Microsoft Security Advisory (2719662)

ronjor · #1 July 11th, 2012, 02:59 PM

Quote:

Vulnerabilities in Gadgets Could Allow Remote Code Execution

General Information
Executive Summary

Microsoft is announcing the availability of an automated Microsoft Fix it solution that disables the Windows Sidebar and Gadgets on supported editions of Windows Vista and Windows 7. Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets. In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time.

An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Applying the automated Microsoft Fix It solution described in Microsoft Knowledge Base Article 2719662 disables the Windows Sidebar experience and all Gadget functionality.

Recommendation. Customers who are concerned about vulnerable or malicious Gadgets should apply the automated Fix It solution as soon as possible. For more information, see the Suggested Actions section of this advisory.

https://technet.microsoft.com/en-us/...visory/2719662

Breakfastofchumps · #2 July 11th, 2012, 03:02 PM

Thanks for this.

siljaline · #3 July 11th, 2012, 04:27 PM

Thanks, Ron - fixed via Services and MSCONFIG.

siljaline · #4 July 12th, 2012, 01:19 AM

Microsoft fix kills Windows Gadgets, warns it could lead to PC hijacks

Quote:

Microsoft has warned that a Gadgets feature included in Vista and later versions of Windows could allow attackers to hijack end-user machines and has taken the unusual step of issuing an temporary update that allows it to be completely disabled.

"An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user," company officials said in an advisory issued Tuesday. "If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system." To be successful, they added: "An attacker would have to convince a user to install and enable a vulnerable Gadget."

Article

gerardwil · #5 July 12th, 2012, 02:43 AM

Quote:

Originally Posted by siljaline

Microsoft fix kills Windows Gadgets, warns it could lead to PC hijacks
Article

Isn't this the same as the original excellent post of Ronjor?

siljaline · #6 July 12th, 2012, 04:36 AM

The article cites the same MS Technet findings and recommendations, otherwise, it is not.

Quote:

Originally Posted by gerardwil

Isn't this the same as the original excellent post of Ronjor?

xxJackxx · #7 July 12th, 2012, 09:41 AM

I made the registry changes and exported so I could distribute to other machines. I don't see them fixing this ever, since they are wanting to kill gadgets anyway.

siljaline · #8 July 16th, 2012, 05:32 PM

Windows 8 will not support desktop gadgets, for reason cited in this thread, that have yet to be substantiated by Microsoft as written correctly.

It has been reported in many instances the Fit-it's are inverted.

Thankful · #9 July 16th, 2012, 05:53 PM

Quote:

Originally Posted by siljaline

Windows 8 will not support desktop gadgets, for reason cited in this thread, that have yet to be substantiated by Microsoft as written correctly.

It has been reported in many instances the Fit-it's are inverted.

Is 50906 "Enable" or "Disable"?
The headings and explanations show conflicating results.

siljaline · #10 July 16th, 2012, 06:02 PM

We are not sure, meaning, those in the security community, have implemented both, some desktop gadget functionality is removed, yet desktop gadgets can still be enabled, this is a fix that does not completely work.
I cannot say with 100 % certainty, which is which, or, what will do what.

Quote:

Originally Posted by Thankful

Is 50906 "Enable" or "Disable"?
The headings and explanations show conflicating results.

zfactor · #11 July 16th, 2012, 11:37 PM

i know some love those gadgets but imo good riddance. i dont use them nor will i ever. over the life of vista and 7 i have seen so many issues from them causing problems with various clients im personally glad to see them go.

Page42 · #12 July 17th, 2012, 05:02 PM

I'm not using any Gadgets, so does that mean I need to do anything?
And I have no idea where to find Sidebars (I looked in Accessories), so where is it?

siljaline · #13 July 17th, 2012, 05:58 PM

Please re-read further up the thread for a detailed explanation.

Quote:

Originally Posted by Page42

I'm not using any Gadgets, so does that mean I need to do anything?
And I have no idea where to find Sidebars (I looked in Accessories), so where is it?

Page42 · #14 July 17th, 2012, 06:45 PM

I did read the thread and as a result of reading the thread I have two questions...
1. I'm not using any Gadgets, so does that mean I need to do anything?
2. I have no idea where to find Sidebars (I looked in Accessories), so where is it?

siljaline · #15 July 17th, 2012, 11:05 PM

Assuming Windows 7: desktop gadgets overview, Desktop gadgets FAQ, Microsoft Answers

Page42 · #16 July 17th, 2012, 11:49 PM

The vulnerabilities discussed in the Advisory involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets.
Does anyone know if I still need to disable Gadgets if I am not running any of them?

siljaline · #17 July 22nd, 2012, 11:56 PM

The sidebar is still executed as cited here regardless of what fix-it used.
See:

Code:

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows 
Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

Best bet is to not run any desktop gadgets on Vista or Windows 7 regardless if you have run them or not.

xxJackxx · #18 July 23rd, 2012, 12:53 PM

Quote:

Originally Posted by Page42

Does anyone know if I still need to disable Gadgets if I am not running any of them?

I would just get rid of them altogether. Go to control panel, Programs and features, turn Windows features on or off, uncheck Windows gadget platform, reboot when prompted, done. No more gadgets.

m00nbl00d · #19 July 23rd, 2012, 12:59 PM

Quote:

Originally Posted by xxJackxx

I would just get rid of them altogether. Go to control panel, Programs and features, turn Windows features on or off, uncheck Windows gadget platform, reboot when prompted, done. No more gadgets.

That's one of the first things I do when I install Windows 7 clean.

Page42 · #20 July 23rd, 2012, 01:06 PM

Quote:

Originally Posted by xxJackxx

I would just get rid of them altogether. Go to control panel, Programs and features, turn Windows features on or off, uncheck Windows gadget platform, reboot when prompted, done. No more gadgets.

@ xxJackxx ...
Thanks, that was very clear! I did as you suggested.

To date, I have been relying upon the description from Microsoft that states, "An attacker would have to convince a user to install and enable a vulnerable Gadget."

Page42 · #21 July 23rd, 2012, 01:09 PM

Quote:

Originally Posted by siljaline

Best bet is to not run any desktop gadgets on Vista or Windows 7 regardless if you have run them or not.

Don't run them regardless if you have run them or not?

xxJackxx · #22 July 23rd, 2012, 02:45 PM

Quote:

Originally Posted by Page42

To date, I have been relying upon the description from Microsoft that states, "An attacker would have to convince a user to install and enable a vulnerable Gadget."

Which may be easier to have happen than one would suspect. If you for example install something like Norton Internet Security (or many other products) it installs a desktop gadget as part of the installation and opens it. An attacker would not need to prompt "Hey, install this gadget and run it too", they could slip it into many other processes. I'm sure most of the folks here would not get into that situation to begin with, but it probably wouldn't be any harder than it would be to slip a browser toolbar into your system. Better safe than sorry.

Page42 · #23 July 23rd, 2012, 04:50 PM

Quote:

An attacker would have to convince a user to install and enable a vulnerable Gadget.

Well, I'm not very knowledgeable on the topic, but it would seem that the operative phrase is "vulnerable Gadget."
Doesn't seem to me that NIS would install a vulnerable gadget on a user's system.
Bottom line, though, is as you stated... better safe than sorry.

xxJackxx · #24 July 24th, 2012, 08:44 PM

Quote:

Originally Posted by Page42

...Doesn't seem to me that NIS would install a vulnerable gadget on a user's system...

I don't expect they would, the point was ANY installer could install and run a gadget. That was just an example of how one can appear without you being specifically asked to install one.

bo elam · #25 July 28th, 2012, 10:18 PM

Quote:

Originally Posted by xxJackxx

I would just get rid of them altogether. Go to control panel, Programs and features, turn Windows features on or off, uncheck Windows gadget platform, reboot when prompted, done. No more gadgets.

Thanks, I also followed your instructions to get rid of them, did not even try them out in my new laptop with W7.

Bo

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search