Slashdot Mirror


Microsoft Kills Windows Gadgets Via Security Update

benfrog writes "Microsoft has taken the unusual step of killing the Windows Gadgets feature completely via a security update. According to an advisory issued Tuesday, an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget. Microsoft has pulled the plug on its official Gadgets Gallery and is offering a Fix-it that completely disables the Windows Sidebar and Gadgets. Researchers Mickey Shkatov and Toby Kohlenberg are scheduled to give a presentation on the vulnerability at the upcoming Black Hat conference called We Have You By the Gadgets."

28 of 161 comments

  1. Misinformed Title by Mike+Wag · · Score: 5, Informative

    Slashdot's title gives the idea that Microsoft is using Windows Update to disable gadgets while in fact they are not. The article, however, is correct so this is just Slashdot trying to be sensationalist.

    What Microsoft is giving is a 'Fix It' executable on their website. These are entirely optional and are proactively downloaded and enabled by users. They also contain the full info of what they do.

    As for the "vulnerability", well, duh. You download executable code, you might get pwnd. Even Chrome warns you that addons can pwn your system.

    1. Re:Misinformed Title by ackthpt · · Score: 3, Insightful

      > Slashdot's title gives the idea that Microsoft is using Windows Update to disable gadgets while in fact they are not. The article, however, is correct so this is just Slashdot trying to be sensationalist.
      >
      > What Microsoft is giving is a 'Fix It' executable on their website. These are entirely optional and are proactively downloaded and enabled by users. They also contain the full info of what they do.
      >
      > As for the "vulnerability", well, duh. You download executable code, you might get pwnd. Even Chrome warns you that addons can pwn your system.

      Some of us are the beneficiaries of updates pushed out to us by IT departments where they take whatever Microsoft puts up, without much reading, because they don't know who they might step on.

      But your point is well taken.

      --
      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Misinformed Title by Sc4Freak · · Score: 5, Informative

      This is a fix-it update, which doesn't appear through Windows Update and isn't pushed out through WSUS...

    3. Re:Misinformed Title by jellomizer · · Score: 3, Insightful

      But we want Microsoft to be EVIL and Blundering. As we giggle in glee at all of Microsoft's mistakes, knowing these are mistakes of Pure Evil. While we use our own Pure OS, which by the nature of the fact that we chose to run it, is Good and infallible (unless it in some ways has been corrupted), but would be quickly purified by the forces of good. While the same problem by Microsoft is part of a devious plot to keep its corruption to an all time high.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Misinformed Title by Dog-Cow · · Score: 5, Insightful

      And even if it was, it wouldn't matter. IT departments that push patches indiscriminately deserve any negative feedback they get.

    5. Re:Misinformed Title by gorzek · · Score: 2

      Amazing how you figured that out within a minute of this being posted, yet the Slashdot "editors" apparently didn't even bother to check. These people get paid, don't they??

    6. Re:Misinformed Title by rodrigoandrade · · Score: 4, Funny

      I won't send the to Hell

      Please do; I'm afraid I'll not be able to kill Diablo on my own this time.

    7. Re:Misinformed Title by racermd · · Score: 4, Insightful

      As a former enterprise-grade desktop support staffer (i.e.: one level up from the front-line call-takers), I know there have always been ways to disable the Windows Gadget platform. If not through GPO, at least through most other alternative rights-management schemes. Ultimately, it's as simple as removing the sidebar.exe file from the Program Files folder(s). Alternatively, an anti-malware utility (that's centrally managed, right?) can prevent the executable from starting.

      This should not be news to any company large enough to have a (competent) IT staff. Anything that runs applets or other code locally is potentially vulnerable. Disabling the platform entirely is one of the most effective ways of preventing this sort of vulnerability from being any sort of problem on a large-ish network. As such, assuming they're competent, they've already disabled or restricted this functionality long before a formal vulnerability existed.

      And, like you said, what IS sorta newsworthy is the subtext - that Microsoft is choosing to eliminate the Gadget platform altogether rather than patch it appropriately. Heading into Windows 8, I'm betting they didn't want to expend the resources necessary to do a proper repair job and, instead, focus developer time on Windows 8, Windows Server 2012, and optimizations on their new tablet platform.

      --
      My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
    8. Re:Misinformed Title by hairyfeet · · Score: 5, Insightful

      This is something I have been wanting to ask for awhile, seriously, WTF does ANYBODY CARE about these so called "shills" anyway? I mean seriously the real shills are so damned easy to spot they may as well be the PHB on Dilbert, they use the same "buzzword bingo" that the corps just looooove to see in print, like "synergy" and "vertical integration" and "user experience" that nobody IRL uses, and if their point is bullshit? Well it's not hard to spot actual bullshit and it gets modded down quick enough.

      In the meanwhile all this "ZOMFG It a shill ZOMFG!" creates total paranoia and has the unstable seeing shills EVERYWHERE, I mean anybody that has read my history knows I'm just a little shop owner in the middle of bum fuck nowhere but so far I've been told I'm not actually in a little college town in the middle of AR, nope I'm hidden in a sekret bunker under Redmond, which I actually thought would be a hell of a lot more cool and interesting than my boring shop, oh and I'm also sub contracted to Comodo, AMD, Apple (Still haven't figured THAT one out, I don't even own an iPod), Asus, Gigabyte, and Asrock. I just wish someone would tell me where the sekret Swiss bank account is with all that money from subcontracting as I'd like a new truck, thanks.

      As for TFA I smell bullshit. Are you seriously telling me that MSFT can't even keep their own fucking website safe? Seriously? They got all those people working there, they can't even scan the fucking executables put on their own damned website? What are they running it on, a badly done FB page?

      Considering the fact I've NEVER seen anyone ever get a gadget at ANY site other than MSFT's, and that when you clicked on "get more gadgets online" it took you straight to their page I have to conclude that they simply want gadgets gone because it offers the same tweeting twitting FB shitting social crap that MSFT is pushing for Win 8. I've said it before and I'll say it again...watch out! I have NO doubt that between now and the release of Win 8 that MSFT will push more "security updates" that will be designed to cripple Win 7, because they are scared to death Win 8 is gonna be WinME the second coming.

      So triple check every damned update that comes out between now and then, and be sure to have disc images handy, because Ballmer and Sinofsky aren't gonna do anything that would allow Win 8 to flop and the simple fact is unless you have a touchscreen Win 7 will do anything you want. But if a security update were to...ohh I don't know....say kill 30%+ of performance, or take the decent features away, for "security reasons" of course, why folks might be more likely to buy Windows 8! The fact that MSFT is offering Win 8 pro upgrades on their website for $40 tells me they are running scared, hell they have NEVER offered pro for anywhere near that cheap, so frankly every single thing they say or do between now and then I would look at as suspect. MSFT is on the ropes, stuck in a niche that is flatline and will never be #1 again, and when backed into a corner as we have seen in the past MSFT can be pretty nasty. Just something to think about.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Misinformed Title by Anonymous Coward · · Score: 3, Insightful

      Tell me something, Mr Elite. How does someone who has never had formal training, but ends up leading a team of even less clued lackeys across a few hundred servers/workstations? You think they have time to test patches or arrange their environment for better upgrading? No probably not, they are probably worked to the n'th hour, job prospects for them look slim so they are happy with the $35k a year they make and they do enough to keep up with outages, requests, and upper management.

      When things are working perfectly fine for 800 days and a malformed patch comes down the line they have every right to bitch.. but don't you dare tell them they deserve the negative feedback. That just feeds into their need to drink away their daily woes.

      And fuck you if you don't care about those people, there are hundreds upon thousands of these kind of IT shops out there.

    10. Re:Misinformed Title by fatphil · · Score: 4, Insightful

      The problem is that there's a flip-side. IT departments who don't push vital patches in time will get negative feedback for delaying.

      --
      Also FatPhil on SoylentNews, id 863
    11. Re:Misinformed Title by mister_playboy · · Score: 4, Informative

      You like to complain about others making hyperbolic posts, yet every single post you make is an exaggerated bluster-filled rant.

      Your endless faux outrage is fucking boring. Get a new gimmick and maybe I'll consider reading your comments again.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
  2. Wrong summary by Jennifer+Wag · · Score: 5, Informative

    Microsoft Windows Update does not remove Windows Gadgets. To remove Windows Gadgets, you need to proceed to the Microsoft website and download a Fix-It that can then be used to disable Windows Gadgets on your computer.

  3. What? by trifish · · Score: 5, Insightful

    > An attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget.

    I always thought that if an attacker is logged in as admin, he owns the system already.

    Why do they talk about a specific attack? There are zillions of them if you have admin rights.

    1. Re:What? by dd1968 · · Score: 2

      "Did you know a thief could steal all of your valuables if they used a key to unlock your front door?" And did you know that if you give the thief the key and tell the thief when you are going to be away from home you are more at risk?

  4. Uh by FrYGuY101 · · Score: 2

    > an attacker could take over a user's system if they are logged in as admin and they install a vulnerable gadget

    Am I missing something? Because if the attacker has root privs, you're pretty much screwed no matter what, gadget or no...

    --
    "If we let things terrify us, life will not be worth living."

    - Seneca
    1. Re:Uh by Dynamoo · · Score: 4, Informative

      The same goes for installing ANY application. This is a stupid knee-jerk reaction.

      --
      Never email donotemail@WeAreSpammers.com
    2. Re:Uh by CowTipperGore · · Score: 4, Funny

      Oh that's rich. A Microsoft troll account accusing Google of smearing Microsoft. Good stuff!

    3. Re:Uh by Marc+Madness · · Score: 4, Informative

      The featured article explains with a much less confusing use of pronouns:

      "An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user," company officials said in an advisory issued Tuesday. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system."

  5. Dr. Claw's response by Megane · · Score: 5, Funny

    "I got you this time, Gadgets!"

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  6. Re:Sigh by the+eric+conspiracy · · Score: 5, Funny

    > But then thats MS in 2012. Remove and restrict features, charge you for what was free before, and generally be a fucking bunch of dicks.

    As Steve Ballmer said, we are not going to let Apple have any market unchallenged.

  7. They couldn't have killed them YESTERDAY?? by daboochmeister · · Score: 2

    I just spent an all-nighter figuring out why certain VMs wouldn't clone cleanly -- and it ended up being SideShow that was the root problem, preventing sysprep under the covers.

    If only I'd known, "just be patient" would have been the best advice.

    --
    "Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
  8. For security reasons only? by Black+LED · · Score: 2

    I use desktop gadgets in Windows 7 for system monitoring, application launcher, weather report and volume control and have come to rely upon them heavily. I won't be applying this patch, however I can't help but wonder if MS is sneakily trying to kill off gadgets partly to promote the Windows 8 tiles and start screen.

    1. Re:For security reasons only? by JDG1980 · · Score: 2

      > I won't be applying this patch, however I can't help but wonder if MS is sneakily trying to kill off gadgets partly to promote the Windows 8 tiles and start screen.

      Judging from the message they've posted on the closed Gadgets Gallery page, it certainly looks that way:

      "Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery."

      Translation: nothing to see here, Windows 7 is yesterday's news, throw away your real PCs and embrace the tabletness of Windows 8!

  9. Re: The gadget gallery is gone by FearTheDonut · · Score: 2

    It has been this way for some time - At least as of a few months ago. That message isn't related to what's happening now.

  10. tag: timothysucks by Nimey · · Score: 3

    Looks like we're going to have to treat timothy like we treated kdawson until he shapes up.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  11. Fuck you MS by pandronic · · Score: 2

    As a once gadget developer I say "Fuck you Microsoft!" and here's why ... when gadgets were all the shit they pushed the gadget gallery and they pushed it hard. OMG, you can program in JS and HTML, you can reuse your webdeveloping skills. I was excited as fuck. So I made a fairly popular free gadget. I thought that they would expand their site to make non-free gadgets possible, since the "gadget store" was littered with mentions about a mysterious Microsoft currency, but that didn't happen, the updates were approved in more than two weeks, complaints about a dude who copied my gadget and published it in his name went unanswered for years, the docs were shit and incomplete, the gadget site was buggy, the Windows gadget app was buggy, IE9 made it even buggier, my polite post on the dev forum about the future of the Gadget Gallery was censored, really WTF?

    Is this how MS will treat their Metro developers if it doesn't have the success the corporate douchebags in Redmond expect it to?

  12. Re: The gadget gallery is gone by locopuyo · · Score: 2

    Microsoft stopped hosting gadgets a long time ago because they didn't want to be responsible for them. The get more gadgets link is completely useless. You have to search online to find them and the sites that have them are ridden with advertisements for spyware.