While Gadgets work a lot like Web pages, running on the desktop, they aren't subject to many of the restrictions that normal Web pages encounter. Shkatov and Kohlenberg give one frightening example: By default, Gadgets can call up any ActiveX control. Gadgets run with standard user privileges and are prohibited from requesting UAC approval for any Administrator actions -- but the Gadget can run a locally installed application, and that application can raise a UAC prompt.
Perhaps the biggest vulnerability lies in the way Gadgets are given free rein when interacting with the Internet. Browsers have built-in protection against cross-domain hijacking, code injection, or man-in-the-middle attacks. Gadgets don't have any of that protection.
More damning, antivirus products aren't particularly adept at identifying malicious Gadgets. "[B]y design a gadget can perform actions exactly like a traditional compiled executable but operate under a completely different scope within the Sidebar process. Simply put, a gadget can do all that an executable can, without being considered as executable by the antivirus software," according to Shkatov and Kohlenberg's paper.
All of that leads to three recommendations:
- If you use Gadgets, only use Gadgets from trusted sources.
- If you develop Gadgets, get out of the business and move on to Metro.
- If you don't use Gadgets, use Microsoft's FixIt to make it impossible to accidentally install one.
Although other people have come to different conclusions, to me the takeaway is pretty simple: If you stick with the Gadgets that Microsoft developed years ago -- the analog clock, CPU meter, currency converter, and weather Gadgets for example -- you're fine. But if you're using Gadgets from a third party, you're taking a gamble.
My favorite example is the stock ticker. Several financial firms offer stock ticker Gadgets, and I'm sure they were developed with all good intent. But I'm deleting mine because I'm not entirely sure its Internet connection is safe. If someone figured out how to run a code injection through the real-time feed on that Gadget, it could hurt.
It isn't a question of intent. There are hundreds of perfectly usable Gadgets that aren't malicious, don't use hijackable techniques, and were created with the purest of motivations. But unless they were made with strict security controls in mind, they might be subverted. That's just too big a risk.
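To make the stock-ticker worry concrete, here is an added example (not code from the article or from any real Gadget) contrasting how a ticker Gadget typically renders its feed with a version built under the "strict security controls" the paragraph calls for. The feed entries, the field names `symbol` and `price`, and the function names are all constructed for the illustration.

```javascript
// Constructed sample feed: the second entry carries markup that a
// compromised or spoofed quote feed could deliver to the Gadget; the third
// carries a non-numeric price. In a browser the injected script would be
// sandboxed; inside the Sidebar process it runs with Gadget privileges.
const sampleFeed = [
  { symbol: "ABCD", price: "12.34" },
  { symbol: '<img src=x onerror="alert(1)">', price: "1" },
  { symbol: "WXYZ", price: "<b>n/a</b>" },
  { symbol: "MSFT", price: 3.5 },
];

// Typical Gadget pattern: concatenate feed strings straight into HTML and
// assign the result to element.innerHTML. Any markup in the feed becomes
// live content in the Gadget's DOM.
function renderUnsafe(feed) {
  return feed.map((q) => `<li>${q.symbol}: ${q.price}</li>`).join("");
}

// Hardened version: allow-list each field before it reaches the DOM, drop
// anything that fails, and escape what is left. In a real Gadget, prefer
// building elements with createElement/textContent over innerHTML.
const SYMBOL = /^[A-Z][A-Z0-9.]{0,5}$/; // assumed ticker-symbol format

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(feed) {
  const items = [];
  for (const q of feed) {
    const symbol = String(q.symbol ?? "");
    const price = Number(q.price);
    if (!SYMBOL.test(symbol) || !Number.isFinite(price)) continue; // reject, don't sanitize
    items.push(`<li>${escapeHtml(symbol)}: ${price.toFixed(2)}</li>`);
  }
  return items.join("");
}

// Returns true when rendered output contains any tag other than the
// expected <li> wrappers, i.e. feed content became markup.
function leaksMarkup(html) {
  return /<(?!\/?li>)/.test(html);
}
```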
This story, "Time to kill (most) Windows Gadgets," was originally published at InfoWorld.com.