Microsoft preps Vista to thwart rogue gadgets

An optional OS update can block buggy or malicious mini-apps

Microsoft Wednesday urged Windows Vista users to download a new security tool that automatically disables suspicious or malicious "gadgets," the small applets that mimic the "widgets" popular on Mac OS X.

Dubbed "Windows Sidebar Protection," the 1MB download was added to Windows Update on Tuesday and classified as a "high-priority" update. Microsoft customers running Vista RTM -- the initial version that launched in late 2006 to businesses and early 2007 to consumers -- saw the update on the list starting Tuesday. The update is optional, but depending on what settings have been selected in Windows' Automatic Updates, it may be downloaded and installed without any additional user interaction.

Windows Sidebar is a Vista-only panel that holds the miniature applications known as gadgets -- small single-purpose tools that, for instance, display the time and date or RSS feeds. The Windows gadgets are composed of HTML and various scripts.

And there's the rub, said Microsoft.

"Vista treats gadgets like it treats all executable code," said the advisory that accompanied the update. "Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as Web pages are. HTML content in the gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer."

In other words, gadgets could be dangerous, even malicious. The small applications are crafted not only by Microsoft but also by third-party developers and users; Microsoft distributes gadgets on its Web site, but it doesn't vet them.

"The update gives us a mechanism to prevent a malicious gadget from being installed first of all, and if it's installed, to block the gadget [from running]," said Austin Wilson, a director in the Windows client product management group. "We're being proactive here. We looked at the [security] landscape and wanted this in place in case a problem arises in the future."

There are no known vulnerabilities in any existing gadgets, Wilson claimed, stressing that Microsoft knows of no purposefully malicious gadgets, either.

When it detects a flawed, suspicious or malicious gadget, Microsoft will create a "kill bit" file that it will then push to users through Windows Update on the regular once-a-month patch day, said Wilson. Yesterday's update included no kill bit, stressed Wilson, but instead is the tool that generates a unique ID for each gadget, accepts the list from Windows Update and then blocks existing gadgets from running or newly-downloaded gadgets from installing.

After a gadget has been identified as bad, its icon gets swapped out with one labeled "Bad Gadget." The icon also can't be dragged, and the tool tip shows it as a security risk.

The Sidebar security update is already integrated in the bits that were distributed as Vista Service Pack 1's release candidate last month, said Wilson, and it will be included in the final when that launches in the coming weeks.

Microsoft has posted a pair of documents on its support site that go into more detail: KB943411 includes the download links to the 32- and 64-bit versions of the tool; KB941411 walks users through the various dialog boxes they will see when the tool tries to bar or block a gadget.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?