Microsoft preps Vista to thwart rogue gadgets

An optional OS update can block buggy or malicious mini-apps

Microsoft Wednesday urged Windows Vista users to download a new security tool that automatically disables suspicious or malicious "gadgets," the small applets that mimic the "widgets" popular on Mac OS X.

Dubbed "Windows Sidebar Protection," the 1MB download was added to Windows Update on Tuesday and classified as a "high-priority" update. Microsoft customers running Vista RTM -- the initial version that launched in late 2006 to businesses and early 2007 to consumers -- saw the update on the list starting Tuesday. The update is optional, but depending on what settings have been selected in Windows' Automatic Updates, it may be downloaded and installed without any additional user interaction.

Windows Sidebar is a Vista-only panel that holds the miniature applications known as gadgets -- small single-purpose tools that, for instance, display the time and date or RSS feeds. The Windows gadgets are composed of HTML and various scripts.

And there's the rub, said Microsoft.

"Vista treats gadgets like it treats all executable code," said the advisory that accompanied the update. "Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as Web pages are. HTML content in the gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer."

In other words, gadgets could be dangerous, even malicious. The small applications are crafted not only by Microsoft but also by third-party developers and users; Microsoft distributes gadgets on its Web site, but it doesn't vet them.

"The update gives us a mechanism to prevent a malicious gadget from being installed first of all, and if it's installed, to block the gadget [from running]," said Austin Wilson, a director in the Windows client product management group. "We're being proactive here. We looked at the [security] landscape and wanted this in place in case a problem arises in the future."

There are no known vulnerabilities in any existing gadgets, Wilson claimed, stressing that Microsoft knows of no purposefully malicious gadgets, either.

When it detects a flawed, suspicious or malicious gadget, Microsoft will create a "kill bit" file that it will then push to users through Windows Update on the regular once-a-month patch day, said Wilson. Yesterday's update included no kill bit, stressed Wilson; instead, it is the tool that generates a unique ID for each gadget, accepts the list from Windows Update and then blocks existing gadgets from running or newly downloaded gadgets from installing.

After a gadget has been identified as bad, its icon gets swapped out with one labeled "Bad Gadget." The icon also can't be dragged, and the tool tip shows it as a security risk.

The Sidebar security update is already integrated in the bits that were distributed as Vista Service Pack 1's release candidate last month, said Wilson, and it will be included in the final when that launches in the coming weeks.

Microsoft has posted a pair of documents on its support site that go into more detail: KB943411 includes the download links to the 32- and 64-bit versions of the tool; KB941411 walks users through the various dialog boxes they will see when the tool tries to bar or block a gadget.

Gregg Keizer

Computerworld