Microsoft has advised Vista and Windows 7 users to put Gadgets and the Windows Sidebar to the sword, following the revelation of yet-to-be-detailed remote code execution vulnerabilities in the features. Redmond issued this advisory ahead of an upcoming Black Hat presentation by Mickey Shkatov and Toby Kohlenberg. The two have …
MS basically closed down the gadget website at the end of 2011 - thus making the thousands of more or less identical gadgets unavailable (unless you go to the developer's website). At the same time they introduced Metro, which is basically full-screen gadgets. Now a 'vulnerability' has been found - by them - in the sidebar code, which they 'suggest' you disable, rather than them disabling it in an update. Not going into the whole 'well, what about other applications which access the internet? Why not just tell people to disable the whole TCP/IP stack?', why wait six+ months, if they knew about this, to inform the average punter? Also, are desktop gadgets the main selling feature of Windows 7? (Rather than improved speed over Vista and improved security over XP.)
Just wondering like.
Paris - because..... (ok that isn't Paris but she's getting on - which actually should merit a Paris icon).
“Gadgets installed from untrusted sources can harm your computer”
For which read "Anything installed from untrusted sources can harm your computer"
Well, no shit, Sherlock!
Isn't it strange that these gadgets only become a security issue as Win7 is ready to be phased out for Win8?
Please provide a definition of "untrusted"
"Untrusted" by whom. Our friends in Redmond's idea of who to trust isn't necessarily the same as anyone else in the world.
I had the indexing gadget
Very handy. It's been clear for some time, though, that MS had lost all interest, and with Google Desktop gone, so is any likelihood of that changing.
>>Gadgets installed from untrusted sources can harm your computer and can access your computer’s files
This is basically true of most third-party software Windows users install on their systems every day. How do you verify whether the source is legitimate? MS doesn't provide any checksumming and/or PGP tools in vanilla Windows.
>> Since Gadgets run with the rights of the current user, the vulnerability could allow exploits all the way up to administrative level.
"Up to" means including, right? Does it imply that admin rights are granted to the first user by default and there is no mechanism similar to "sudo", so the user's session is simply the admin's session? We've been told many times by Redmond's apologists that there is "runas" and it's cool!
Re: @Redmond's apologists
MS doesn't supply checksumming and PGP in the base install of Windows, but they do supply executables and drivers which are signed. It's just a different way of achieving the same end.
If you're running as Administrator, software you run will be under the Administrator's user context. Duh. If you are running like this, you'd also be a fool.
No, this does not imply that admin rights are granted to the first user by default, but if you configure your machine to run as administrator - and you have to actively configure it to run as such, unlike, say, RHEL or CentOS, which allow you to log on as root by default - you will execute code as Administrator. Again, you'd be a fool. There is runas, which is similar to sudo, but not the same; there is also UAC, which is similar to sudo, but not the same. They basically do the same things, in different ways.
Why does explaining how some features in an operating system work, compared to another operating system, make the person doing it an apologist for the manufacturer of said OS? Personally, I really like learning about new things, particularly in IT; other people may be bored by new information, not me.
PS. You forgot to tell us all how great and infallible the repos are as per your usual MO.
As they copied Dashboard from Apple, a week after Apple sidelined Dashboard, citing that everyone does this stuff on a mobile device now, Redmond copies by letting go of gadgets.
Dearest AC, why don't you comment as wisely on the article's statement: Since Gadgets run with the rights of the current user, the vulnerability could allow exploits all the way up to administrative level.
Please tell us what you feel, thanks!
>>unlike say RHEL or CentOS which allow you to logon as root by default
Not the case with "Ubuntu for human beings". I'd like to draw your attention to the fact that, be it RHEL, CentOS or pure Debian (or LMDE), they are all not necessarily designed for Windows users/admins ... aka lamers (they still do not disable AutoRun on the desktops).
>>You forgot to tell us all how great and infallible the repos are
I'll remind you: all of my LMDE/Ubuntu/Debian installs use aptitude, which checks both MD5 (or SHA-1) sums and verifies the PGP (GnuPG) signatures automatically for all the packages and updates. When I need to install something from source, I do all of the above manually.
If you're not being apologetic about Windows, why wouldn't you take off your AC mask?
Re: @AC 16:13
Clearly, if you're running as an administrator, anything which runs in your user context will have administration rights. What they're saying is that the gadgets run in the logged-on user's context, and if you're logged on as an administrator, that is an administrative context. You can run applications/processes in a less privileged context if they're, for example, a sandboxed web browser or an application initiated from a runas command, which calls the app under a different, less privileged user's context.
Now we get to the crux of the matter: "not necessarily designed for the Windows users/admins ... aka lamers". After all your protestations about running as administrator and how Windows is insecure and Linux is inherently better, what it actually boils down to is that you think you're better than people who use Windows, just because you use Linux. Well, guess what? You're conning yourself if you think that your choice of OS makes you inherently smarter. Personally, I use Windows, Linux, OS X, AIX, Solaris and a little HP-UX pretty much every day at work; does that make me better than mainframe or OS/400 users? No. Not at all, it just means that I know different systems. It also means I hate it when people lord it over me about how one system is better than another, because it's usually done from a point of view of a lot of knowledge about one system compared with a little knowledge of another.
Like I said above - MS cryptographically sign their updates and executables. Other companies can as well, should they choose.
I've commented here since before there were comments and you had to email the authors. I've commented as AC ever since someone told me in a security-related comments thread that they thought they knew who I was and where I lived, and that they'd try to check out my employer's security.
Re: Windows users/admins
When one speaks of those who use WindblowZE, they are called (L)users, and rightfully so.
Also, good point about the repos, most WindblowZE (l)users do not realize that.
And a final point about the use of repos: if all of your software is installed from a repository, then any and all updating is automatically handled by the repository, instead of the current situation of having to check each vendor's web site for any updates. In the WindblowZE world, to me this is a royal pain in the ass!
Re: @AC 16:13
"I comment as AC ever since someone told me in a security related comments thread that they thought they knew who I was..."
Handing out enough personal information for you to be unwillingly identified from among the other ~2.5 billion internet users doesn't really make you look like a security guru.
"... and that they'd try to check out my employers security."
Don't see why that should be a problem, unless it's full of bloody great holes. In which case I'd suggest a little less time waxing lyrical about MS security on El Reg, and a little more time in the server room with a copy of "Firewalls for Dummies". ISBN: 978-0-7645-4048-6.
Paris, 'coz we've all seen her "personal information".
They've been bolloxing up security for years. Will they ever learn?
They're making more money than ever. Why would they care?
What is Metro if not Gadgets Writ Large?
Let me explain the "lamers" word for you. On many occasions, including from some "Certified Windows" services and many Windows geeks, I hear the most common troubleshooting advice: "Got .... a problem? Reboot; if the issue does not go away, reinstall Windows!"
>>Like I said above - MS cryptographically sign their updates and executables. Other companies can as well, should they choose.
Here's an analogy of our dispute:
-- I say that a Ferrari is expensive, so there is no way the overwhelming majority of people can afford one.
-- You seem to misunderstand: everyone can afford as many Ferraris as one wants, should he/she choose to get very rich!
How about making a fucking OS that works, is fast; oh, here's a novel thought: isn't one giant threat vector! So why not drop all the cutesy bells and whistles and make something that works? I mean, you'd figure after 8 or 9 times it would be much better, or am I asking too much?
This is the last time though
We promise. The rest is good now.
'Microsoft security' is just like 'military intelligence' or 'chaste prostitute'
Excuse me while I feel quite smug...
For running XP and consequently not needing to do anything to combat this.
(Joke alert so that people understand that I am not advocating running XP for security reasons)
What's the difference?
What's the difference between a gadget from a third party and any other third-party software?
MS are drawing a line, but the implication is that philosophically all non-MS-approved SW is bad, so can't be used.
Is it safe or not to use gadgets? Mine didn't come from Microsoft; I have applied the patch but they still continue to work,
so is there a list of trusted developers? Or is this technology insecure overall (it's a shame)?
thanks a lot
Noticed that Windows 8 CP has gadget capability...
(the greater good, the greater good, the greater good...)