Microsoft is advising system administrators to disable the Windows Sidebar and Gadgets in supported versions of its desktop operating system due to security concerns. Written in JavaScript, CSS and HTML, Gadgets in the Windows Sidebar are small software widgets which were introduced in Windows Vista and are currently supported in some editions of Windows 7.

In a post on the Microsoft Security Response Center (MSRC) blog, the company says that, as some Gadgets "don't adhere to secure coding practices", they can pose a potentially serious risk to users' systems. These vulnerable or malicious Gadgets could be used by an attacker to inject and execute malicious code to compromise a victim's system.

The advisory comes just two weeks ahead of a planned presentation that will be given at this year's Black Hat information security conference, which will take place on 25 and 26 July in Las Vegas. In the presentation, security specialists Mickey Shkatov and Toby Kohlenberg will talk about how the Windows Gadget Platform can be exploited, and describe their research into creating malicious apps as well as using flaws in legitimate apps as attack vectors.

In the upcoming release of Windows 8, expected to arrive in the autumn, the Sidebar and Gadgets will be deprecated and no longer supported as Microsoft shifts its focus to Metro style apps for the Metro UI. Ahead of the release of Windows 8 and because of these concerns, Microsoft has now taken down the Desktop Gadgets Gallery. In a Knowledge Base Article, the company has provided a Fix it tool that disables the Windows Sidebar and all Gadget functionality in Windows.

(crve)