Are widgets still considered a high security risk?

Discussion in 'other anti-malware software' started by ratchet, Mar 16, 2015.

  1. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,906
    x64 W7 SP1 Norton Security and Malwarebytes Premium. I did like the temperature sitting on the desktop! Thank you!
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I don't see how they're any more of a risk than any other executable.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,872
    Location:
    Australia
  4. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    The only gadgets I've ever used are the built-in clock and CPU/RAM meters in Windows 7. Installing Internet 11 is supposed to kill them, but I did that in two almost identical machines and in one, IE 11 is working with both gadgets still active. On the other, the gadgets made IE unstable and I could have them but not use IE 11. Not much of a loss since I don't use it anyway. I removed the gadgets and IE 11 still didn't work and I couldn't put the gadgets back on the desktop. I ended up reverting to IE 9 and restoring the gadgets. I don't see these two gadgets as much of a security risk.
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,872
    Location:
    Australia
    They are the two I use, but I haven't had any problem with them or IE11 on my two machines. Installing IE11 on either machine has never disabled gadgets for me.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Glad you brought this up! Was wondering the same thing recently. I disabled gadgets on my WIN 7 build a couple of years ago when MS first issued the security alert.
     
  7. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    454
    Location:
    Oklahoma City
    Just a suggestion - if you are looking for clocks, weather, etc., you might try Rainmeter - it's free, it's a very small load on the PC and it's very customizable. No Windows registry files are changed by using it. I've used it for years with absolutely no problems. Deviantart has many free skins for customizing it. Some of the desktops I've used in the past are shown on: http://johnburns.deviantart.com/

    You can download Rainmeter at: http://rainmeter.net/
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Quoting the Security Advisory from Technet:
    "Customers should consider the following ways that an attacker could leverage Gadgets to execute arbitrary code:

    • Microsoft is aware that some legitimate Gadgets running in Windows Sidebar could contain vulnerabilities. An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system.
    • An attacker could create a malicious Gadget and then trick a user into installing the malicious Gadget. Once installed, the malicious Gadget could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system.

    In addition, Gadgets can access your computer's files, show you objectionable content, or change their behavior at any time. Gadgets could also potentially harm your computer."


    These concerns are valid for every 3rd party software you run. Don't run software you don't trust, that goes for Gadgets as well.

    Indeed, I never understood the fuss about this.
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    That MS document is too vague, so I can't make out what the actual vuln/exploit is, but I guess it is only exploitable locally. If so, it is not much of a risk as long as you take measures against all common attack paths.
     
  10. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I thought this had been answered before? We had the same question from the same poster 2 years back....
    https://www.wilderssecurity.com/threads/are-w7s-widgets-still-considered-a-security-risk.340938/

    We have you by the gadgets - A Security Analysis of the Microsoft Windows Sidebar Gadget Platform:
    http://media.blackhat.com/bh-us-12/...nberg_Blackhat_Have_You_By_The_Gadgets_WP.pdf

    The inherent risks with gadgets (especially 3rd-party ones) are all listed under "Gadget Security Model" and "Overview of attack surface".

    Recommended mitigation would be to install gadgets from known trusted sources or remove the sidebar altogether if you do not use gadgets.
     
  11. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Here's one reason why:

    Source is from the same PDF file above.
     