Time to kill (most) Windows Gadgets

Good-bye, Gadgets: A Microsoft Security Advisory and FixIt disables Windows Gadgets in Vista and Windows 7

Gadgets, those little mini apps that sit on the Windows desktop, have a small but devoted following. But it's clear that Microsoft now views Gadgets as security vulnerabilities that should be done away with posthaste.

Earlier this month Microsoft released Security Advisory 2719662 which, together with an associated FixIt, disables Windows Sidebar and Gadgets on Vista and Windows 7 machines. The intent is to "help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets. In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time."

The Security Advisory thanks former Intel employees Mickey Shkatov and Toby Kohlenberg, who last week at the Black Hat conference gave a presentation (PDF) called "We have you by the gadgets," which delved into many security problems with Gadgets and the Windows Sidebar program that supports them.

Microsoft, which has been gunning for Gadgets for a long time, shut down support for third-party Gadgets last October. Of course, it's in Microsoft's best interests to move people away from the old Gadgets and on to Windows 8's Metro Start screen, which takes the Gadgets concept into a new dimension. At the time Microsoft dropped Gadget support, the old Gadget website said, "With Windows Developer Preview [the current version of Windows 8 at the time], developers can create rich app experiences where customers focus on their important tasks. Apps are at the center of the Windows Developer Preview experience and are alive with activity and vibrant content. Users immerse themselves in your full-screen app while Windows gracefully gets out of the way."

That piece of marketing fluff has been replaced by a slightly less breathless, "Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery... Some info for developers: You can now use your HTML5, CSS3, and JavaScript skills to build Metro-style apps for Windows 8 Release Preview."

Many people have written to me, asking if they really, really need to kill all their Windows Gadgets. Some people like having multiple analog clocks on their desktops; others appreciate the simplicity of the dual-dial Windows activity monitor; more than a few have a favorite stock ticker Gadget that keeps them on top of the market while only taking up a small part of the Windows desktop.

While Microsoft has a vested interest in getting Windows customers to move to Windows 8, many people figure they aren't going to be upgrading any time soon. So why, they ask, should they ditch Gadgets they've been using for years, when there haven't been any major warnings -- much less infections -- until now?

It's a fair question, and to get a straight answer I took a close look at Shkatov and Kohlenberg's paper. Here's what I found.

Gadgets are generally written in HTML, XML, CSS, and/or JavaScript. "Gadgets should be thought of as essentially being a website that is run from the Windows desktop with some advanced capabilities and additional APIs being made available to increase functionality." All Windows 7 Gadgets run together inside a single process called Sidebar, and the Sidebar process provides them with all necessary services.
