Disable Windows Sidebar and Gadgets NOW on Vista and Windows 7. Microsoft warns of security risk


Users of Windows Vista and Windows 7 have been advised to completely disable their Windows Sidebar and Gadgets, in response to what appears to be a serious security risk.

The Windows Sidebar is a vertical bar that can appear at the side of your desktop, containing mini-programs (known as gadgets) that can provide a number of functions such as a clock, the latest news headlines, weather report and so forth.

Windows 7 Sidebar gadgets

A security advisory from Microsoft's security team warns that vulnerabilities exist that could allow malicious code to be executed via the Windows Sidebar when running insecure Gadgets.

The warning comes ahead of a talk scheduled for Black Hat later this month by Mickey Shkatov and Toby Kohlenberg. Shkatov and Kohlenberg's talk, entitled "We have you by the gadgets", threatens to expose various attack vectors against gadgets, how malicious gadgets can be created, and the flaws they have found in published gadgets.

Gadgets talk at Black Hat

"We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets."

If the researchers have managed to find ways to exploit existing gadgets, that's particularly worrying.

Clearly Microsoft is worried about the security researchers' findings, and has issued a "Fix It Tool" which will protect Windows 7 and Vista users by entirely disabling the Windows Sidebar and Gadgets functionality.

Yes, that's right. Microsoft hasn't issued a security patch to fix the vulnerability. They're suggesting you completely nuke your Windows Sidebar and Gadgets.

Which is bad news if you found those sidebar gadgets useful. You'd better find a new way to tell what time it is, or catch the latest from your favourite RSS feeds.

Sorry if it causes you any pain, but I would recommend you follow Microsoft's advice if you run Windows 7 or Vista and apply their "Fix It tool" as soon as possible. It may be a sledgehammer to crack a nut - but it's a nut that needs smashing, and fast.

Interestingly, Microsoft has dropped Gadgets from the upcoming Windows 8. In retrospect, that was probably a very good idea.

Did you use Gadgets in your Windows sidebar? Will you miss them? Leave a comment below and let us know if you found them useful, or whether you won't be mourning their demise.


108 Responses to Disable Windows Sidebar and Gadgets NOW on Vista and Windows 7. Microsoft warns of security risk

  1. This, genuinely, is the first security advisory I feel reluctant to put in. I actually find some mileage with the calendar and weather tool, since I don't really have a desk calendar and I work in a cavernous cubicle farm, with no way of seeing what the weather outside is like.

    Still. Better safe than sorry. I suppose looking up on RainMeter to replace the functionality I miss might be a good idea, now…

    • Telgar · 715 days ago

      This is actually the dumbest security advisory I have ever read. All you have to do to avoid this is NOT DOWNLOAD ANY WIDGETS. You cannot be hacked by a widget if you don't download them. Just keep the default Microsoft ones or ones you know to be trustworthy and you're safe. I hate people that go over the top nuclear on a threat.

      • xua19 · 60 days ago

        You obviously don't understand what the vulnerability is. Not only can dangerous apps be made, but the existing sidebar gadgets (clock, calendar, whatever) can be exploited by malware on your computer to gain full access to it. Without gadgets, the malware might be on your computer, but it certainly isn't going to achieve anything without the admin rights which a vulnerable gadget would give it if it was enabled.

    • RustBelt · 553 days ago

      "... I actually find some mileage with the calendar and weather tool ..."

      Check out the Wx, Calendars, etc at http://www.timeanddate.com/
      AND "file" the location in your Faves; limited functionality when not online.

    • Why Why · 213 days ago

      Gadgets vs Windows. Windows itself could be exploited. Does that mean M$ will stop supporting Windows?

  2. Guest0454 · 810 days ago

    Again MS reacting hardly on an unknown issue, instead of looking into it closely... The sole problem may be third-party gadgets, which, in my opinion, not a majority of W7 users install.

    • Unfortunately there's not very much information coming in about this from Microsoft at the moment. But it's quite possible that the researchers have shared their findings with Microsoft, and that MS knows more than they are currently sharing (perhaps to avoid more people exploiting the vulnerabilities).

      Also, note that the researchers claim that they have found ways to "misappropriate" existing gadgets.

      • wendell conn · 395 days ago

        So here it is a year later. I have just enabled a few gadgets and now I am reading about their vulnerability. Any updates on whether all gadgets are vulnerable? "How could an attacker exploit the vulnerability?
        An attacker would have to convince a user to install and enable a vulnerable Gadget." This is from Microsoft. From this doesn't it seem that only some gadgets are vulnerable? And what about running them from the desktop rather than the sidebar? Got no reply from Microsoft. Thanks.

        • Impalafarmer · 219 days ago

          I've just installed Windows 7 Professional 64 Bit. It still comes with gadgets. You can drag them anywhere on your desktop, there is no "sidebar". If these gadgets are so vulnerable, why would Microsoft still include them on a recent build (December 2013) of Windows 7? I like knowing the temperature, time & date at a glance myself. I think as long as you don't download any "bad gadgets" you'll probably be OK. I bought & installed Windows 7 Pro 64 Bit because I CAN'T STAND Windows 8. My desktop PC is just that, a COMPUTER, not a cell phone. I have a cheap Walmart Black Friday doorbuster notebook with Windows 8 and I hate it, I dumped all the stupid "app tiles" and use the desktop. You know, like a computer?

          • jpoulis · 176 days ago

            Exactly! For real work and real computing, you need a real computer - not a postcard size screen. The two are not interchangeable. Thank you!

  3. Bob · 810 days ago

    I will miss my clock and weather gadgets, but as tariqk says ...

  4. Matt · 810 days ago

    It might be the lack of caffeine affecting my thinking but which of the 2 fixes am I supposed to download if I want to disable the sidebar completely?

  5. Richard Connor · 810 days ago

    Microsoft has mislabeled the fix options. Select the disable option to enable the fix.
    This could be a problem for users who do not check for the gadget availability after a fix.

    • Richard Connor · 810 days ago

      That is the 50906 msi

      and thanks for the alert.

  6. Wendy · 810 days ago

    I will miss the sticky notes. Nothing else.

    • Adam · 810 days ago

      Try a program called Stickies on PortableApps

    • sharp · 810 days ago

      I have my Gadgets and Sidebar disabled, but Sticky notes still works fine. It's an application in %windir%\system32\stikynot.exe

      It's what I call the normal version, over the gadget sticky note version I saw once and was like eww how did they manage to ruin it as a gadget.

  7. Bob · 810 days ago

    I found out the hard way myself ...

  8. Laurette · 810 days ago

    I never use the gadgets to begin with. But, I also have never heard of this alleged threat. Oh well...onward and upward!

  9. guest · 810 days ago

    Funny just decided to try these out - yesterday! At least I haven't gotten used to them yet!

  10. rocketmaster · 810 days ago

    After Microsoft fixes it, can i enable Gadgets again?

  11. Mark · 810 days ago

    This news saddens me... :(
    Gadgets are such a useful way to see my CPU and GPU usage.

    • Robert Wurzburg · 810 days ago

      If you have an Intel motherboard, even if the BIOS is from another computer
      mfr. like Gateway, etc. then it's possible to go to Intel's website and install a
      monitoring program like Intel Desktop Utilities.

      Find the Intel motherboard number in your BIOS setup screen, or on the
      motherboard itself. Numbers start with AA-xxxxxxx or CS-xxxxxxx.

      The other thing you can do is keep the Task Monitor open on Performance
      to see at least some of the functions you want like CPU usage, etc.

  12. I love my gadgets. I keep track of weather in 6 cities and have my network, CPU, hard disk drive, and GPU monitoring running. Since I run my laptop sort of close to the edge of its performance, it is very useful for me to know (quickly) when something is leaking.

    My wife uses the analog clock, weather for about 4 cities, and the calendar.

    It is disappointing that the solution is to simply turn them off, and it is also unusual that Microsoft is dropping support so quickly. Normally features hang around forever.

    Is it likely that after the presentation on the vulnerabilities that a patch to, you know, fix the problem will come out?

    • Ginger · 707 days ago

      I use every one of those I've added! My clock is international so I know what time it is for the people I talk to overseas. I have the Twitter gadget & the weather one...I will miss them all so much. Why couldn't Windows come up with a solution for all the moth holes they seem to have in everything...I mean besides just kill it! Laziness?

    • RustBelt · 553 days ago

      There is a fix for the time app available; you can select a second clock to display in the taskbar - I have mine set for 'my' CDT and a second for HK (Hong Kong) time.
      There are lots more available

  13. Kristie · 810 days ago

    I use the Outlook Appointments mod. I will miss it greatly. It lists all of my appts in an agenda format so I don't have to actually open my calendar to see what my next 5 apps are.

  14. lrm537 · 810 days ago

    Can't we just disable this in "Turn Windows features on or off"

  15. barbara · 810 days ago

    How do I disable the Windows sidebar/gadgets?? I'm very new to the computer... thanks

  16. robotman321 · 810 days ago

    Lame! I use two GPU monitors along with a CPU monitor cause it's a lot easier to watch than Task Manager ! Lameeee

  17. Alexander Tan · 810 days ago

    OMG. Is there an alternative for NETWORK METER? That's the only gadget I use and I find it very useful. Too bad I'll have to turn it off.... :-(

  18. Robert Wurzburg · 810 days ago

    I have my Gadgets disabled, never used them. You might have to turn off Aero to do
    this first. Aero is such a waste of resources, I effectively disabled it in my settings and
    use the Windows Classic Theme. You need that setting, and to turn off Aero features
    by disabling (unchecking) certain settings in your graphics. That will disable Aero and
    Gadgets completely, as Gadgets use the Aero interface.

  19. Ken Uhlik · 810 days ago

    I did not like them to begin with (I disabled them 2 years ago), but if you like them, you can always use Opera browser. (I don't use them there either, some of them take over like a Hitler.)

  20. dragonfae · 810 days ago

    Won't miss a darn thing. When we were stuck with Windows 7 (bought a new laptop a year or so ago) I turned off the sidebar when setting the machine up, (I'm mostly an "old school" purist when it comes to computers)

  21. Lee Ann · 810 days ago

    Quandary - how does a person know which fix to use?

  22. JimboC · 810 days ago

    Apologies, the file path to the Sticky Note Application should have read as follows:

    %windir%\system32\StikyNot.exe

    In a more recognizable format:
    C:\Windows\System32\StickyNot.exe

    Thanks.

  23. JimboC · 810 days ago

    To access and download the fix, simply visit the following knowledge base article:
    http://support.microsoft.com/kb/2719662

    Enabling the workaround will disable Windows Sidebar and Gadgets. In other words you want the first Fixit article with the number 50907.

    For your information (good news for those that use sticky notes), under Windows 7, Sticky Notes is still available after applying this fix since it is a separate Windows application and is not a gadget application (located at %windir%\system32\StikyNot.exe).

    However, on the 2x Windows 7 64 bit SP1 PCs that I have enabled this workaround on, it simply closes the gadgets that were in use and they can easily be displayed again (I rebooted after applying the workaround).

    The method that worked for me was the registry fix described in the Security Advisory (see the section: Suggested Actions->Workarounds->Disable the Sidebar in the system registry). This permanently disables the gadgets, you can’t re-enable them.

    Link to the security advisory:
    http://technet.microsoft.com/en-us/security/advis...

    I can’t say that I will miss gadgets. They were a memory hog, using about 50 MB (3 gadgets in use) on the Windows 7 64 bit SP1 PCs that I have seen (which were not my PCs). I too, am a little old fashioned and want my large 27 inch screen to be used for my applications and not for doubling up on items, e.g. having an analogue clock when you already have a digital clock in the lower right corner of the screen.

    If you want a CPU monitor, use RealTemp or CoreTemp. For GPUs, use GPU-Z, EVGA Precision or MSI Afterburner.

    I hope this helps. Thanks.

  24. KDS · 810 days ago

    An earlier post said that the workarounds were mislabeled, yet the preceding post does say to enable the workaround (50907) to disable the sidebar and gadgets. My question is this. After enabling the workaround and restarting my computer, gadgets still showed up on the desktop. I would have expected them to be gone. Have I used the correct "fix it"?

    • winx · 810 days ago

      Same issue with Windows Vista Home Premium x32. After 50907 nothing has happened.

  25. Cathy Liebgold · 810 days ago

    Darn it! I really liked the gadgets that I used! Keeping track of the GPU temp, the temperature and a couple of others. I hope they get this fixed. I want to use them again. I will have to look for third party gadgets and hope they don't have malware installed with them.

  26. Soshimo · 810 days ago

    I used gadgets when I first got Win7 but a lot of them were buggy and they didn't integrate well with my already existing systems and procedures (I use a custom temperature monitoring software that integrates with custom notification hardware I built - the cpu/gpu gadgets had no idea what that was). After that they just used up valuable desktop real estate. I like a clean desktop and the gadgets just seemed to clutter it up.

  27. winx · 810 days ago

    "To enable or disable this Fix it solution, click the Fix it button or link under the Enable heading or under the Disable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard."

    We must DISABLE to get it work !!! Confusing...

  28. JimboC · 810 days ago

    Hi KDS,

    Sorry for the confusion. I have used many Microsoft Fix It Security Workarounds in the past, enabling the workaround would always disable the functionality in question as intended.

    However, as was previously pointed out, it appears they were mislabelled. I also fell for this, hence my reason for using the registry steps to disable the sidebar/gadgets which worked. I have confirmed that the workarounds were mis-labelled, using the disable workaround worked as intended, gadgets no longer work.

    @Cathy Liebgold: Using the security workaround will disable all gadgets, including 3rd party gadgets. You will either have to find full applications that carry out the function as your current gadgets or find an online website/service that offers the information that the gadgets currently provide to you.

    Windows 8 apps will most likely offer the same functionality as gadgets but as a Metro UI app, so all is not lost.

    Also, hoping that something does not contain malware is not enough. Verify the source of any software you download as trustworthy, scan the file with your anti-virus/anti-malware software as a minimum security precaution.

    A good additional check is to examine the Properties of the file (right click it and choose Properties), then look for a Digital Signature tab in this Properties window (not all files will have a digital signature). Check that the digital signature issued belongs to the company that you expected and that the signature is still showing as “OK” i.e. not tampered with.

    I will try to contact Microsoft via their website to mention this error in their documentation. I hope this helps. Thanks.

  29. Sootie · 810 days ago

    From the original post it says that they might be able to develop new gadgets that contain malware or vulnerabilities, I can't see any issue with keeping the gadgets that you have had installed for years. Gadgets are just mini web pages and any webpage can contain malware, not really a revelation.

    I only use the Windows weather gadget and the CPU temp one anyway and I wouldn't really miss them as I have apps covering them almost all the time anyway but they are still staying there until I see a real reason to remove them.

    Also to the people not using Aero and calling it a resource hog, it does use more resources but I am at least twice as efficient using Aero Peek and the other Win 7 taskbar enhancements and unless you have a computer from 2005 then you should be able to run Win 7 with Aero.

  30. Jon · 810 days ago

    The loss of the sidebar is of little concern to me as I only currently use the clock, but a few years ago I downloaded some gadgets that are only in the gallery (not running).

    Will my computer be affected next time I use it? As I am unable to get there until tomorrow. I have AVG by the way.

  31. Chicago Mary · 810 days ago

    I will miss the two gadgets I use(d).

  32. Shiny317 · 810 days ago

    Oh no, the calendar and clock has to be disabled... how will I know the date or time? Oh that's right, it is, will be and always ever has been in the system tray anyway. I remember now why I turned off the pointless Gadgets in the first place.

  33. powerwriter · 810 days ago

    I use the calendar, clock and Quotes by IDC for the current stock market indexes. I will miss my gadgets!

  34. MikeP · 809 days ago

    I'm confused!
    I ran the Enable version of the MS Fix-it and rebooted. The sidebar and gadgets are still there!
    I ran the Disable version and rebooted. The sidebar and gadgets are still there!
    So what is meant to change?
    I suspect I'll have to resort, reluctantly, to hacking the registry which is always nerve-wracking and I always take a full back-up just in case things go wrong.

  35. JimboC · 809 days ago

    @Mike

    You are right in your approach, simply back up the registry and follow the step by step instructions of the security advisory slowly and you should be fine:
    http://technet.microsoft.com/en-gb/security/advis...

    See the section: Suggested Actions->Workarounds->Disable the Sidebar in the system registry.

    What you are experiencing is in contrast to what happened to me, the Disable Fix It tool actually carried out these registry changes for me, while the Enable Workaround removed the changes.

    If you feel that I can help explain in any way, please let me know.

    @Sootie
    I stated that the gadgets were a resource hog since having 3 gadgets open causes Sidebar.exe (located at C:\Program Files\Windows Sidebar\Sidebar.exe) to use about 50 MB of RAM on a 64 bit Windows 7 SP1 PC. Since the gadgets consist of a collection of CSS, XML, HTML and JavaScript files do you not think that 50 MB is a little heavy just to have 3 of these running?

    From what I can tell from recent blog posts and new articles, Microsoft have chosen to disable gadgets since there is the potential to introduce malware by the malicious downloading of new gadgets or exploiting the weaknesses of existing gadgets. If the flaws to be demoed at BlackHat are serious enough, it could result in scenarios of people only needing to visit a malicious website (not intentionally) which could cause the silent download of a malicious gadget or use of an existing gadgets with the potential to cause further harm. Such links to these websites arriving via the usual methods of spam, instant messages or social engineering techniques from social networks etc.

    It could be that to effectively mitigate against the potential threat required too many changes to Windows to warrant doing so and it was considered best to simply disable gadgets. In support of this point, in January of 2008, Microsoft released an update to improve the security of the Windows Sidebar for Windows Vista:
    http://technet.microsoft.com/en-gb/security/advis...

    Its purpose was to block potentially malicious gadgets while still allowing legitimate ones to run. Since new methods of exploiting gadgets are to be unveiled at BlackHat, to me it seems clear that rather than use resources to fix the flaws to be demoed at BlackHat, it is simply best to disable them. While the gadgets that you are using now are legitimate they may not be built according to modern security best practices (e.g. the Microsoft Security Development Lifecycle).

    Since Microsoft credits the authors of the presentation to be given at BlackHat with assisting them in making this decision (you can see this credit at the end of the Security Advisory), Microsoft must deem the issues to be discussed serious enough to take action now. I look forward to finding out exactly how serious later this month when the presentation is given, I will be following the security blogs closely to find out.

    A little more information on their decision to disable can be seen in the following blog post:
    http://blogs.technet.com/b/msrc/archive/2012/07/1...

    If the decision was taken to keep gadgets after the above flaws were demoed and Microsoft took the time and resources to fix all of the flaws, it may require too much re-coding of existing gadgets which the developers of those existing gadgets are not going to waste resources on to re-code when such gadgets are going to be scrapped in favor of the new Metro UI apps when Windows 8 arrives in the coming months.

    A similar decision was taken when a flaw in Windows Explorer was announced in April 2006:
    http://technet.microsoft.com/en-us/security/bulle...

    If you check the FAQ of this security bulletin you will see that a similar decision was taken with regard to Windows 98, 98 SE and Windows ME while the update was available for Windows 2000, XP and Server 2003. Too much re-coding was required for the older versions of Windows and was deemed not necessary for the diminishing benefit it would have. A similar comparison can be made between the shift from gadgets to Windows 8 apps.

    For details of the new coding practices for Windows 8 Apps, you can refer to the following Channel 9 video:
    http://channel9.msdn.com/events/BUILD/BUILD2011/A...

    ------------------------------
    Off-Topic:

    My own PC uses a Core i7 2600K (quad core CPU with 8 threads due to SMP) and 16 GB of RAM so, I can spare the extra RAM overhead but I don’t tolerate such high RAM usage from such small applications. Yes, Windows Aero could be described as a resource hog too but it actually uses comparatively little RAM for all of the functionality and usability it provides.

    When I say Windows Aero, I mean dwm.exe (Desktop Window Manager) which uses about 45 MB on my PC while explorer.exe uses about 115 MB. I consider Windows 7 very efficient and Windows 8 is even better. Full details of Windows 8 memory usage are available from the following link:
    http://blogs.msdn.com/b/b8/archive/2011/10/07/red...
    ------------------------------
    I hope this clarifies why Microsoft MAY have taken the decision to do this. I am simply basing my argument on what I have seen them do with other security updates over the years.

    Thank you.

    • poopship · 656 days ago

      16 gigs of RAM and you're nitpicking over 50 MB? 50 MB of RAM that will be free to use if you actually ever need to use it. Come on dude.

  36. Jedsshed · 809 days ago

    I guess, since this is just an “Advisory” (and not a “Bulletin”), the Windows 7 users have not been notified?? Does this mean Microsoft does not take this as a threat?

    • JimboC · 809 days ago

      Hi Jedsshed,

      Microsoft does take this threat seriously and I think they have done a good job. They have closed off a potential point of attack before such attack details are given and made available to the public and the wider security audience.

      This advisory is for Windows Vista and Windows 7 users. They have not been notified explicitly unless you have signed up for Security Advisory alerts via email from the following link. You can also sign up for security blog and security bulletins notifications via email too:
      http://technet.microsoft.com/en-us/security/dd252...

      I take your point though; it is more difficult than it should be to find out about such important security changes. I have monitored these blogs and websites for many years, which is how I have come to know so much about Microsoft’s approach to security as my previous posts demonstrate.

      I never considered how anyone would find out about this advisory if they do not monitor the blogs, I have simply become too used to knowing where to look! I suppose this is what the Sophos Naked Security blog is for! Namely to monitor any changes for us and let us know what action to take.

      Thanks again to Graham Cluley for keeping us informed.

      Here are the links to the Microsoft blogs that I monitor on a regular basis. I have only included the most relevant blogs:

      Microsoft Security Response Center: http://blogs.technet.com/msrc/

      Microsoft TechNet Security Center: http://www.microsoft.com/technet/security/default...

      Microsoft Security Research and Defense: http://blogs.technet.com/b/srd/

      Microsoft Malware Protection Center: http://blogs.technet.com/b/mmpc/

      By the way, just to clarify, when I say “monitor” blogs, I simply mean visiting them and reading anything interesting, I am NOT a moderator or admin for those blogs. I am just an average user like you.

      I hope this helps. Thanks.

  37. Jake · 809 days ago

    Thanks for yet another bug filled security product Microsoft. On to Ubuntu!

    • Phoneutria · 292 days ago

      Just disable every Windows feature possible and I bet you get Windows as secure and with same features as Ubuntu.

  38. Chris Taylor · 809 days ago

    From the advisory;

    "Disabling the Windows Sidebar and Gadgets can help protect customers from vulnerabilities that involve the execution of arbitrary code by the Windows Sidebar when running insecure Gadgets" - and this differs from needing to protect me from a vulnerability in any insecure application exactly how?

    "In addition, Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time." and this differs from any other application exactly how?

    "An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." and this differs from an attacker who successfully exploits a vulnerability exactly how?

    A gadget is no more inherently insecure than ANY other application!

    • JimboC · 809 days ago

      Hi Chris,

      The answer to all 3 questions is: there is no difference between this vulnerability and another vulnerability. The same methods of exploitation will be used, but just to a gadget and not a traditional application.

      By traditional application, I mean a Windows Portable Executable (PE) file with a .exe extension or an application that is a DLL but runs by using RunDll32.exe.

      Given that the details of the upcoming Black Hat presentation are not yet known, I can’t say for sure if a gadget is less secure than another application.

      Right now though, you are correct, a gadget is no less secure but it is another means of attack that you should protect yourself against by disabling gadgets as per Microsoft’s recommendation. I realize constant patching/updating is frustrating but believe me malware infecting your computer is far more frustrating!

      Gadgets consist of a collection of CSS, XML, HTML and JavaScript files:

      Source: http://msdn.microsoft.com/en-us/library/windows/d...

      For those interested, the difference between a .exe and a DLL file is explained in the following MSDN magazine article:
      http://msdn.microsoft.com/en-us/magazine/cc301805...

      Thanks.

  39. David · 809 days ago

    So because you can run a gadget that may contain malware, the gadget functionality is to be disabled.
    Presumably
    Because you can view a compromised pdf, the acrobat reader functionality is also to be disabled
    Because you can download a compromised file, the download functionality is also to be disabled
    Because the TCP/IP permits downloading of compromised files, TCP/IP is also to be disabled.
    Or have I missed something:
    Is this "fix" just a means to enable corporates to stop their employees "playing" with gadgets?

  40. JimboC · 809 days ago

    Hi everyone,

    Good news, the relevant knowledge base article for this advisory has now been corrected. The 2 workarounds were mislabelled which explains the unexpected behavior:
    http://support.microsoft.com/kb/2719662

    I posted in a thread on the TechNet forums about this and it was fixed by a forum moderator (at least that is who it appears to be).
    http://social.technet.microsoft.com/Forums/en-US/...

    Thanks.

  41. AAK · 809 days ago

    If I'm running:
    - Decent AV
    - Decent Firewall
    - Windows Defender
    - NAT router

    What is the likelihood of me getting hacked by leaving them enabled?

  42. Guest · 809 days ago

    When I had vista I used the sidebar often but it crashed at times and I can understand the vulnerability issue. I don't have them with Win 7. Ironically I looked for a few to download before this happened. Glad I didn't. However, I miss the sidebar...

  43. Ameer · 808 days ago

    I will really miss the 'all CPU meter and temperatures' gadget :(

  44. Donna Mac · 808 days ago

    A friend of mine did the "fix" but is telling me after she did the Microsoft fix she lost all of her photos, documents, etc. How can that happen?

    • JimboC · 806 days ago

      Hi Donna,

      That is unexpected behaviour; please contact Microsoft Support to resolve this:
      http://support.microsoft.com/gp/assistsupport

      Since this support is in relation to a Microsoft Security update, your friend should not be charged for this support.

      I have installed this update on 4 different computers and it works as expected with no loss of data.

      I hope this helps. Thank you.

  45. Michael ET · 808 days ago

    Good thing I am on Linux!!

  46. Beyond the Pale · 802 days ago

    I lost my Kaspersky gadget. (Yeah, it's still down there next to date and time)

    Best Buy's Geek Squad said it was perfectly fine to keep the Kaspersky gadget, since it wasn't downloaded from the internet.

    Since I received such wonderful assurances from the Geek Squad, I immediately ran the fix. Using the correct (and still mislabeled) one.

    AAAAAGGGGHHHH! What more can they screw up? (yeah, best not to answer that...)

    • Dangitall · 777 days ago

      Well, in the interest of dispersing knowledge, whilst browsing Microsoft's bulletins, I found a bulletin entitled "Grammer Checker". They even managed to spell it correctly in the body of the bulletin, but the headline really stands out...as in outstanding work!

      Perhaps the same person(s) who mislabeled the Gadget Fixit tools?

  47. guest · 796 days ago

    This seems to me to be a sorry cop-out like Oracle pulled. "Oh it's just too hard to fix so.....we won't". Really? These people employ several highly paid programmers, make them earn their money and fix the problems they created in the first place. If they can't get the job done replace them. There are thousands of qualified people looking for jobs that would gladly replace the people who don't want to do their jobs.

  48. Martin Hubel · 795 days ago

    I followed the instructions and disabled my sidebar. However, the consequence of disabling the sidebar was that my only user id had its administrator rights disabled as well. I was reduced to a standard user, which left me without full control of my machine.

    I was able to restore my administrator status by turning User Account Control off momentarily. However, even after backing off this Microsoft supplied fix, I am unable to add or manage ODBC system data sources, which I absolutely require for my work.

    I suggest great caution around this fix. There appear to be other consequences.

  49. techx64blog · 775 days ago

    I find Rainmeter Windows 7 gadgets better than the stock Windows gadgets.

  50. Moresy · 737 days ago

    When I travel I always like to know what time and temperature it is at home for phoning etc.
    They will be sorely missed. Are there any alternatives?

  51. PapaFrita · 728 days ago

    That's too bad. I find that being able to access Google Calendar, Pandora, and news feeds from my desktop is very handy, much more so than doing it through a browser. The gadgets take up a lot less memory. I hope they find a fix instead of just giving up. I know they're hoping everyone moves on to Windows 8, but Windows users like having options.

  52. Dale Rickert · 721 days ago

    Gadgets, I loved them. Why is it Microsoft never listens to the people and what they want? I love to be able to see my items fast and to make some cool ones that make my day better. Stop making new OS systems and just make a good one instead of making a new one every damn year.

  53. Nightznice · 716 days ago

    I may come off sounding like a conspiracy nut, but... Doesn't it seem really weird that there is suddenly a huge security issue with Windows Sidebar Gadgets on the eve of the coming release of Windows 8? I mean first MS decides to stop supporting this very useful feature because it doesn't fit into the new Win 8 scheme of things. But because it's a useful Win 7 feature that the community outside the scope and control of MS support there is suddenly a "horrible security issue" which reduces a functionality of Win 7. It just seems a little too convenient to me.

  54. Gary · 715 days ago

    Unknown to me my weather gadget, which came with Windows, caused hackers to send me unwanted lewd material. So, I advise everyone to be careful. Gary in Las Vegas

  55. ibsteve2u · 709 days ago

    Somehow this slipped right on by me...I didn't start investigating until I tried to find the Microsoft gadget gallery (http://windows.microsoft.com/is-IS/windows/downloads/personalize/gadgets) in a search for a solution for a specific need and read

    "Because we want to focus on the exciting possibilities of the newest version of Windows, the Windows website no longer hosts the gadget gallery."

    which - because of my long experience in the field (I still remember my intense excitement at the networking and expanding batch command capabilities of Windows for Workgroups...hey, finally the PC was going to do stuff I could do on DEC equipment!) - caused me to "smell a rat".

    Soon - and sure - enough, a web search led me here.

  56. TECH_JEFF · 704 days ago

    I liked a few of the gadgets and never used 3rd party ones. Never had any issues - for years! Does this mean it's back to Yahoo widgets?

  57. dec · 703 days ago

    I found a few things very useful. Clock set to other location, temperature, currency exchange, clipboard by Jan Zeman, Screen snaper. Very sad.

  58. Peter · 701 days ago

    Well, I've been using the CPU, GPU & Network meters, a clock, and the Kaspersky gadget, under Vista. Now that I'm running 7, most of all I really miss the Network gadget's ability to refresh the local & ISP network settings, which very frequently drop bandwidth quite rapidly, and often seem to benefit from some frobbing. Sitting here waiting forever for DLs is so irritating, especially if I can't DO anything but sit & wait.. all the apps out there seem to focus on refreshing the list of available networks to connect to, not refreshing the one one is already on. grr. And the Kaspersky gadget is a security hole, LOL!!! what can I say?! inverted humour !

  59. Bruce52 · 693 days ago

    If I really wanted to be safe wouldn't I simply disable the Internet? I mean, isn't that mostly where our security issues come from? I don't care how many gadgets you disable or how many anti-virus programs you run, somebody is concocting a new threat every minute from out there in cyberspace and the odds are good we'll all get hit sometime.

  60. Ian Downie · 688 days ago

    I downloaded from the link 'fix it tool' above. When I restarted the desktop was clean; so is 'My Documents' 'Pictures' and 'Videos'! Everything completely gone. Tragedy. No problems before, just followed the advice 'to be safe'. Prime lesson in 'if it ain't broke, don't fix it!'

  61. baggenesse · 688 days ago

    Never got a message about this from Microsoft and this was posted in July and it's now November. Shit I still use all of my gadgets and two of them are third party distributed.

  62. Alibaba505 · 672 days ago

    The story is interesting for old ladies and grandpa. Each time when a new product is in sight (Win8) or something similar, a new useful program, they say it will be a target for hackers (the old one - gadgets this time).
    The story is only for those who are forced by it to buy, buy, buy..... etc. new products (this time it is Win 8) and until this moment gadgets are and are not any problem. Interesting?
    Just use licensed antivirus, as I do, NOD32 is the best, and use licensed antimalware, for instance Malwarebyte, and you can freely and safely use your gadgets.
    The story is only for small children.

  63. Since the only ones I use are the pre-installed MS gadgets, the clock and weather tools, then I am safe. I'd never install a 3rd party gadget anyway so it really doesn't affect me.

  64. Bill Johnson · 654 days ago

    So how is this such a security risk, and how is a firewall, anti-virus, and anti-malware software so woefully inadequate to address it? Humor me with specifics. By the logic presented here, I guess I better stay off the internet, too.

  65. Evan · 643 days ago

    I strongly suspect there is more going on than meets the eye. A gadget is simply an executable program like any other application that runs on the system. It poses no particular additional risk over other apps.

    However, it may well pose a marketing risk for Windows 8 by adding functionality that Microsoft only wants available in Windows 8. Simply abandoning an actually useful feature in the OS is not Microsoft's typical approach. In this case the security risk is probably real but no different than the risk posed by any other program and subject to the same defenses. The marketing risk is also very real and of much greater importance to MS. Naturally, it is not something they will speak about.

  66. Evan · 643 days ago

    I use gadgets and find them useful so I did some more investigating. I have been programming since 1963 and am still active. It appears that most gadgets are written in either Javascript or Visual Basic. They are handled by the Windows Scripting Host. That has been a target and source of vulnerabilities in the past along with nearly every part of the operating system since Win 3.0.

    I see nothing special about the Sidebar that would pose any extra risk. Gadgets are generally very simple programs with very little code to exploit. Something such as a simple clock program does little more than read the system time and draw some appropriate graphics on the screen using a small cache of pre-drawn shapes. It usually writes a few bits of ordinary text to a settings file in the same directory as the script file. That's it. It isn't much of a target for hacking unless the Scripting Host is buggy.

    If there is a problem with the Scripting Host then Microsoft needs to fix it regardless of whether the side bar is enabled or not. That isn't the only use for it.

    I smell a marketing rat.

  67. PTKoelle · 628 days ago

    I just stumbled upon this article and also find Microsoft's reaction a bit curious.

    1. If it is a truly important security issue, why is it not part of Windows Update? Why has it not been a major news item?
    2. Rather than fixing the insecure code that allows Sidebar Gadgets to create a security risk, why has MS told people to instead disable the feature?
    3. It should be safe to assume that gadgets made by Microsoft are secure, but that doesn't seem to be mentioned. Are they also inherently insecure or is the issue overblown?
    4. Alternate gadget packages (e.g. Rainmaker) are not any safer since they are also made by third parties. Again, it comes down to the intention of the developer and the intelligence of the user to avoid introducing system security holes by installing garbage.
    5. The Windows 8 tile UI is essentially an implementation of gadgets (i.e. live informational views and the ability to execute actions). One could get the impression that MS is telling users to disable Sidebar gadgets to push people towards Windows 8.

    Personally, I suspect this is an overreaction to a legitimate (but small) security issue blown out of proportion by MS deciding to not fix it to encourage Win8 sales. I plan to keep on using the same half dozen gadgets made by MS and two developers that I've been using without a problem since 2006.

    • Fixitman · 608 days ago

      "The Windows 8 tile UI is essentially an implementation of gadgets (i.e. live informational views and the ability to execute actions). One could get the impression that MS is telling users to disable Sidebar gadgets to push people towards Windows 8"
      So, Windows 8 is inherently insecure, because it's built around something MICROSOFT itself told you to disable on a previous version.
      Brilliant!
      Who would buy this crap? The last good OS Microsoft had was Windows 2000. XP was too hard to get used to. I'm now using Xubuntu Linux. No security problems, no constant "fixes" and no updates, if you don't want them. It just works. AND IF YOU DO want a new OS, there is a new one out every six months, FREE. If you don't want it, the old one works just fine, for years, without messing around.

  68. Yakov Lanskiy · 625 days ago

    Gadgets are the main reason I like Win7. To take them away is to me a crime. I like my gadgets, especially the weather, translator, and clock gadgets, and the money changer. I WILL find others on the net or wherever and do not care where I have to go to get them. If I cannot get them, I will move to Linux where all is free and never a crooked upgrade.

  69. Yakov Lanskiy · 625 days ago

    You not only took away the weather gadget, but also shut down the server that fed it. Shame on you, and all to try to sell Windows 8. I will go to Linux if I cannot replace that weather gadget with a functional alternative.

  70. Hardwire · 483 days ago

    So far the only one that has seemed to make any sense of all this is PTKoelle, I’m with him/her.
    I also only see "security risk" being used without any hard facts of the breach. Without hard facts, it makes it pretty hard to believe there is a real threat of any kind with the MS Gadgets. Third party gadgets I can see a possible risk with, however so long as you have a good security tool in place that continuously monitors malicious activity you have nothing to worry about imho. ;)

  71. Tim · 469 days ago

    I haven't applied any fixes, but my gadgets just disappeared. I want them back. The only thing I did today was update RealPlayer and my gadgets are gone. Gonna try dumping RealPlayer.

  72. T.A. · 454 days ago

    This is just total BS to get people to use Windows 8! Plain and simple!

    Microsoft has discontinued the Gadgets website with an announcement to instead use their live tiles within Windows 8! Pure marketing ploy!

    Gadgets running on desktops which were included with Windows 7 would be fine to use. Why would MS issue gadgets which had the vulnerabilities in the first place!

  73. Riker · 420 days ago

    What makes a Windows Live Tile safer? And why can't the vulnerabilities be fixed?

  74. This is stoopid. I will not, shall not do this after all the hard work I put into making myself a custom Gadget from scratch, and I'm still working on it. The only way you would make me do this is if cows flew and my computer could keep proper time and have the weather displayed on my window.
    And name at least 1 program that can't be hacked/exploited/infected/corrupted, because truly I don't think you can, because if you can program it then someone out there will find a way.

  75. Cyberslueth · 381 days ago

    Are you not all aware this is just a way to make people become fearful of Windows 7 and migrate to Windows 8? This is poppycock nonsense when it comes to the onboard gadgets Microsoft included in Windows 7.

    Now third party gadgets from any site is inviting a possible problem but I see nothing more than a well planned security scare from Microsoft to sell Windows 8.

  76. Anonymous · 309 days ago

    Ok, having a hard time wrapping my brain around this one ... what makes the Windows 8 "Apps" (fancy new name for Gadget) any less vulnerable than the Win7 Gadgets?

  77. John smith · 308 days ago

    That's it ... I am moving to Apple ...

  78. Anonymous · 266 days ago

    To hell with Microsoft! My gadgets are staying right where they belong, I shall simply uninstall the "fix" if Microsoft try to sneak it onto my computer!

    • thgun · 207 days ago

      Sorry to sink your floating boat. Mine automatically packed up, wouldn't display properly and they couldn't be reconfigured. If mine have just given up yours most likely will too.

  79. Eliminating the gadgets is a first step in a Microsoft masterplan to transition its customers to closed PCs onto which you will be unable to load software in the conventional manner. They intend to end the selling of shrink-wrap packaged retail software, and move its customer base to "secure digital delivery" of new applications. They assume as do many that EVERYONE has internet access, and high-bandwidth access at that.

    They have, in essence, thrown in the towel on any attempt to create a properly securable desktop OS, and are trying to build a software Maginot Line instead. We know how that worked out for the French.

  80. lynn s · 242 days ago

    So what happened at the supposed Black Hat expose that triggered all this?

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.