Windows 7 Forums


Vulnerabilities in Gadgets Could Allow Remote Code Execution

 
 
MowGreen
      07-20-2012
Microsoft Security Advisory (2719662)
Vulnerabilities in Gadgets Could Allow Remote Code Execution
https://technet.microsoft.com/en-us/...visory/2719662

" Microsoft is announcing the availability of an automated Microsoft Fix
it solution that disables the Windows Sidebar and Gadgets on supported
editions of Windows Vista and Windows 7. Disabling the Windows Sidebar
and Gadgets can help protect customers from vulnerabilities that involve
the execution of arbitrary code by the Windows Sidebar when running
insecure Gadgets. In addition, Gadgets installed from untrusted sources
can harm your computer and can access your computer's files, show you
objectionable content, or change their behavior at any time.

An attacker who successfully exploited a Gadget vulnerability could run
arbitrary code in the context of the current user. If the current user
is logged on with administrative user rights, an attacker could take
complete control of the affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with full
user rights. Users whose accounts are configured to have fewer user
rights on the system could be less impacted than users who operate with
administrative user rights.

Applying the automated Microsoft Fix It solution described in Microsoft
Knowledge Base Article 2719662
( http://support.microsoft.com/kb/2719662 )
disables the Windows Sidebar experience and all Gadget functionality.

Recommendation. Customers who are concerned about vulnerable or
malicious Gadgets should apply the automated Fix It solution as soon as
possible. For more information, see the Suggested Actions section of
this advisory. "


Kill those Vista and Win7 gadgets now!
http://windowssecrets.com/top-story/...7-gadgets-now/

The presentation on the sidebar and gadgets vulnerability (ies) takes
place @Black Hat by Mickey Shkatov and Toby Kohlenberg next Thursday,
July 26th. As yet, thankfully, few details have been released other than

" We will be talking about the windows gadget platform and what the
nastiness that can be done with it, how gadgets are made, how they are
distributed and, more importantly, their weaknesses. Gadgets are comprised
of JS, CSS and HTML and are applications that the Windows operating
system has embedded by default. As a result there are a number of
interesting attack vectors that are interesting to explore and take
advantage of.

We will be talking about our research into creating malicious gadgets,
misappropriating legitimate gadgets and the sorts of flaws we have found
in published gadgets. "


MowGreen
================
*-343-* FDNY
Never Forgotten
================


 
John Williamson
      07-20-2012
MowGreen wrote:
> Microsoft Security Advisory (2719662)
> Vulnerabilities in Gadgets Could Allow Remote Code Execution
> https://technet.microsoft.com/en-us/...visory/2719662
>
> " Microsoft is announcing the availability of an automated Microsoft Fix
> it solution that disables the Windows Sidebar and Gadgets on supported
> editions of Windows Vista and Windows 7. Disabling the Windows Sidebar
> and Gadgets can help protect customers from vulnerabilities that involve
> the execution of arbitrary code by the Windows Sidebar when running
> insecure Gadgets. In addition, Gadgets installed from untrusted sources
> can harm your computer and can access your computer's files, show you
> objectionable content, or change their behavior at any time.


Going back to XP's looking like a better idea all the time.


--
Tciao for Now!

John.
 
John Williamson
      07-20-2012
Alias wrote:
> On 7/20/2012 5:55 PM, MowGreen wrote:
>> Microsoft Security Advisory (2719662)
>> Vulnerabilities in Gadgets Could Allow Remote Code Execution
>> https://technet.microsoft.com/en-us/...visory/2719662
>>

>
> I assume that doesn't apply to Microsoft gadgets such as the weather,
> clock, etc but only applies to third party gadgets.
>

Bet on that? With Microsoft's record? ;-)

--
Tciao for Now!

John.
 
Char Jackson
      07-20-2012
On Fri, 20 Jul 2012 18:21:29 +0200, Alias
<> wrote:

>On 7/20/2012 5:55 PM, MowGreen wrote:
>> Microsoft Security Advisory (2719662)
>> Vulnerabilities in Gadgets Could Allow Remote Code Execution
>> https://technet.microsoft.com/en-us/...visory/2719662

<snip>
>>
>> Recommendation. Customers who are concerned about vulnerable or
>> malicious Gadgets should apply the automated Fix It solution as soon as
>> possible. For more information, see the Suggested Actions section of
>> this advisory. "
>>

<snip>
>>
>> Kill those Vista and Win7 gadgets now!
>> http://windowssecrets.com/top-story/...7-gadgets-now/
>>

>
>I assume that doesn't apply to Microsoft gadgets such as the weather,
>clock, etc but only applies to third party gadgets.


My assumption is that the warning applies to the entire gadget
platform, including the Microsoft aspects. Stand by for further
clarification, I guess.

--

Char Jackson
 
Char Jackson
      07-20-2012
On Fri, 20 Jul 2012 17:04:29 +0100, John Williamson
<> wrote:

>MowGreen wrote:
>> Microsoft Security Advisory (2719662)
>> Vulnerabilities in Gadgets Could Allow Remote Code Execution
>> https://technet.microsoft.com/en-us/...visory/2719662
>>
>> " Microsoft is announcing the availability of an automated Microsoft Fix
>> it solution that disables the Windows Sidebar and Gadgets on supported
>> editions of Windows Vista and Windows 7. Disabling the Windows Sidebar
>> and Gadgets can help protect customers from vulnerabilities that involve
>> the execution of arbitrary code by the Windows Sidebar when running
>> insecure Gadgets. In addition, Gadgets installed from untrusted sources
>> can harm your computer and can access your computer's files, show you
>> objectionable content, or change their behavior at any time.

>
>Going back to XP's looking like a better idea all the time.


As each day passes, going back to XP looks like a worse idea to me. XP
is fading into the sunset, and I'm not big enough or strong enough to
prevent that.

--

Char Jackson
 
Paul
      07-20-2012
Alias wrote:
> On 7/20/2012 5:55 PM, MowGreen wrote:
>> Microsoft Security Advisory (2719662)
>> Vulnerabilities in Gadgets Could Allow Remote Code Execution
>> https://technet.microsoft.com/en-us/...visory/2719662
>>
>> " Microsoft is announcing the availability of an automated Microsoft Fix
>> it solution that disables the Windows Sidebar and Gadgets on supported
>> editions of Windows Vista and Windows 7. Disabling the Windows Sidebar
>> and Gadgets can help protect customers from vulnerabilities that involve
>> the execution of arbitrary code by the Windows Sidebar when running
>> insecure Gadgets. In addition, Gadgets installed from untrusted sources
>> can harm your computer and can access your computer's files, show you
>> objectionable content, or change their behavior at any time.
>>
>> An attacker who successfully exploited a Gadget vulnerability could run
>> arbitrary code in the context of the current user. If the current user
>> is logged on with administrative user rights, an attacker could take
>> complete control of the affected system. An attacker could then install
>> programs; view, change, or delete data; or create new accounts with full
>> user rights. Users whose accounts are configured to have fewer user
>> rights on the system could be less impacted than users who operate with
>> administrative user rights.
>>
>> Applying the automated Microsoft Fix It solution described in Microsoft
>> Knowledge Base Article 2719662
>> ( http://support.microsoft.com/kb/2719662 )
>> disables the Windows Sidebar experience and all Gadget functionality.
>>
>> Recommendation. Customers who are concerned about vulnerable or
>> malicious Gadgets should apply the automated Fix It solution as soon as
>> possible. For more information, see the Suggested Actions section of
>> this advisory. "
>>
>>
>> Kill those Vista and Win7 gadgets now!
>> http://windowssecrets.com/top-story/...7-gadgets-now/
>>
>>
>> The presentation on the sidebar and gadgets vulnerability (ies) takes
>> place @Black Hat by Mickey Shkatov and Toby Kohlenberg next Thursday,
>> July 26th. As yet, thankfully, few details have been released other than
>>
>> " We will be talking about the windows gadget platform and what the
>> nastiness that can be done with it, how gadgets are made, how they are
>> distributed and, more importantly, their weaknesses. Gadgets are comprised
>> of JS, CSS and HTML and are applications that the Windows operating
>> system has embedded by default. As a result there are a number of
>> interesting attack vectors that are interesting to explore and take
>> advantage of.
>>
>> We will be talking about our research into creating malicious gadgets,
>> misappropriating legitimate gadgets and the sorts of flaws we have found
>> in published gadgets. "
>>
>>
>> MowGreen
>> ================
>> *-343-* FDNY
>> Never Forgotten
>> ================
>>
>>

>
> I assume that doesn't apply to Microsoft gadgets such as the weather,
> clock, etc but only applies to third party gadgets.
>


It sounds like they're turning off the subsystem, so that no JS, CSS or HTML
wrapped as a gadget gets to launch. And that means all the gadgets stop working,
because they can no longer launch after the Fixit is applied.

Well, I guess that's a few less square yards of attack surface. I'm feeling
more secure already.

Paul
 
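Both the advisory's wording ("disables the Windows Sidebar experience and all Gadget functionality") and Paul's reading of it (the whole subsystem is switched off, not individual gadgets) can be checked from an elevated PowerShell prompt. The script below is an added example, not code from the advisory, from KB 2719662 or from anyone in this thread: it inventories the installed gadget folders, then sets the same "Turn off Windows Sidebar" policy value that Group Policy uses and verifies it. The directory locations, the registry key and value name, and the gadget.xml manifest fields are assumptions drawn from the Sidebar policy templates and the gadget package format, not from this page; the Fix It package itself is not reproduced.

```powershell
# Added example; not code from the advisory, KB 2719662 or this thread.
# Assumptions (taken from the Sidebar Group Policy templates and gadget format, not from the page):
#   * gadgets shipped with Windows live under "$env:ProgramFiles\Windows Sidebar\Gadgets"
#   * per-machine third-party gadgets under "$env:ProgramFiles\Windows Sidebar\Shared Gadgets"
#   * per-user gadgets under "$env:LOCALAPPDATA\Microsoft\Windows Sidebar\Gadgets"
#   * the policy "Turn off Windows Sidebar" is the DWORD TurnOffSidebar = 1 under
#     HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar
# Written for the PowerShell 2.0 that ships with Windows 7; run it elevated.

$GadgetRoots = @(
    (Join-Path $env:ProgramFiles 'Windows Sidebar\Gadgets'),
    (Join-Path $env:ProgramFiles 'Windows Sidebar\Shared Gadgets'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Sidebar\Gadgets')
)
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'

function Get-InstalledGadget {
    # An installed gadget is a folder named <something>.gadget holding a gadget.xml
    # manifest; the manifest names the HTML entry page and the permission level the
    # gadget runs with (assumed manifest layout: gadget/hosts/host/base@src and
    # gadget/hosts/host/permissions).
    foreach ($root in $GadgetRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root |
            Where-Object { $_.PSIsContainer -and $_.Name -like '*.gadget' } |
            ForEach-Object {
                $manifest = Join-Path $_.FullName 'gadget.xml'
                $name = $_.Name; $author = ''; $entry = ''; $perms = ''
                if (Test-Path $manifest) {
                    [xml]$x = Get-Content -Path $manifest
                    $name   = $x.gadget.name
                    $author = $x.gadget.author.name
                    $entry  = $x.gadget.hosts.host.base.src
                    $perms  = $x.gadget.hosts.host.permissions
                }
                New-Object PSObject -Property @{
                    Name        = $name
                    Author      = $author
                    Entry       = $entry
                    Permissions = $perms
                    BuiltIn     = ($_.FullName -like ($GadgetRoots[0] + '\*'))
                    Path        = $_.FullName
                }
            }
    }
}

function Disable-Sidebar {
    # Same switch the "Turn off Windows Sidebar" policy flips: with it set, sidebar.exe
    # does not run, so every gadget (Microsoft's own included) stops loading.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'TurnOffSidebar' -PropertyType DWord -Value 1 -Force | Out-Null
    # Stop the running instance so the change takes effect without waiting for a logoff.
    Get-Process -Name 'sidebar' -ErrorAction SilentlyContinue | Stop-Process -Force
}

function Test-SidebarDisabled {
    $p = Get-ItemProperty -Path $PolicyKey -Name 'TurnOffSidebar' -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.TurnOffSidebar -eq 1)
}

# Take an inventory first (a record of what the change removes), then disable and verify.
Get-InstalledGadget | Format-Table Name, Author, BuiltIn, Permissions, Entry -AutoSize
Disable-Sidebar
if (Test-SidebarDisabled) {
    'Sidebar is off by policy; no gadget will load until TurnOffSidebar is removed.'
} else {
    'Policy value not set; check that the prompt is elevated.'
}
```

Because the policy stops sidebar.exe itself rather than any one gadget, the built-in clock and weather gadgets go away along with third-party ones, which is the point Paul makes above. To reverse it, delete the TurnOffSidebar value from the same key and start the Sidebar again.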
(PeteCresswell)
      07-20-2012
Per Char Jackson:
>As each day passes, going back to XP looks like a worse idea to me. XP
>is fading into the sunset, and I'm not big enough or strong enough to
>prevent that.


If Char says it, that gets my attention.

I was flirting with conversion to 7 quite a few months ago, but
never followed through.

Is anybody currently subscribing to MSDN?

I've been through a couple of subscriptions, but that was way
back when they shipped a bunch of DVDs.

A major selling point with me was the 10-or-so XP licenses that
came with the subscription. I use almost all of them on my
various PCs.

Do they offer the same deal for Windows 7 with the new
download-based MSDN subscriptions?

If so, do those and whatever other licenses persist after the
annual subscription has expired? Or do they go "Poof!" and the
user is locked into subscribing every year from then on?
--
Pete Cresswell
 
Dave "Crash" Dummy
      07-20-2012
John Williamson wrote:
> MowGreen wrote:
>> Microsoft Security Advisory (2719662) Vulnerabilities in Gadgets
>> Could Allow Remote Code Execution
>> https://technet.microsoft.com/en-us/...visory/2719662
>>
>> " Microsoft is announcing the availability of an automated
>> Microsoft Fix it solution that disables the Windows Sidebar and
>> Gadgets on supported editions of Windows Vista and Windows 7.
>> Disabling the Windows Sidebar and Gadgets can help protect
>> customers from vulnerabilities that involve the execution of
>> arbitrary code by the Windows Sidebar when running insecure
>> Gadgets. In addition, Gadgets installed from untrusted sources can
>> harm your computer and can access your computer's files, show you
>> objectionable content, or change their behavior at any time.

>
> Going back to XP's looking like a better idea all the time.


Going back to XP won't stop you from installing malware. The
vulnerability is to user-installed, third-party gadgets, not MS gadgets.
Neither XP nor Windows 7 is immune to idiots.
--
Crash

"The real question is not whether machines think but whether men do."
~ B. F. Skinner ~
 
Char Jackson
      07-20-2012
On Fri, 20 Jul 2012 14:41:38 -0400, "(PeteCresswell)" <>
wrote:

>Per Char Jackson:
>>As each day passes, going back to XP looks like a worse idea to me. XP
>>is fading into the sunset, and I'm not big enough or strong enough to
>>prevent that.

>
>If Char says it, that gets my attention.


Big mistake. No one listens to me. Not even me.

>I was flirting with conversion to 7 quite a few months ago, but
>never followed through.
>
>Is anybody currently subscribing to MSDN?


I'm aware of it but never subscribed. I hope someone answers your
questions because I'm interested, as well.

>I've been through a couple of subscriptions, but that was way
>back when they shipped a bunch of DVDs.
>
>A major selling point with me was the 10-or-so XP licenses that
>came with the subscription. I use almost all of them on my
>various PCs.
>
>Do they offer the same deal for Windows 7 with the new
>download-based MSDN subscriptions?
>
>If so, do those and whatever other licenses persist after the
>annual subscription has expired? Or do they go "Poof!" and the
>user is locked into subscribing every year from then on?


--

Char Jackson
 
Char Jackson
      07-20-2012
On Fri, 20 Jul 2012 14:54:52 -0400, "Dave \"Crash\" Dummy"
<> wrote:

>John Williamson wrote:
>> MowGreen wrote:
>>> Microsoft Security Advisory (2719662) Vulnerabilities in Gadgets
>>> Could Allow Remote Code Execution
>>> https://technet.microsoft.com/en-us/...visory/2719662
>>>
>>> " Microsoft is announcing the availability of an automated
>>> Microsoft Fix it solution that disables the Windows Sidebar and
>>> Gadgets on supported editions of Windows Vista and Windows 7.
>>> Disabling the Windows Sidebar and Gadgets can help protect
>>> customers from vulnerabilities that involve the execution of
>>> arbitrary code by the Windows Sidebar when running insecure
>>> Gadgets. In addition, Gadgets installed from untrusted sources can
>>> harm your computer and can access your computer's files, show you
>>> objectionable content, or change their behavior at any time.

>>
>> Going back to XP's looking like a better idea all the time.

>
>Going back to XP won't stop you from installing malware. The
>vulnerability is to user installed, third party gadgets, not MS gadgets.
>Neither XP nor Windows 7 are immune to idiots.


I mostly skimmed the article, but it sounded to me like the MS gadgets
were equally (or primarily, even) the subject of concern.

--

Char Jackson
 