Windows 7 and Windows Vista users will be pretty familiar with the desktop gadgets that come bundled with the OS. I personally find them quite helpful: they just sit there on my desktop, adding a bit of life to it and providing me with snippets of useful information. However, it looks like Microsoft overlooked a big security problem with the desktop gadgets.
Microsoft have issued a Fix It solution, alongside a security advisory, which informs us that there are vulnerabilities in the desktop gadgets which could allow remote code execution.
Mickey Shkatov and Toby Kohlenberg have found that the gadgets’ web-based code (a gadget is essentially a package of HTML and script that the Sidebar runs with the full privileges of the logged-in user, not inside a browser sandbox) has flaws that would allow malicious gadgets, or even hijacked legitimate gadgets, to compromise a PC without having to go through the usual avenues of attack. Computerworld reports that the researchers are going to disclose details of these vulnerabilities at the annual Black Hat conference on July 26th.
Microsoft’s quick fix for this security problem is simply to disable the Windows Sidebar and desktop gadgets altogether. We can only assume that Microsoft are going to work on an actual security patch in the very near future, as advising us to switch the feature off altogether isn’t really an adequate solution.
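For readers who administer more than one machine, here is an added PowerShell example (not from the original post and not Microsoft’s own Fix It package) that does the same thing the Fix It does: it reports whether the “turn off desktop gadgets” policy is already in effect, lists the gadgets installed on the box so you can see which third-party ones are present, and optionally applies the policy. The registry key and value name (`TurnOffSidebar` under the Sidebar policies key) are stated here from memory of the advisory’s manual workaround and should be treated as an assumption to confirm against the advisory before relying on them; the gadget folder locations are the standard ones used by Windows Sidebar.

```powershell
# Added example: check for, inventory, and apply the Sidebar/gadget kill switch.
# ASSUMPTION: this is the policy value the advisory's manual workaround sets;
# verify the path and name against Microsoft's advisory before rolling it out.
$SidebarPolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
$SidebarPolicyValue = 'TurnOffSidebar'

# Standard gadget locations: built-in gadgets under Program Files, user-installed
# gadgets under the per-user local application data folder.
$GadgetRoots = @(
    (Join-Path $env:ProgramFiles  'Windows Sidebar\Gadgets'),
    (Join-Path $env:LOCALAPPDATA  'Microsoft\Windows Sidebar\Gadgets')
)

function Get-SidebarPolicyState {
    # Returns 'Disabled' when the policy value is present and set to 1, else 'Enabled'.
    $item = Get-ItemProperty -Path $SidebarPolicyKey -Name $SidebarPolicyValue -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$SidebarPolicyValue -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Get-InstalledGadget {
    # Each gadget is a *.gadget folder containing a gadget.xml manifest; list them with
    # their location so built-in and third-party gadgets can be told apart.
    foreach ($root in $GadgetRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Directory -Filter '*.gadget' | ForEach-Object {
            [PSCustomObject]@{
                Name        = $_.Name
                Location    = $root
                HasManifest = Test-Path (Join-Path $_.FullName 'gadget.xml')
            }
        }
    }
}

function Disable-Sidebar {
    # Applies the policy (needs an elevated prompt because it writes under HKLM)
    # and stops any running Sidebar process, since the policy is read at start-up.
    # Supports -WhatIf so you can see what would change before committing.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($SidebarPolicyKey, "Set $SidebarPolicyValue = 1")) {
        if (-not (Test-Path $SidebarPolicyKey)) {
            New-Item -Path $SidebarPolicyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $SidebarPolicyKey -Name $SidebarPolicyValue -Value 1 -Type DWord
        Get-Process -Name sidebar -ErrorAction SilentlyContinue | Stop-Process -Force
    }
}

# Usage: report first, then apply. Run from an elevated PowerShell prompt.
"Sidebar policy state: $(Get-SidebarPolicyState)"
Get-InstalledGadget | Format-Table -AutoSize
Disable-Sidebar -WhatIf      # drop -WhatIf to actually apply the policy
```

Running it with `-WhatIf` first is deliberate: the write goes under HKLM, so a mistake affects every user on the machine. To undo it later you delete the `TurnOffSidebar` value (or set it to 0) and start the Sidebar again.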
This problem only affects Windows 7 and Windows Vista. Interestingly, Microsoft haven’t mentioned anything about this being a risk to the Consumer and Developer Previews of Windows 8. Desktop gadgets won’t be making it into the final RTM edition of Windows 8, or so we’ve heard, so it won’t be a problem there.
So just a heads-up to everyone: you may want to apply this Fix It if you’re concerned about your security. However, I imagine that Microsoft will release a general patch for this as soon as they can, as they can’t expect much of the general public to know about this vulnerability and actually go through the process of disabling the desktop gadgets.