Disable Gadgets NOW says Redmond

Microsoft has advised Vista and Windows 7 users to put Gadgets and the Windows Sidebar to the sword, following the revelation of yet-to-be-detailed remote code execution vulnerabilities in the features. Redmond issued this advisory ahead of an upcoming Black Hat presentation by Mickey Shkatov and Toby Kohlenberg. The two have …

COMMENTS

  1. Anonymous Coward

    Gadgets were always horrid and tacky. Did anyone really use them?

    1. Wade Burchette
      Flame

      I do

      I have a clock, a CPU meter, my daily Dilbert cartoon, the current moon phase, and where the sun is currently shining on the earth.

      1. Tom 13

        Re: I do

        I didn't like the clock, but I found the calendar useful.

      2. Anonymous Coward

        Re: I do

        I have 5 clocks. Any other thick people out there, who have to cope with talking to people over multiple timezones with a better solution than my 5 desktop clocks?

        1. HeNe
          Joke

          Re: I do

          Yeah. Make everyone in those other offices use GMT when they're designating conference-call dates and times.

        2. Mephistro
          Joke

          Re: I do

          "who have to cope with talking to people over multiple timezones with a better solution than my 5 desktop clocks?"

          Yeah! Compile a list of the time differences in all those locations relative to your base. Something like this:

          " Geneva +2, Madrid +1, Tuvalu -17,..."

          Then you can put it in a post-it note in your gadgets and... Oh wait!

        3. Russ Pitcher

          Re: I do

          On Windows 7 if you adjust the date/time from the taskbar you can add two zones using the Additional Clocks tab. The additional times appear when you hover over the clock.

          Other than that you can use ZoneTick to show pretty much what you want on the taskbar.

      3. Rick Giles
        Joke

        Re: I do

        Why would you need to know where the sun is? If you're in IT, people are trying to blow sunshine up your skirt all the time...

    2. stucs201

      I actually preferred them in vista to win 7

      To me the vista sidebar made some sense, a place to dock small accessory programs with the maximise behaviour of other programs tweaked to ensure that both your main program and gadgets stay un-obscured and usable.

      Getting rid of the sidebar in win 7 made gadget behaviour not really any different to things like the clock which was provided in windows 3.0.

      (I realise it's unusual to say nice things about vista, but don't worry I can't think of any others).

      1. Blitterbug
        Happy

        Re: I actually preferred them in vista to win 7

        You aren't alone in finding nothing really wrong with Vista (assuming SP2) but the gadget bar did cause probs. I like to bung my recycle bin @ bottom right of the screen in Win7. Can't do that in Vista. Actually you can kind of position it there (at least, I've managed it) but then you can't right-click to empty! Awesome foolishness or what.

    3. system11

      I did - I like the little weather applet and the mini system monitor.

    4. Anonymous Coward

      Of course!

      That's the best way to install Xeyes and thus pretend I'm using (Linu)X!

      1. JohnG

        Re: Of course!

        "That's the best way to install Xeyes and thus pretend I'm using (Linu)X!"

        Xeyes is included in Cygwin/X

    5. Anonymous Coward

      I don't

      but guess I don't need to have a clock, what with having one in the bottom right hand corner (as well as on my desk phone, and my mobile phones), no need for a cpu one, (using up the cpu) I know when my machine's running slow; for weather, I look out the window.

      As for side bar, always found rocketdock to be more stable and more useful.

    6. Piro Silver badge
      Pint

      I don't now..

      But when I used Vista at work I had the whole sidebar filled with Sticky Notes. The only actually useful gadget. The rest are just silly. Who cares how much CPU time or RAM I'm using?

      1. Timmay
        Facepalm

        Re: I don't now..

        @ Piro - exactly, back when an extra 5MHz on your processor was a decent wedge of an increase, or eking out an extra 20MB of memory was the difference between something running and not, I might have cared. Nowadays we have such a glut of compute power, so who really cares, other than when something is going wrong?!

        1. Mephistro
          Linux

          Re: I don't now.. (@ Timmay)

          "Nowadays we have such a glut of compute power, so who really cares, other than when something is going wrong?!"

          Sorry to disagree. There are a good many programs that have serious trouble handling shortages of CPU or RAM, causing either BSODs or program failures. Nevertheless, your point of view seems to have been prevalent among developers, who seldom bother to optimize their code*. The result is that doing lots of common tasks - e.g. word processing, compiling executables, searching for files - with your flashy new computer takes just as long as it did twenty years ago.

          *:I know it's just economy. Optimizing code costs time and money, and companies using too much of those in optimizing their code will probably make less money and be less competitive, and probably disappear. This sounds as a good argument for OSS.

    7. Chris Miller

      National Rail Enquiries - saves me dashing for a train that's actually running late/cancelled.

    8. 404
      Devil

      Once upon a time...

      The Magic 8 Ball widget was useful for techsupport/lunch questions - the analog Magic 8 Ball took up valuable desk space.....

    9. Anonymous Coward

      @AC

      The gadgets are even quite well programmed.

      I keep a weather & picture gadget on my desktop, even though I don't use a wide screen monitor. I'm especially impressed with the picture gadget because it doesn't only use what's on my PC; it can access my network storages as well.

      As such it /truly/ shows me snapshots of /all/ my favourite pictures.

      I'm not going to give up on this. And just learning that this will be stripped from Win8 as well (the previews still had this) is yet /another/ reason for me to completely ignore it.

    10. Richard Bragg

      GPU gadget really useful

      When my PC started to misbehave playing a game then suddenly the screen going blank and 3 little beeps on restart. Googling suggested GPU overheat. Install nice little gadget. Start game play, then switch out to desktop and there is temperature of GPU climbing far too high. Quick clean on fans on graphics card and retry and GPU temperature stays OK whatever I stress it with.

      Maybe there are other tools but this was nice and small and just sat there doing what I needed.

    11. asdf
      FAIL

      but

      Even if nobody did use them they had to have them because Mac OS X had them. Vista is simply Microsoft copying Mac OS X poorly. Lucky they came to their senses and realized with 90%+ of the market they do best copying themselves but doing it better.

  2. cyke1

    yea i have gadgets for twitter, weather, cpu load/temp/ram usage, network info, gpu load/temp/etc.

  3. SparkPlug
    Pint

    Been there, done that (long time ago)

    As in, started doing that with all new Vista boxes back in the day.

    1. Silverburn
      Thumb Up

      Re: Been there, done that (long time ago)

      Yep - Item 2 on the clean build action list "Switch off all the unnecessary crap". Gadgets and sidebar disabled, never to return.

      Item 1: install AV

      Item 3: Run windows update & reboot. Repeat for items 4,5,6,7,8,9...

      1. AndrueC Silver badge
        Stop

        Re: Been there, done that (long time ago)

        ..General:Enable accelerator underlining, minimum keyboard repeat delay, increase speed of key repeat. Turn off bitmap on work machines to free up RAM. Turn off fancy graphical desktop effects on virtual machines. Turn off Clear Type. Disable powersaving/screen savers on Virtual Machines.

        ..Explorer:One click opening, display full path in title, one thread per window, don't hide extensions of known file types.

        ..Servers:Nuke IESec. Disable shutdown prompts.

        ..Domain controllers:Nuke password requirements (I only ever set up test domains so security is not a problem).

        I swear that with every new version of Windows there's more and more shit that has to be disabled or tweaked every time I create a new machine. Due to testing requirements that happens quite a lot :(

  4. Anonymous Coward
    WTF?

    My spin goes up to 11

    The MS "Gadget Gallery" page goes beyond coyly suggesting that gadgets from "untrusted sources" are problematic. They've vaped all of the official ones too - but it's ok, it's because...

    Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery.

    You can now use your HTML5, CSS3, and JavaScript skills to build Metro style apps for Windows 8 Release Preview. To get started developing Metro style apps, go to Windows Dev Center.

    So either they're blithely lying about the threat perimeter or they're so desperate for Win8 migration that they've killed a (admittedly crappy, but that doesn't distinguish it much from Metro) feature of the current commercial release.

    1. stucs201

      Re: My spin goes up to 11

      I too am suspicious that they're just trying to kill off gadgets.

      It's a shame really, I think they missed an opportunity. When I first heard Windows 8 was going to have closer ties to Windows Phone I hoped for something rather different than what we've got: I thought they might have implemented a way to run a phone application as a gadget on a desktop/laptop (possibly with recompilation).

      1. Dan 55 Silver badge
        Windows

        Re: My spin goes up to 11

        Gadgets are the new Active Desktop. I love Microsoft technology that's here just for one or two releases then suddenly disappears. It really makes users feel like they're using a stable platform and developers willing to invest in it.

        (Is there a sarcasm icon somewhere?)

    2. h4rm0ny

      Re: My spin goes up to 11

      They had that notice up about a month ago at least. It's almost certainly not a response to this, therefore. I think they're just getting people to do things under Metro instead.

    3. Anonymous Coward

      @Mongo

      Would make perfect sense...

      Scare the public out of using Gadgets from 3rd parties (the only way you can get these now) and then get them all onto the metro bandwagon (where "gadgeteers" can only distribute their gadgets when coughing up some big bucks to MS to be included with their metro marketplace).

    4. Chika
      Flame

      Re: My spin goes up to 11

      "So either they're blithely lying about the threat perimeter or they're so desperate for Win8 migration that they've killed a (admittedly crappy, but that doesn't distinguish it much from Metro) feature of the current commercial release."

      I think you have nailed it there. Chances are that, if there really is a "security flaw" in gadgets, they don't want to spend the time needed to correct the problem and, even if there isn't a flaw, they are all too keen to push us all onto the blatant crap that is Metro.

      In other words, and as I've mentioned before, Microsoft are done with giving us choices and just want to net-nanny us, all for "the greater good."

      ...the greater good, the greater good, the greater good, the greater good, the greater good, etc...

    5. Fatman

      Re: Metro style apps for Windows 8

      Amounts to rev 3 of the Micro$oft Gallery of Shit programming.

      Anyone care to identify rev 1 and 2???

  5. Steen Eugen Poulsen
    FAIL

    New fangled Microsoft strategy...

    "Remove our software, it's so buggy we don't know how to fix it."

    I don't think they ran this idea by the PR department...

    1. g e
      Joke

      Re: New fangled Microsoft strategy...

      Surely 'Upgrade to Windows8 - the most secure Windows yet!' would be the line :o)

    2. JDX Gold badge

      Re: New fangled Microsoft strategy...

      If they know a threat is already out there or will be out there before they can test a fix to the insanely high levels of QA such things need, this is the sensible thing to tell people.

    3. Fatman

      Re: New fangled Microsoft strategy...

      "Remove our software, it's so buggy we don't know how to fix it."

      You know, I followed that strategy a few years ago when I scraped WindBlowZE eXtremely Pathetic from the hard drive of a H^HDell Optiplex.

      In its place went Ubuntu, and I never looked back.

      Recently, I picked up an Acer with WindblowZE 7 on it; physically removed that hard drive, and placed it in a biohazard bag. I went out and got a 2 TB drive, and Ubuntu 12.04, along with a test install of 12.10 have so much room to play!! It is so hard to believe that Ubuntu only needs less than 6 GB of hard drive space for an install. Yet, the (Acer) OEM reinstall discs amount to 3 DVDs. Talk about bloatware!!!

      I wish more people would succumb to this strategy and ditch WindblowZE, the world would be a better and safer place if they did.

  6. ScottK
    Holmes

    So basically...

    ...install a program from an untrusted source (which in this case just happens to be a gadget) and it will have access to resources on your computer, with your access rights.

    This is new how?

  7. Anonymous Coward

    Microsoft are desperate to start shutting stuff down in Win7 nudging people towards 8

    Who remembers the removing of the address toolbar in XP because of 'licencing' or some crap

    (It re-appeared in Win7)

    transparent is transparent

    Agree with ScottK also

    1. TeeCee Gold badge
      Facepalm

      The Address Bar disappeared in XP SP3 'cos some arsehat of a Eurocrat couldn't tell the difference between a browser address bar and a separate .dll that invokes the default browser (whatever that may be) when a web address is entered. Thus it fell foul of the integration shenanigans and took a holiday while the Redmond legal eagles translated a detailed technical proof of "it isn't part of the browser at all" into fuckwit-friendly language for them.

      Reinstating the browseui.dll from SP2 puts it back with no ill effects.

  8. Don Jefe
    Pirate

    Egg Meet Face

    Jesus. This is just a bit much. I spend months selling a company on 750+ seats and for better or worse the Gadgets pretty much sealed the deal. Now they've got to disable them to be secure??? Gah! I'm seriously considering not even telling my clients.

    Damn it. Gadgets are such a benign thing. Why in God's name would those ass/blackhats attack that? My Grams likes her Gadgets & now I'm supposed to tell her she can't have them unless she upgrades.

    Feckin hackers think they are cute. Where I'm from we just belt people like that square in the gob & let them think about their actions while they look for their missing tooth. If I thought I could find them I'd charter a flight to Russia & curb stomp them all, one at a time. Shitbricks.

    End of rant. Thanks for reading.

    1. Anonymous Coward

      @Don Jefe

      "Where I'm from we just belt people like that square in the gob & let them think about their actions while they look for their missing tooth."

      Liverpool? Great rant by the way!

      "If I thought I could find them I'd charter a flight to Russia & curb stomp them all, one at a time."

      Trouble is that quite a lot of the criminal hacker gangs are based there anyway, judging by the many articles here on El Reg that suggest that to be the case. Sending more over there would only make it worse. Perhaps we should cut all the wires heading that way!?!

    2. toadwarrior

      Re: Egg Meet Face

      Everyone on the internet is a tough guy ( with a big dick) but let's face it, if they came to your mother's basement to have a word with you then you'd probably wet yourself.

      The world doesn't revolve around your gram but there is an easy solution. Get OS X or linux. Both are far more secure and not nearly as soul destroying as windows.

      1. LinkOfHyrule
        Mushroom

        I wouldn't wet myself, I'm not into that

        I'd rather have a fight (and a penis measurement session) in a basement than use OSX.

      2. JDX Gold badge

        Re: Egg Meet Face

        I'd use W7 over OSX any day - I DO run both. I never ran a graphical version of Linux to compare.

      3. Don Jefe
        Meh

        Re: Egg Meet Face

        My mother passed on 14 years ago & she never had a basement. Fucko. How old are you? Maybe 22?

    3. Blitterbug
      Happy

      Re: Egg Meet Face

      @ Mr J,

      Fear not. I think MS are saying that whilst the Gadget platform yields a juicy attack vector for asshats, it's gadgets from 'unknown' sources that 'could' compromise your system. I for one (awesome cliche) will remove my default MS-branded clock and weather jobbies when they pry them from my cold, dead hands...

    4. rixt53
      FAIL

      Re: Egg Meet Face

      Methinks your rage is misdirected. One would think that the "world's largest software company" would be more competent. I suppose history, however, would prove sufficient to allay such suspicions.

  9. Eddy Ito

    Now I'm confused

    I thought metro was the new sidebar.

    1. Blitterbug
      Happy

      Re: I thought metro was the new sidebar.

      You sir are a comedy genius

      1. TeeCee Gold badge
        Coat

        Re: I thought metro was the new sidebar.

        No the comedic genius is in Redmond, that's just a retelling of a well-worn MS joke......

  10. Anonymous Coward
    FAIL

    Ooooo Really.

    “Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time,” Microsoft notes.

    Uhhh Huhhhh

    And what about the trusted sources?

    "Shave that dog's head and bring it to me!" said Microsoft.

    "What? You mean Dougal?" asked Florence.

    "No I meant Mr Zippity." said Microsoft.

    "But I am not a dog!" said Zippity, looking rather alarmed.

    Microsoft and their bullshit - it's never ending.

    1. Fred M

      Re: Ooooo Really.

      '"But I am not a dog!" said Zippity, looking rather alarmed.'

      "I'm also not called Zippity", said Zebedee, looking rather irritated.

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: Ooooo Really.

        "I am called neither Zippity nor Zébédée," declared Zébulon

        1. TeeCee Gold badge

          Re: Ooooo Really.

          Vous etes un cheese eating surrender monkey et je claim mon cinq livres!

          (Avec apologies au Kilometres Kington en retard).

        2. Chika
          Happy

          Re: Ooooo Really.

          I've only one response to that.

          Pollux.

  11. Suricou Raven

    Executing code from untrustworthy places can be dangerous?

    I guess we can all thank Microsoft's newest employee, Captain Obvious.

    This isn't even a security flaw - it's the gadget stuff doing what it's supposed to. Just because Microsoft calls them gadgets doesn't mean they stop being programs. Still, I don't think many people ever used them. It does sound plausible that MS is killing them off though as part of their shift to Metro, with its increased use of web-based HTML5/javascript rather than native code.

    1. h4rm0ny

      Re: Executing code from untrustworthy places can be dangerous?

      "with its increased use of web-based HTML5/javascript rather than native code."

      Minor note: On Windows8, HTML5+Javascript+CSS, are native code. They compile!

      1. Lexxy

        Re: HTML5+Javascript+CSS, are native code

        Native. Scored 0.81 on Verity's list of business buzzwords... I can see why. But out of interest, just what does Windows 8 compile HTML+JS+CSS into, h4rm0ny?

        1. h4rm0ny

          Re: HTML5+Javascript+CSS, are native code

          "But out of interest, just what does Windows 8 compile HTML+JS+CSS into, h4rm0ny?"

          Same thing that C# or C++ or VB get turned into when you write a Metro application - compiled low-level binary code just as if you wrote a C program on Linux or similar.

    2. multipharious

      Re: Executing code from untrustworthy places can be dangerous?

      Exactly.

      There is a Microsoft MSDN article from 2007 I found this morning while poking around looking for some writeups of the SDL. Just above the SDL introduction, there is an article called "Inspect your Gadget" that uses the exact same wording as the Security Advisory. The interesting bit is that this article speculates the attack vector and the precise vulnerability.

      http://msdn.microsoft.com/en-us/library/bb498012

      My guess is that the researchers were poking around and found the following sentence:

      "Today, the Windows Vista Sidebar hosts Gadgets built from HTML, JavaScript, and potentially ActiveX controls, and because Gadgets are HTML, they are subject to Cross-site Scripting style bugs. These bugs are extremely serious because script in the Sidebar is capable of running arbitrary code in the context of the locally logged-on user."

  12. nuked
    Flame

    I had a dream once...

    ...where a company sold a product across the globe. But due to what most experts would classify as at best, complete negligence, and at worst, deliberate intent; this product's design enabled the theft of billions of pounds worth of data/funds/property.

    The company were sued naturally and because of the overwhelming evidence against them, they either had to remedy their appalling products immediately and for free, or better still, had to compensate to such a degree that they could never again afford to inflict their misery upon the world.

    I then woke up to the bat-f**k insane place that we live in where a zero-day exploit discovered almost weekly, enabling complete remote control, is pretty much expected and accepted.

    1. h4rm0ny

      Re: I had a dream once...

      "But due to what most experts would classify as at best, complete negligence, and at worst, deliberate intent; this product's design enabled the theft of billions of pounds worth of data/funds/property."

      Explain to me how a user installing software from an untrusted source in Linux would be any different? In both this case and the Linux case, the software has access to user-space and can access the user's data. At least from what we know of this issue.

  13. Robert Heffernan
    FAIL

    Kill off the crap

    If Microsoft are killing off useless unloved windows features why is metro still in windows 8. There is so much I like about windows 8 just it's all under the hood, the way they butchered the desktop and tacked on metro is what killed it for me.

    They are so caught up in the whole idea of converging platforms they failed to realise that phones, tablets and the desktop are completely different things that need their own platform. You can commonise a lot between the phone and tablet but there is nothing common* between the tablet and desktop. Merging them is just plain dumb.

    *Sure on some devices a common kernel and API layer will work but the UI definitely won't work.

    1. Simon Aspland

      Re: Kill off the crap

      It's not about converging platforms, it's about selling Windows Phone and Surface devices.

      By getting users 'used' to Metro on their desktop PC, the Phone/Tablet with the Metro interface becomes the natural choice for them to choose when they buy one.

      This all falls down of course when the users hate Metro on their desktop so much that they refuse to buy a phone with it... that's my hope at least :)

    2. h4rm0ny

      Re: Kill off the crap

      "they failed to realise that phones, tablets and the desktop are completely different things that need their own platform"

      Serious question - why? I want to be able to synchronize and manage the same data on all three. As a developer, I love the idea of being able to write applications for all three at once. Win8 works fine on the Desktop - I've been using the release candidate for a while and using Metro instead of the Start menu has presented me no difficulties and everything else I've used has remained compatible from Win7. So why shouldn't some group release a platform that can seamlessly transition between all three?

      I might not want to do major editing work on a tablet, but I still want to be able to pull up a Word document and make some minor changes here and there. I even do that on my phone from time to time! And as well as consistent capability, consistent interface is a big plus for many people.

      1. Chika
        Mushroom

        Re: Kill off the crap

        And that requires that every damn bit of hardware must run the same OS, GUI and software? Do I really have to run my desktop system as though it were a vastly oversized smartphone? There are already ways to seamlessly synchronise these different platforms without butchering the interface experience.

        (...the greater good, the greater good, the greater good...)

      2. Dave 126 Silver badge

        Re: Kill off the crap

        Okay, one interface works with mice and keyboards, one with fingers. Fingers don't have the accuracy of mice and keyboards, but do allow gestures- and you can't drop them on the ground (unless you're looking at a recipe on your tablet whilst cutting onions). Appl// Mangoes and oranges.

        Having a different UI doesn't mean you can't do the same things- you just do them differently, suited to the tools in hand.

        I note that iPads have sold well, though they don't work like Windows or OSX.

        Hmm... I wonder if there's an Android App that presents your smartphone's call and text functions in the style of a Nokia 3210/6210 etc interface? : D

        On that note, it would be nice if MS could upgrade the underlying OS without touching the UI- or at least give people the choice. My less tech-savvy friends and family do get confused/annoyed when something they have spent some time getting used to suddenly changes.

      3. Robert Heffernan

        @h4rm0ny

        I am a dev too, and like you, I like the idea of being able to develop for multiple platforms at once. Which is why having the same OS API layer between devices is a great idea.

        The thing is, the UI layer should be specific to the device at hand. Touch on the desktop has never taken off because it's not suitable to the tasks required of a desktop system. People say it's because the support wasn't there. There has been touch support on the desktop for ages just no one wanted it because who wants to spend all day with their arms stretched out and leaving finger marks all over the screen when the keyboard and mouse is a much better user experience.

        On a tablet or phone held in your hand, a touch based UI makes perfect sense. Which is why between the Desktop and the Phone/Tablet, you need to design a UI that works best for the platform.

    3. croc
      Mushroom

      Re: Kill off the crap

      Commonize? COMMONIZE?? Damned marketing droids...

  14. eJ2095

    Well Does that mean

    I got to look out the window now for the current weather? and the location of the sun and who gives a monkeys about the moon location during the day??

    1. Claverhouse Silver badge

      Re: Well Does that mean

      NASA, for one.

  15. Anonymous Coward

    When I read the title of the article, I thought this was going to be Microsoft asking everyone to get rid of their Android and iPhone "gadgets."

  16. Anonymous Coward

    Why is it all the cool new features Microsoft add to Windows end up being a security risk?

    It suggests they can't design secure reliable software, perhaps they concentrate on making the core of Windows better instead of adding loads of eye candy that nobody really wants?

    1. g e
      Facepalm

      What I don't get

      Is that they still don't seem to have changed coding methodology based on the analysis of previous failings exactly like this.

      ActiveX, anyone ???

    2. Nigel 11
      Mushroom

      It's a cultural thing. Microsoft not getting security is like banks not getting that it's my money, not theirs.

      The only answer in both cases is the same. Take your custom elsewhere!

      1. Dave 126 Silver badge

        >Take your custom elsewhere!

        Alas, not possible if you are tied to the platform by the software you use for work. For many of us, this reality renders the question of Mac/Win/Lin entirely moot.

        1. Mikel
          Facepalm

          There's a word for being controlled by your habits

          And it's not "professional".

  17. Charlie Clark Silver badge
    FAIL

    Ijeets

    Gadgets were just another "me too" feature that MS copied from Apple in Vista. While the basic idea making it easy to have customised and easy to install front-ends to web services has merits, it never made a great deal of sense as a programming paradigm for an operating system.

    Things have changed since then with the move towards a lasting plurality of platforms making platform-independent programming more valuable. The web run times have come on in leaps and bounds, but the fundamental principle of putting these things in the best sandbox you can come up with has not changed and Microsoft's insistence on embedding the browser runtime into the OS is as misplaced now as it ever was.

  18. Craig 12

    I like having an analogue clock and flip-style calendar in the corner :(

    1. Platelet

      I like having an analogue clock and flip-style calendar in the corner :(

      So switch to rainmeter (http://rainmeter.net/cms/About). It has the same inherent risks as windows gadgets but at least it will still be there come windows 8 and you can find pre-vetted skins at http://rainmeter.deviantart.com/

  19. Jason Bloomberg Silver badge
    Unhappy

    FUD?

    Due to a lack of explanation of the vulnerability it does stink of "turn it off now, and you won't miss it when you upgrade to Windows 8".

    They've done this before (with STL headers I think), where they admitted there were serious vulnerabilities with apps using those but did not specify the circumstances those vulnerabilities applied to, making it hard for anyone (users and developers alike) to assess what the risk level was.

  20. Anonymous Coward
    Facepalm

    they are not entirely useless for business purposes

    We've developed plenty of internal gadgets that provide desktop reporting and alert on remote apps/processes.

    Many of our freelancers also use this http://www.getharvest.com/widget

    So I'm pretty damn annoyed to see them go TBH

  21. Anonymous Coward

    hmm...

    Announced the day after patch Tuesday, so deliberately calculated to do as much damage as possible. Wankers.

    Also - As Android owners keep reminding us - install software from an untrusted location and what do you get?

  22. fourThirty
    Facepalm

    the moaning bandwagon must be close to capacity...

    If you don't like the features of Windows 8, simple, don't upgrade. It is not compulsory, and nobody is forcing you to do so...

    Also, they suggest removing the gadgets, they aren't saying you have to otherwise you'll suffer from a plague of locusts for forty days and forty nights....

    You would have to assume that being on a tech forum, some of us have a little common sense. If you know the source of your third party software is pukka you shouldn't have a problem...

    1. Anonymous Coward
      Anonymous Coward

      Re: the moaning bandwagon must be close to capacity...

      That is of course assuming MS won't simply finish them off in a next "security" update.

      Besides; MS asked for the "moaning" themselves. Remember; The metro crapola was allegedly built thanks to user input from previous Windows versions indicating major problems with the start menu...

      So if people are not ok with new "improvements" on Windows I think they're doing the right thing to moan about it. Best on the MS fora themselves but why stop there?

      1. Hoagiebot
        Windows

        Re: the moaning bandwagon must be close to capacity...

        "That is of course assuming MS won't simply finish them off in a next "security" update."

        That is my fear exactly, ShelLuser. I am one of those people here who actually liked Windows Sidebar Gadgets, and I still have four of them running in my sidebar as I type this. Heck, I even bought a couple of books about programming Windows Sidebar Gadgets so that I could create a few of my own. Sidebar Gadgets can be really handy as long as you can find gadgets that suit your purposes and appeal to your personal sense of taste.

        Now that Microsoft has decided to become hell-bent on getting rid of the little gadgets and have labeled them as a "security risk," they very well may end up posting an "Important" update during the next patch Tuesday that eliminates Windows Sidebar Gadgets from Windows Vista and 7 automatically, without asking the user first. And how will most Windows users even know that an "Important" update will remove their gadgets before it has already happened? First of all, many users use Microsoft's recommended setting of having automatic updates. Should Microsoft push a gadget-killing update out, these people will just turn on their PC one morning and find that their gadgets are mysteriously gone.

        Even people like myself that like to review updates before installing them may still inadvertently lose their Sidebar Gadgets should such an update go out, since so many Windows updates are only generically described as:

        "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain access to information. You can help protect your system by installing this update from Microsoft."

        How many "Important" updates with similar descriptions were sent out during this last patch Tuesday? Five? Unless you start reading the associated knowledge base articles for every patch from now on, you could still easily let a gadget-killer update through. And while I am capable of reading these knowledge base articles if I have to, several members of my family all use gadgets on their Windows laptops, and they'll get plastered by such an update for sure leaving me to have to clean up the mess and try to get their gadgets back. I sincerely hope that Microsoft leaves Windows Sidebar Gadgets alone-- I don't want Microsoft to take the easy way out and not bother to fix the flaws in the gadget platform and just kill them outright because Steven Sinofsky has suddenly decided that they are passé!

      2. Dave 126 Silver badge

        Re: the moaning bandwagon must be close to capacity...

        >user input from previous Windows versions indicating major problems with the start menu..

        The only anecdotal complaints I've heard about the Win7 start menu is from a friend who doesn't like it because it isn't the WinXP start menu...

        (that and control panel and system settings options are accessed differently, in what he perceives to be an attempt to screw him about. He's a bit of an IT canary.)

        1. Suricou Raven

          Re: the moaning bandwagon must be close to capacity...

          I have a complaint: The search is very unpredictable! It's also laggy for me, because it covers some spun-down drives. Whenever I use it, I find I have to wait for the spinup before Windows presents the result I seek.

          1. Anonymous Coward
            Anonymous Coward

            Re: the moaning bandwagon must be close to capacity...

            @Suricou Raven: Let me guess - you disabled indexing?

  23. Blacklight

    Shame...

    I too have a clock, but as I have a Logitech G19 with an LCD clock on it, I could remove it.

    I also wrote my own gadget, as Windows 7 Home Premium didn't do "location aware printing", so I wrote one that changed my default laptop printer based on which WLAN I was connected to. Not overly elegant, but it worked, and was a fun task.

  24. A J Stiles
    Linux

    Hmm

    The whole world is slowly moving away from pre-compiled native code (which depends on a specific processor architecture and possibly even an addressing schema) in favour of interpreted or just-in-time compiled code (which depends only on a specific runtime environment).

    Of course, Unix has had shell scripts since time immemorial; and Linux was already building on that heritage with Perl and Python before Java came along. Mac OS X also makes heavy use of interpreted code. But it's still nice to see Microsoft slowly catching up to the rest of the world.

    If anyone should be worried by this direction, Intel should be .....

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmm

      Windows has always had scripting environments...

  25. TeeCee Gold badge
    Facepalm

    “Gadgets installed from untrusted sources can harm your computer..."

    So MS drop their online gadget repository in favour of a pageload of gushing bullshit extolling the virtues of 8. Users are forced to look elsewhere for gadgets. Some of the "elsewheres" prove to be pushing crud.

    As MS, is the correct fix:

    a) Admit you fucked up and reinstate the vanilla site?

    b) Say that gadgets are inherently insecure and that they should be disabled?

    NB: If (b), you may need to come up with some bullshit to explain why installing a bent gadget is in some way worse than installing A N Other piece of bent software, to ensure that your red-headed stepchild (Win 8) isn't seen to be just as vulnerable.....

  26. Andy Fletcher

    Suggestions...

    Given the gadgets currently available, I think there would be some merit to add:

    1. Fire/Smoke detector. Alerts you if your computer is on fire.

    2. Localised tremor meter. Alerts you if an earthquake is happening.

    3. Gravitational collapse monitor. Lets you know if the sun has imploded.

    and possibly most useful:

    4. Fart detector. When you let one go, it measures the probability of the stench reaching others in your office, so you know when to shout out "who let that one go?".

    1. Anonymous Coward
      Anonymous Coward

      Re: Suggestions...

      4 is so puerile and unbecoming of this forum.

      I'd have surround sound speakers and microphone array to identify the source of the noise and based on a three dimensional scan of the room use sound anti-phased playback to shift the apparent source to an adjacent cubicle / office / bod.

      Should there be any associated unpleasantness I assume careful driving of multiple case fans and stealth Dyson air movers could deal with that.

      --

      Here's the thing, I can now feel a few people mentally working on the subroutines and algorithms, I love the register.

      1. Dave 126 Silver badge

        Re: Suggestions...

        >2. Localised tremor meter. Alerts you if an earthquake is happening.

        reminds me of plans to create a distributed seismometer by using the G-sensors in laptops- obviously ignoring a machine that was out of step with its geographical neighbours. A fairly sensible plan it seemed.

  27. This post has been deleted by its author

  28. Matt_payne666

    That's one hotfix I won't be running... I have used one widget for a while now - a little calendar which shows my next 3 appointments...

    I could have Outlook running all the time, or I could have an open browser window, but a persistent diary is invaluable... I'm a forgetful sod! Oh, my calendar is synced with my iPhone, but having to open an app and hope it's synced is far too much like hard work (I miss my WM mobiles with calendar on the lock and home screens)

  29. Spoonsinger
    Childcatcher

    So...

    MS basically close down the gadget website at the end of 2011 - thus making the thousands of more or less the same gadgets - unavailable, (unless you go to the developers website). At the same time they introduce Metro, which is basically full screen gadgets. Now a 'vulnerability' has been found - by them - in the sidebar code which they 'suggest' you disable, rather than them disabling it in an update. Not going into the whole 'well what about other applications which access the internet? Why not just tell people to disable the whole TCP/IP stack?', why wait six+ months, if they knew about this, to inform the average punter? Also are desktop gadgets the main selling feature of Windows 7?, (rather than improved speed over Vista and improved security over XP).

    Just wondering like.

    Paris - because..... (ok that isn't Paris but she's getting on - which actually should merit a Paris icon).

  30. Lallabalalla
    Holmes

    “Gadgets installed from untrusted sources can harm your computer"

    For which read "Anything installed from untrusted sources can harm your computer"

    Well, no shit, sherlock!

  31. john devoy

    strange timing

    Isn't it strange that these gadgets only become a security issue as win7 is ready to be phased out for win8.

  32. Richard Bragg

    Please provide a definition of "untrusted"

    "Untrusted" by whom. Our friends in Redmond's idea of who to trust isn't necessarily the same as anyone else in the world.

  33. Mark Dowling

    I had the indexing gadget

    very handy. Clear for some time though that MS had lost all interest, and with google desktop gone so is any likelihood of that changing.

  34. eulampios
    WTF?

    @Redmond's apologists

    >>Gadgets installed from untrusted sources can harm your computer and can access your computer’s files

    This is basically true about most of the third-party software Windows users install on their systems every day. How do you verify whether the source is legitimate? MS doesn't provide any check-summing and/or pgp tools in the vanilla Windows.

    >> Since Gadgets run with the rights of the current user, the vulnerability could allow exploits all the way up to administrative level.

    "Up to" means including? Right, does it imply that admin rights are granted to the first user by default and there is no mechanism similar to "sudo", where the user's session is simply the admin's session? We've been told many times by the Redmond's apologists that there is "runas" and it's cool!

    1. Anonymous Coward
      Anonymous Coward

      Re: @Redmond's apologists

      MS doesn't supply checksumming and pgp in the base install of Windows, but they do supply executables and drivers which are signed. It's just a different way of achieving the same end.

      If you're running as Administrator, software you run will be under the Administrator's user context. Duh. If you are running like this, you'd also be a fool.

      No, this does not imply that admin rights are granted to the first user by default, but if you configure your machine to run as administrator - and you have to actively configure it to run as such, unlike say RHEL or CentOS which allow you to logon as root by default - you will execute code as Administrator. Again, you'd be a fool. There is runas, which is similar to sudo, but not the same, there is also UAC, which is similar to sudo, but not the same. They basically do the same things, in different ways.

      Why does explaining how some features in an operating system work when compared to another operating system make the person doing it an apologist for the manufacturer of said OS? Personally I really like learning about new things, particularly in IT, other people may be bored by new information, not me.

      PS. You forgot to tell us all how great and infallible the repos are as per your usual MO.

  35. Richard Cartledge
    Thumb Down

    As they copied Dashboard from Apple, a week after Apple sidelined Dashboard, citing that everyone does this stuff on a mobile device now, Redmond copy by letting go of gadgets.

  36. eulampios

    @AC 16:13

    Dearest AC, why don't you comment as wisely on the article's statement: Since Gadgets run with the rights of the current user, the vulnerability could allow exploits all the way up to administrative level.

    Please tell us what you feel, thanks!

    >>unlike say RHEL or CentOS which allow you to logon as root by default

    Not the case with "Ubuntu for human beings". I'd like to draw your attention to the fact, that be that RHEL, CentOS or pure Debian (or LMDE), they all are not necessarily designed for the Windows users/admins ... aka lamers (they still do not disable AutoRun on the desktops).

    >>You forgot to tell us all how great and infallible the repos are

    I'll remind you: all of my LMDE/Ubuntu/Debian use aptitude that checks both md5(or sha-1) sums and verifies the pgp(gnupg) signatures automatically for all the packages and updates. When I'd need to install something from source, I do all of the above manually.

    If not being apologetic about Windows why wouldn't you take off your AC mask?

    1. Anonymous Coward
      Anonymous Coward

      Re: @AC 16:13

      Clearly, if you're running as an administrator, anything which runs in your user context will have administration rights. What they're saying is that the gadgets run in the logged on user's context and if you're logged on as an administrator that is an administrative context. You can run applications/processes in a less privileged context if they're for example a sandboxed web browser or an application initiated from a runas command which calls the app under a different, less privileged user's context.

      Now we get to the crux of the matter: "not necessarily designed for the Windows users/admins ... aka lamers". After all your protestations about running as administrator and how Windows is insecure and inherently Linux is better, what it actually boils down to is that you think you're better than people who use Windows, just because you use Linux. Well, guess what? You're conning yourself if you think that your choice of OS makes you inherently smarter. Personally, I use Windows, Linux, OSX, AIX, Solaris and a little HPUX, pretty much every day at work, does that make me better than mainframe or OS/400 users? No. Not at all, it just means that I know different systems. It also means I hate it when people lord it over me about how one system is better than another because it's usually done from a point of view of a lot of knowledge about one system comparing a little knowledge of another.

      Like I said above - MS cryptographically sign their updates and executables. Other companies can as well, should they choose.

      I've commented here since before there were comments and you had to email the authors. I comment as AC ever since someone told me in a security related comments thread that they thought they knew who I was and where I lived and that they'd try to check out my employer's security.

      1. Medium Dave
        Paris Hilton

        Re: @AC 16:13

        "I comment as AC ever since someone told me in a security related comments thread that they thought they knew who I was..."

        Handing out enough personal information for you to be unwillingly identified from the other ~2.5 billion internet users doesn't really make you look like a security guru.

        "... and that they'd try to check out my employers security."

        Don't see why that should be a problem, unless it's full of bloody great holes. In which case I'd suggest a little less time waxing lyrical about MS security on El Reg, and a little more time in the server room with a copy of "Firewalls for Dummies". ISBN: 978-0-7645-4048-6.

        Paris, 'coz we've all seen her "personal information".

    2. This post has been deleted by its author

    3. Fatman

      Re: Windows users/admins

      When one speaks of those who use WindblowZE, they are called (L)users, and rightfully so.

      Also, good point about the repos, most WindblowZE (l)users do not realize that.

      And a final point about the use of repos, if all of your software is installed from a repository, then any and all updating is automatically handled by the repository; instead of the current situation of having to check each vendor's web site for any updates. In the WindblowZE world, to me this is a royal pain in the ass!

  37. Robert E A Harvey

    FFS

    They've been bolloxing up security for years. Will they ever learn?

    1. Mikel

      Re: FFS

      They're making more money than ever. Why would they care?

  38. Sailfish
    Alien

    What is Metro if not Gadgets Writ Large?

    just sayin'

  39. eulampios

    @ac 17:15

    Let me explain the "lamers" word for you. On many occasions, including from some "Certified Windows" services and many Windows geeks, I hear the most common troubleshooting advice: "Got .... a problem - reboot, if the issue does not go away, reinstall Windows!".

    >>Like I said above - MS cryptographically sign their updates and executables. Other companies can as well, should they choose.

    Here's an analogy of our dispute:

    -- I say, that Ferrari is expensive so there is no way overwhelming majority of people can afford it.

    -- You seem to misunderstand: Everyone can afford as many Ferraris as one wants, should he/she choose to get very rich!

  40. zen1
    Mushroom

    Hey Ballmer!

    How about making a fucking OS that works, is fast; oh here's a novel thought: isn't one giant threat vector! So why don't you drop all the cutesy bells and whistles and make something work, I mean you'd figure after 8 or 9 times it would be much better, or am I asking too much?

  41. Mikel
    FAIL

    This is the last time though

    We promise. The rest is good now.

  42. Anonymous Coward
    Anonymous Coward

    'Microsoft security' is just like 'military intelligence' or 'chaste prostitute'

    An oxymoron.

  43. Benjamin 4
    Joke

    Excuse me while I feel quite smug...

    For running XP and consequently not needing to do anything to combat this.

    (Joke alert so that people understand that I am not advocating running XP for security reasons)

  44. TheWeddingPhotographer

    What's the difference?

    What's the difference between a gadget from a third party, or any other third party software?

    MS are drawing a line, but the implication is that philosophically all non MS approved SW is bad, so can't be used

  45. Folamour

    Is it safe or not to use gadgets? Mine don't come from Microsoft. I have applied the patch but they still continue to work,

    so is there a list of trusted developers? Or is this technology globally unsure (it's a shame)?

    thanks a lot

  46. Chika
    Coat

    Peanuts

    Noticed that Windows 8 CP has gadget capability...

    (the greater good, the greater good, the greater good...)
