Microsoft Sidebar a Serious Security Vulnerability

July 17, 2012


Microsoft has released a security advisory detailing vulnerabilities in the Windows Sidebar that could be a gateway for remote arbitrary code execution when insecure Gadgets are run. The Sidebar is an application on computers running Vista and some versions of Windows 7; it can show real-time updates of news, weather, RSS feeds and more, but also includes games, puzzles and even dashboards showing how your computer is running, all depending on which widget you download or purchase to customize the Sidebar. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system: programs could be installed; data viewed, changed, or deleted; and new accounts created with full user rights.

Microsoft, in response, has issued a quick fix that deactivates the Sidebar and has removed the "Desktop Gadgets" application. According to the old gadgets page, "gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time".

Microsoft has been in the spotlight a lot recently for ignoring best security practices and leaving a lot of vulnerabilities. The most notable of these is the Flame malware. Attackers exploited the Message-Digest Algorithm 5 (MD5) hash that Microsoft was using (proven vulnerable since at least 1996 and now obsolete) to forge Microsoft certificates and plant the malware as security updates. Quite a large security oversight.

If you have a Windows Sidebar, please visit this page and click on the relevant "Fix it" link. If you have had any security issues due to your Sidebar or Gadgets, or have anything else to add, then please post a comment.
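To confirm that the Sidebar has actually been switched off after applying the fix, the following PowerShell check is an added example (not part of the original post or of Microsoft's Fix it). It assumes, as with the matching Group Policy setting, that the fix disables the Sidebar by setting the TurnOffSidebar value under the Policies\Windows\Sidebar registry key; the two gadget-related policy values are read as well.

```powershell
# Added example: report whether the Sidebar/Gadget mitigation is enforced on this host.
# Assumption: the Fix it sets TurnOffSidebar = 1 under ...\Policies\Windows\Sidebar
# (the same value written by the "Turn off Windows Sidebar" Group Policy).
# Run from an elevated PowerShell prompt on Vista / Windows 7.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
)
$policyNames = 'TurnOffSidebar', 'TurnOffUnsignedGadgets', 'TurnOffUserInstalledGadgets'

function Get-SidebarPolicyState {
    # One row per hive/policy pair; Value is $null when the policy is not set.
    foreach ($path in $policyPaths) {
        foreach ($name in $policyNames) {
            $value = $null
            if (Test-Path $path) {
                $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Hive     = $path.Split(':')[0]
                Policy   = $name
                Value    = $value
                Enforced = ($value -eq 1)
            }
        }
    }
}

function Test-SidebarDisabled {
    # Mitigated only if the machine or user policy turns the Sidebar off
    # AND no sidebar.exe process is still running (a live process means the
    # policy has not taken effect yet, e.g. before the next logon).
    $state      = Get-SidebarPolicyState
    $policyOff  = [bool]($state | Where-Object { $_.Policy -eq 'TurnOffSidebar' -and $_.Enforced })
    $running    = [bool](Get-Process -Name sidebar -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        PolicyEnforced = $policyOff
        SidebarRunning = $running
        Mitigated      = $policyOff -and (-not $running)
    }
}

Get-SidebarPolicyState | Format-Table -AutoSize
Test-SidebarDisabled
```

If `Mitigated` is False while `PolicyEnforced` is True, log off and back on so the policy is applied to the running session before re-checking.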


You are currently reading Microsoft Sidebar a Serious Security Vulnerability at Online Security News.
