Microsoft Security Advisory (2719662)

Thanks for this.

 

Thanks, Ron - fixed via Services and MSCONFIG.

 

Microsoft fix kills Windows Gadgets, warns it could lead to PC hijacks

Article

 

Isn't this the same as the original excellent post of Ronjor?

 

The article cites the same MS Technet findings and recommendations, otherwise, it is not.

 

I made the registry changes and exported so I could distribute to other machines. I don't see them fixing this ever, since they are wanting to kill gadgets anyway.

 

Windows 8 will not support desktop gadgets, for reason cited in this thread, that have yet to be substantiated by Microsoft as written correctly.

It has been reported in many instances the Fit-it's are inverted.

 

Is 50906 "Enable" or "Disable"?
The headings and explanations show conflicating results.

 

We are not sure, meaning, those in the security community, have implemented both, some desktop gadget functionality is removed, yet desktop gadgets can still be enabled, this is a fix that does not completely work.
I cannot say with 100 % certainty, which is which, or, what will do what.

 

i know some love those gadgets but imo good riddance. i dont use them nor will i ever. over the life of vista and 7 i have seen so many issues from them causing problems with various clients im personally glad to see them go.

 

I'm not using any Gadgets, so does that mean I need to do anything?
And I have no idea where to find Sidebars (I looked in Accessories), so where is it?

 

Please re-read further up the thread for a detailed explanation.

 

I did read the thread and as a result of reading the thread I have two questions...
1. I'm not using any Gadgets, so does that mean I need to do anything?
2. I have no idea where to find Sidebars (I looked in Accessories), so where is it?

 

Assuming Windows 7: desktop gadgets overview, Desktop gadgets FAQ, Microsoft Answers

 

The vulnerabilities discussed in the Advisory involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets.
Does anyone know if I still need to disable Gadgets if I am not running any of them?

 

The sidebar is still executed as cited here regardless of what fix-it used.
See:

Code:

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows 
Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

Best bet is to not run any desktop gadgets on Vista or Windows 7 regardless if you have run them or not.

 

I would just get rid of them altogether. Go to control panel, Programs and features, turn Windows features on or off, uncheck Windows gadget platform, reboot when prompted, done. No more gadgets.

 

That's one of the first things I do when I install Windows 7 clean.

 

@ xxJackxx ...
Thanks, that was very clear! I did as you suggested.
To date, I have been relying upon the description from Microsoft that states, "An attacker would have to convince a user to install and enable a vulnerable Gadget."

 

Don't run them regardless if you have run them or not?

 

Which may be easier to have happen than one would suspect. If you for example install something like Norton Internet Security (or many other products) it installs a desktop gadget as part of the installation and opens it. An attacker would not need to prompt "Hey, install this gadget and run it too", they could slip it into many other processes. I'm sure most of the folks here would not get into that situation to begin with, but it probably wouldn't be any harder than it would be to slip a browser toolbar into your system. Better safe than sorry.

 

Well, I'm not very knowledgeable on the topic, but it would seem that the operative phrase is "vulnerable Gadget."
Doesn't seem to me that NIS would install a vulnerable gadget on a user's system.
Bottom line, though, is as you stated... better safe than sorry.

 

I don't expect they would, the point was ANY installer could install and run a gadget. That was just an example of how one can appear without you being specifically asked to install one.

 

Thanks, I also followed your instructions to get rid of them, did not even try them out in my new laptop with W7.

Bo