Microsoft preps Vista to thwart rogue gadgets

An optional OS update can block buggy or malicious mini-apps

Microsoft Wednesday urged Windows Vista users to download a new security tool that automatically disables suspicious or malicious "gadgets," the small applets that mimic the "widgets" popular on Mac OS X.

Dubbed "Windows Sidebar Protection," the 1MB download was added to Windows Update on Tuesday and classified as a "high-priority" update. Microsoft customers running Vista RTM -- the initial version that launched in late 2006 to businesses and early 2007 to consumers -- saw the update on the list starting Tuesday. The update is optional, but depending on what settings have been selected in Windows' Automatic Updates, it may be downloaded and installed without any additional user interaction.

Windows Sidebar is a Vista-only panel that holds the miniature applications known as gadgets -- small single-purpose tools that, for instance, display the time and date or RSS feeds. The Windows gadgets are composed of HTML and various scripts.

And there's the rub, said Microsoft.

"Vista treats gadgets like it treats all executable code," said the advisory that accompanied the update. "Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as Web pages are. HTML content in the gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer."

In other words, gadgets could be dangerous, even malicious. The small applications are crafted not only by Microsoft but also by third-party developers and users; Microsoft distributes gadgets on its Web site, but it doesn't vet them.

"The update gives us a mechanism to prevent a malicious gadget from being installed first of all, and if it's installed, to block the gadget [from running]," said Austin Wilson, a director in the Windows client product management group. "We're being proactive here. We looked at the [security] landscape and wanted this in place in case a problem arises in the future."

There are no known vulnerabilities in any existing gadgets, Wilson claimed, stressing that Microsoft knows of no purposefully malicious gadgets, either.

When it detects a flawed, suspicious or malicious gadget, Microsoft will create a "kill bit" file that it will then push to users through Windows Update on the regular once-a-month patch day, said Wilson. Yesterday's update included no kill bit, stressed Wilson, but instead is the tool that generates a unique ID for each gadget, accepts the list from Windows Update and then blocks existing gadgets from running or newly-downloaded gadgets from installing.

After a gadget has been identified as bad, its icon gets swapped out with one labeled "Bad Gadget." The icon also can't be dragged, and the tool tip shows it as a security risk.

The Sidebar security update is already integrated in the bits that were distributed as Vista Service Pack 1's release candidate last month, said Wilson, and it will be included in the final when that launches in the coming weeks.

Microsoft has posted a pair of documents on its support site that go into more detail: KB943411 includes the download links to the 32- and 64-bit versions of the tool; KB941411 walks users through the various dialog boxes they will see when the tool tries to bar or block a gadget.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?