Thread: Microsoft preps Vista to thwart rogue gadgets

Microsoft urges Windows Vista users to download a new security tool that automatically disables suspicious or malicious "gadgets," the small applets that mimic the "widgets" popular on Mac OS X.

Dubbed "Windows Sidebar Protection," the 1MB download was added to Windows Update on Tuesday and classified as a "high-priority" update. Microsoft customers running Vista RTM -- the initial version that launched in late 2006 to businesses and early 2007 to consumers -- saw the update on the list starting Tuesday. The update is optional, but depending on what settings have been selected in Windows' Automatic Updates, it may be downloaded and installed without any additional user interaction.

Windows Sidebar is a Vista-only panel that holds the miniature applications known as gadgets -- small single-purpose tools that, for instance, display the time and date or RSS feeds. The Windows gadgets are composed of HTML and various scripts.

And there's the rub, said Microsoft.

"Vista treats gadgets like it treats all executable code," said the advisory that accompanied the update. "Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as Web pages are. HTML content in the gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer."

In other words, gadgets could be dangerous, even malicious. The small applications are crafted not only by Microsoft but also by third-party developers and users; Microsoft distributes gadgets on its Web site, but it doesn't vet them.

"The update gives us a mechanism to prevent a malicious gadget from being installed first of all, and if it's installed, to block the gadget [from running]," said Austin Wilson, a director in the Windows client product management group. "We're being proactive here. We looked at the [security] landscape and wanted this in place in case a problem arises in the future."

There are no known vulnerabilities in any existing gadgets, Wilson claimed, stressing that Microsoft knows of no purposefully malicious gadgets, either.

When it detects a flawed, suspicious or malicious gadget, Microsoft will create a "kill bit" file that it will then push to users through Windows Update on the regular once-a-month patch day, said Wilson. Yesterday's update included no kill bit, stressed Wilson, but instead is the tool that generates a unique ID for each gadget, accepts the list from Windows Update and then blocks existing gadgets from running or newly-downloaded gadgets from installing.

After a gadget has been identified as bad, its icon gets swapped out with one labeled "Bad Gadget." The icon also can't be dragged, and the tool tip shows it as a security risk.

The Sidebar security update is already integrated in the bits that were distributed as Vista Service Pack 1's release candidate last month, said Wilson, and it will be included in the final when that launches in the coming weeks.

Microsoft has posted a pair of documents on its support site that go into more detail: KB943411 includes the download links to the 32- and 64-bit versions of the tool; KB941411 walks users through the various dialog boxes they will see when the tool tries to bar or block a gadget.