Microsoft reveals first Vista gadget bugs

Microsoft on Tuesday patched several Windows Vista gadgets, the first time it has had to fix the small desktop applications, prompting one researcher to mark the date as the real "arrival of the next generation of vulnerabilities."

The three bugs detailed in one of the nine bulletins issued Tuesday could let an attacker run code of his choosing on a victim's Vista PC, Microsoft said. Three of Vista's bundled gadgets -- the small applications that sit on the desktop, usually pulling information from other programs or from the Web -- are flawed: the RSS (Feed Headlines), Contacts and Weather gadgets. The vulnerabilities in the RSS and Weather gadgets are the more dangerous of the three, since both are enabled by default in a standard Vista installation, so a user need not have installed or configured anything to be exposed.

"If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on a malicious link in the Weather Gadget an attacker could potentially run code on the system," Microsoft reported in the bulletin.

Although the bugs can result in remote code execution on the target machine -- a characteristic that usually pegs a vulnerability as "critical" -- Microsoft ranked them one step lower, as "important," in part because code launched through a gadget runs only with the rights of the logged-on user, and Vista's revised default account rights settings should blunt the worst of the damage.

Most third-party researchers, however, fixed attention not so much on the bugs themselves but on the fact that they lived inside Vista's gadgets.

"Six months ago, around the time of Vista release we started talking about the new types of vulnerabilities we might see," said Amol Sarwate, the manager of Qualys' vulnerability research lab. "These vulnerabilities are a testament that this next generation has finally arrived."

Tyler Reguly, a Toronto-based researcher with nCircle Network Security, also tapped the gadget vulnerabilities as among the most interesting of Tuesday. "There was actually an article almost two years ago quoting a researcher at Trend Micro who said that RSS would be the botnets' next stomping ground," said Reguly in a posting to the nCircle blog. "This vulnerability could be proof of that. When you subscribe to an RSS feed you are implicitly trusting that feed. This vulnerability takes advantage of that trust relationship, inserting malicious code into something that you are 'blindly' trusting."

Like Sarwate, Reguly thinks that the RSS gadget bug is a harbinger of bad things to come. "It's a scary thought. This isn't like clicking a link in Internet Explorer...this action has been pre-approved. I'm interested to see where this will lead us."

VeriSign iDefense, which originally reported the RSS bug to Microsoft in March, also spelled out how a hacker could wreak the most havoc with the vulnerability. "If an attacker can find some way to inject data into a trusted feed then they will be able to exploit any subscribers to the feed," the company said in its own advisory, also published Tuesday. iDefense credited Aviv Raff, a security researcher who works for Finjan and is noted for rooting out bugs in Web browsers. In the past, Raff has disclosed vulnerabilities in Apple's Safari and Mozilla's Firefox.
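The trust relationship that Reguly and iDefense describe is easy to see in code. Vista gadgets are written in HTML and script, and a gadget that splices feed text straight into its own markup hands control of that markup to whoever controls the feed. The following is an added JavaScript example written for this article, not Microsoft's gadget code and not anything published by the researchers quoted above: the RSS document, the item extractor and the function names are all constructed for the demonstration.

```javascript
// Added example: a feed-rendering routine in the style of a sidebar gadget,
// shown first in a vulnerable form and then hardened. The feed is constructed
// for this demo; the second item is benign, the first is attacker-controlled.
const feed = `<?xml version="1.0"?>
<rss version="2.0"><channel><title>Demo feed</title>
<item>
  <title><![CDATA[Breaking news <img src=x onerror="alert(document.cookie)">]]></title>
  <link>javascript:alert(1)</link>
</item>
<item>
  <title>Ordinary headline &amp; more</title>
  <link>https://example.com/story</link>
</item>
</channel></rss>`;

// Minimal <item> extractor. A regex is used only to keep the demo
// self-contained; a real gadget would use a proper XML parser.
function parseItems(xml) {
  const items = [];
  const itemRe = /<item>([\s\S]*?)<\/item>/g;
  let m;
  while ((m = itemRe.exec(xml)) !== null) {
    items.push({ title: field(m[1], 'title'), link: field(m[1], 'link') });
  }
  return items;
}

// Pull one child element's text, unwrapping CDATA or decoding XML entities.
// Note that after this step the title is plain text from the feed author's
// point of view, which is exactly why it must be re-escaped before it goes
// into HTML.
function field(itemXml, tag) {
  const re = new RegExp(`<${tag}>([\\s\\S]*?)<\\/${tag}>`);
  const m = re.exec(itemXml);
  if (!m) return '';
  const v = m[1].trim();
  const cdata = /^<!\[CDATA\[([\s\S]*?)\]\]>$/.exec(v);
  return cdata ? cdata[1] : decodeXml(v);
}

function decodeXml(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
          .replace(/&amp;/g, '&');          // &amp; last, so &amp;lt; -> &lt;
}

// VULNERABLE: feed text goes straight into markup. Anyone who can publish to,
// or tamper with, the subscribed feed gets script execution in the gadget.
function renderUnsafe(item) {
  return `<a href="${item.link}">${item.title}</a>`;
}

// HARDENED: escape for the HTML context and allow only http(s) link targets,
// so neither the title nor the link can introduce script.
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
                  .replace(/>/g, '&gt;').replace(/"/g, '&quot;')
                  .replace(/'/g, '&#39;');
}

function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) { /* not a parseable URL: fall through */ }
  return '#';
}

function renderSafe(item) {
  return `<a href="${escapeHtml(safeHref(item.link))}">${escapeHtml(item.title)}</a>`;
}

function renderFeed(xml, render) {
  return parseItems(xml).map(render).join('\n');
}

console.log('--- unsafe ---\n' + renderFeed(feed, renderUnsafe));
console.log('--- safe ---\n' + renderFeed(feed, renderSafe));
```

Run it with Node and compare the two renderings: the unsafe one carries the feed's `<img onerror=...>` and `javascript:` link through untouched, the hardened one turns the first into inert text and the second into a dead link. The point is that nothing in this code ever "clicks" anything; simply subscribing to the feed, as Reguly notes, is the pre-approved action, so the gadget must treat every byte of the feed as hostile input.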

But while these patches are the first to fix Microsoft's own gadgets, flawed gadgets are not new. Late last month, for example, Yahoo Widgets, a competing gadget platform, was tagged with a critical vulnerability in an associated ActiveX control.

Microsoft's gadget patches can be obtained through the company's update services.

Gregg Keizer

Computerworld