitch
  36. Re:And nothing of value was lost by Saija · · Score: 1

    Hey, I have a slide show gadget showing me pictures from my wife, baby and relatives, cheaper than buying some frames or a digital frame.

    --
    Slashdot isn't what it used to be! ;)
  37. Re:So stupid... by ilsaloving · · Score: 1

    Wow, it seems I struck a nerve with all the Microsoft fanbois. Not only have I been modded troll, but I've got several comments who clearly haven't even bothered to read what I wrote.

    FACT A) Microsoft *admits* that the gadget platform is fundamentally flawed.
    FACT B) Microsoft has provided an optional patch for you to disable it entirely if you don't want it.

    One person says that the disabling of the feature is temporary. There is no citation for this, and this is NOT corroborated in the news articles.

    What Microsoft has done is abandon a core feature they advertised as part of their OS. You can either disable it entirely, or you can leave it and live with the security risks. They sold us a product that was not fit for purpose, and now they're going nyah nyah.

    I'm sorry fanbois, if you can't deal with the truth, that's YOUR problem. Shooting the messenger doesn't change the fact Microsoft dropped the ball so badly they don't even want to pick it back up again.

  38. Re:And nothing of value was lost by Picass0 · · Score: 1

    I didn't think he was pretentious.