Win7 and Vista sidebar/gadget vulnerability

[blueball]

Taking a sledgehammer to crack a nut?
===============================================================


This is a security bulletin from the MCT-SafeComputing-List.
A copy of the text of this email for verification - which may include
further updates is at:
http://safecomputing.open.ac.uk/latest_bulletins.htm

Bulletin ID (also shown on web version): DCLR-8W5B4A

-----------------------------------------------------------------------------------------------
B U L L E T I N
Microsoft is proceeding with plans to remove the Windows 'Sidebar and
Gadget' platform from Windows Vista and Windows 7 because it allegedly
contains serious security vulnerabilities which will be disclosed at a
forthcoming security conference.

Microsoft has said that it has discovered that some Vista and Win7 gadgets
don’t adhere to secure coding practices and should be regarded as causing
risk to the systems on which they’re run. They intend to provide a 'Fix it'
utility to help system administrators to disable Gadgets and the Sidebar
across their enterprises.

if an attacker successfully exploited a Gadget vulnerability they could run
arbitrary code in the context of the current user

Domestic users will also be affected by vulnerabilities about to be
revealed in the Sidebar and Gadgets interface, and may decide not to use
them as a precaution. A link to the Microsoft FixIt utility which will
disable the interface is shown below

The Sidebar and Gadgets interface will not be present in Windows 8 when it
is released.
-------------------------------------------------------------------------------------------------------------------

W E B L I N K S
ZDNet:
http://www.zdnet.com/security-flaws-...ts-7000000724/

Ars Technica:
http://arstechnica.com/security/2012...ndows-gadgets/

The Verge:
http://www.theverge.com/2012/7/11/31...-vulnerability

Microsoft Gadgets:
http://windows.microsoft.com/en-us/w...dgets-overview

Microsoft Bulletin:
http://technet.microsoft.com/en-us/s...19662#section1
Microsoft FixIt: http://support.microsoft.com/kb/2719662
-------------------------------------------------------------------------------------------------------------------

[Apex]

So insted of fixing it they are removing it, way to go M$.

[Phage]

Reading that it seems that vulnerabilities would be introduced by gadgets written by 3rd parties. Accordingly, they are assuming the lowest common denominator and allowing the public to remove the functionality if they feel it's necessary.

I'm OK with that.