Security Risk: Check your Desktop Gadgets NOW - Win 7

General discussion and chat (archived)

Moderator: satrow

Blacklab
Astronaut
Astronaut
Posts: 734
Joined: 2012-06-08, 12:14
Location: Scotland UK

Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by Blacklab » 2012-07-20, 12:33

EDIT by Moderator (Lobocursor): Please don't write "Bang" headlines because this post was about to removed as spam by mistake. Subject edited. :think:

***

The latest Windows Secrets newsletter lead article is "Kill those Vista and Win 7 Gadgets now!" (http://windowssecrets.com/top-story/kill-those-vista-and-win7-gadgets-now/) and a quick search will find are more on the subject from MS and others. The much reduced MS Gadget Store is already gone.

I am quite fond of the old MS Calendar Gadget and occasionally use a Sticky Note. (I am aware of the RAM draining effect of some of the more complex OS monitoring Gadgets and do not use them.) It seems the MS solution is a Fix-It that removes sidebar.exe entirely - which seems a rather brutal "fix" given that Desktop Gadgets were once a MS selling point for Vista and Win 7.

Any thoughts on the real risks involved from the more technically aware members would be welcome.

EDIT: Thanks Lobocursor - will avoid exclams! in titles :shifty: Sadly not spam - I wish it was - looks like Gadgets are going, going, gone..... :(

stravinsky

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by stravinsky » 2012-07-21, 13:15

one speculation is to make users get used to a gadget less UI in preparation for METRO ui in win8.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 23648
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by Moonchild » 2012-07-21, 21:28

I'm glad I have the gadgets I need installed already then :P
Specifically "AllCPUmeter" is one I use a lot, and it's free (donationware). I guess you will have to find a different central gadget repository site if MS is taking it down. I don't really understand why, though. I don't use the sidebar, and the widgets I use are third-party (and I don't use anything odd that connects to the 'net or anything) so if it's in the widgets supplied by MS or in the Sidebar, it wouldn't influence you.

For now, also, there's a scare post but no details -- i wish they wouldn't do that as you can't make a proper decision based on rumor or guesswork:
"At this time, it’s not clear whether the vulnerability is within the gadgets themselves or is associated with the Sidebar. (In Windows 7, you can run gadgets with or without the Sidebar.) MS Security Advisory 2719662 suggests both. I suppose we’ll find out next Thursday, but for now I think you need to kiss those clocks and stock tickers good-bye."
Please post more details when you have them.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
"I'm afraid you have me mistaken for someone who can be shamed by a child." -- Quillspawn

lyceus
Moon Magic practitioner
Moon Magic practitioner
Posts: 2210
Joined: 2011-09-13, 23:08

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by lyceus » 2012-07-22, 02:20

Thanks God I don't use any gadget after I removed Windows Vista and "updated" to Windows 7. I'm happy with gadget-less Windows XP :D

stravinsky

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by stravinsky » 2012-07-22, 04:08

something like the CPU-RAM meter is definitely handy.

User avatar
Rohugh
Keeps coming back
Keeps coming back
Posts: 781
Joined: 2012-05-01, 22:56
Location: Spain
Contact:

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by Rohugh » 2012-07-22, 10:17

I have never used gadgets although I did have a short time when I was using Rainmeter. So far as RAM, CPU etc etc is concerned a click on the taskbar to bring up ""Start Task Manager" is all that is needed.
Gaming:- Win 10 X64 2TB HD : 128GB SSD/16GB RAM · Pale Moon 26.1.1 (X64)
Desktop:- Win 10 X64 500GB HD/1TB External HD/8GB RAM · Pale Moon 26.1.1 (X86)
Laptop:- Win 10 X64 1TB HD/4GB RAM · Pale Moon 26.1.1

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 23648
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by Moonchild » 2012-07-22, 11:11

Rohugh wrote:I have never used gadgets although I did have a short time when I was using Rainmeter. So far as RAM, CPU etc etc is concerned a click on the taskbar to bring up ""Start Task Manager" is all that is needed.
It depends a little on your needs. I keep it as a peripheral status indicator for my overall system status. I don't want to have to actively call it up with task manager while doing other things.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
"I'm afraid you have me mistaken for someone who can be shamed by a child." -- Quillspawn

dark_moon

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by dark_moon » 2012-07-22, 11:35

The best tool for system monitoring is process explorer from microsoft.

You can see the overall system status (ram, cpu, disk i/o status) and the status from every process too. And you can easy replace taskmanager with this tool in one click.
And process explorer can show the status in the systemtray if need.

If you dont like this, check this tools out:
http://anonymous-thing.deviantart.com/a ... -200169785
http://superbarmonitor.de/wp/
http://www.nirmaltv.com/2009/10/29/spic ... ar-meters/

weather:
http://weatherbar.codeplex.com/
http://weather.weatherbug.com/

rss:
http://www.neowin.net/forum/topic/81947 ... skbar-rss/

internet traffic: http://www.floriangilles.de/software/netspeedmonitor/
(I use this- very nice !)

And btw: Vulnerabilities in Gadgets Could Allow Remote Code Execution

Blacklab
Astronaut
Astronaut
Posts: 734
Joined: 2012-06-08, 12:14
Location: Scotland UK

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by Blacklab » 2012-07-22, 12:16

Thanks dark_moon - some interesting apps to try. Agree SysInternals Tools are excellent. (I find Autoruns especially useful:http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) Process Explorer/Monitor are amazing tools but pretty damn complex for those of us who aren't computer engineers! So I particularly enjoyed this blog post from Mark Russinovich describing how he used his own software tools to fix his mother's computer: http://blogs.technet.com/b/markrussinovich/archive/2012/01/05/3473797.aspx. It's worth reading just for the bit where he ponders ringing MS Support! It's also great to see that even the expert has trouble getting the Crapware off a new PC - paying extra for Microsoft Signature seems lke the tail wagging the dog to me!

I suppose we shall just have to wait until Thursday (26 July) for the Black Hat presentation to find out exactly why MS is ditching Gadgets/sidebar.exe so suddenly (https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Shkatov)
Last edited by Blacklab on 2012-07-22, 13:02, edited 1 time in total.

dark_moon

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by dark_moon » 2012-07-22, 12:39

Yes the Sysinternals Tools are very great ant Mark Russinovich is awesome.

You only need Process Explorer, Process Monitor and Autoruns. With this 3 tools you can solve every windows problem. F**king awesome

Blacklab
Astronaut
Astronaut
Posts: 734
Joined: 2012-06-08, 12:14
Location: Scotland UK

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by Blacklab » 2012-07-31, 19:01

The Black Hat 2012 Briefing "We have you by the Gadgets" was on Thur 26th July and you might have expected a flurry of specialist press interest.....but regular searches have drawn a blank. (The Black Hat site states that they do not release the presentation transcripts for two weeks and then only at authors request.) So this piece by Woody Leonhard is the first I have seen anywhere. He sums up Shaktov and Kohlenbergs' briefing as follows:
All of that leads to three recommendations:

If you use Gadgets, only use Gadgets from trusted sources.
If you develop Gadgets, get out of the business and move on to Metro.
If you don't use Gadgets, use Microsoft's FixIt to make it impossible to accidentally install one.

Although other people have come to different conclusions, to me the takeaway is pretty simple: If you stick with the Gadgets that Microsoft developed years ago -- the analog clock, CPU meter, currency converter, and weather Gadgets for example -- you're fine. But if you're using Gadgets from a third party, you're taking a gamble.
The full article is at: http://www.infoworld.com/t/microsoft-windows/time-kill-most-windows-gadgets-199028?page=0,0

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 23648
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by Moonchild » 2012-08-01, 10:49

Blacklab wrote:Although other people have come to different conclusions, to me the takeaway is pretty simple: If you stick with the Gadgets that Microsoft developed years ago -- the analog clock, CPU meter, currency converter, and weather Gadgets for example -- you're fine. But if you're using Gadgets from a third party, you're taking a gamble.
Which is pretty much what I've been saying :)

So "disable your gadgets NOW" (and showing the Microsoft ones) has been a lot of fear talk with no substance unless you are actually using gadgets that are in themselves already dodgy.

I take from this the following:
  1. If you use gadgets that don't connect to the internet, you should be safe (resource monitors, calendars, etc.)
  2. If you use gadgets you have already used for a long time, you're probably safe too - but keep an eye on whether the company that developed the gadgets is still in business if it uses on-line data, to prevent possible hijacking.
  3. The "security risk" is just as great with gadgets as it is with any other application that is installed and has web access by default. Note that this also especially applies to any and all Metro applications and Web Apps you may place on your desktop since they, like gadgets, will use a web browser back-end (with internet access) to run. Metro, after all, is a structured way to run apps inside IE with an HTML front-end.
  4. "Get out of the business making gadgets and move to Metro" as a conclusion makes this the biggest BS ever to try and push people towards Win 8 since it's exclusive to Win 8. Smart marketing move to create panic for the old way of doing things.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
"I'm afraid you have me mistaken for someone who can be shamed by a child." -- Quillspawn

stravinsky

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by stravinsky » 2012-08-01, 12:13

Smart marketing move to create panic for the old way of doing things.
Steve Ballmer has been a good salesman since forever.

Blacklab
Astronaut
Astronaut
Posts: 734
Joined: 2012-06-08, 12:14
Location: Scotland UK

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by Blacklab » 2012-08-04, 20:40

The Black Hat 2012 archive is now live and the "We have you by the Gadgets" briefing by Mickey Shakatov and Toby Kohlenberg has an 8 page "White Paper" script download (192KB) and it's accompanying 31 slides in the "Presentation" file (544KB) - both available at: https://www.blackhat.com/html/bh-us-12/bh-us-12-archives.html#Shkatov

IMHO both pretty light on detail given the level of "panic" induced - therefore assume these were "speaking notes" rather than a proper research paper published to back-up the briefing.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 23648
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by Moonchild » 2012-08-04, 23:59

stravinsky wrote:Steve Ballmer has been a good salesman since forever.
I wouldn't call this strategy "good", just "very aggressive". A good sales strategy would be one that wasn't so obviously transparent.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
"I'm afraid you have me mistaken for someone who can be shamed by a child." -- Quillspawn

stravinsky

Re: Security Risk: Check your Desktop Gadgets NOW - Win 7

Unread post by stravinsky » 2012-08-05, 04:27

Moonchild wrote: I wouldn't call this strategy "good", just "very aggressive". A good sales strategy would be one that wasn't so obviously transparent.
its so bad its almost good ;)

Locked