Brucon: The rise and fall of desktop gadgets

News by Dan Raywood

The use of desktop gadgets has fallen due to vulnerabilities and the ability to attack them.

Speaking at the Brucon conference in Ghent, security researcher Mickey Shkatov said that discussions had taken place on gadgets since 2007 and "nothing has been done until now".

Shkatov said that the feature, previously called the Sidebar on Vista, had no flexibility to be moved until Windows 7, but there were no improvements in security. Its use is now in decline and it is being removed from Windows 8 altogether.

He said that typically there are 50-60 gadgets on a page such as calendars, RSS readers and the piano gadget, and their use was in decline, but there was a rise in iOS apps and he had seen one Silverlight-based gadget.

In terms of development, Shkatov said that he "took his hat off to Microsoft", as if you read its documentation it covers everything on what to do and what not to do, yet he claimed that no one follows it.

He said: “Gadgets are very similar to HTML, if they are installed you can use it and run it and you will not know anything about it. If you manually decompress them they will be installed and since Microsoft retired the gallery, there are corporations who have their own gadget store interface with internal gadgets.”

Looking at attacking with gadgets and attacking the gadgets, he said that the former was the easy part as you can add malicious code and send it to a victim who is none the wiser. “It is not perceived to be dangerous as it is only JavaScript and anti-virus will not look at it,” he said.

“Also you can open URLs as gadgets share the same cache as the user ID. You can also create files with whatever you want as the default location for writing files is the user's desktop. You don't have to be a genius to weaponise gadgets.”

In attacking gadgets, Shkatov said that a Google search for gadgets will return a lot of malicious links with executable files, especially as many sites claim to be gadget sites. “We have poor security practices and easy targets, a lot pull down JavaScript files to update themselves. You can intercept with a proxy and do whatever you want,” he said.

In terms of what to do about it, especially if anti-virus will not pick up on malicious code embedded in a gadget, Shkatov said that three CVEs were released in 2007 and a fix-it will remove the gadget altogether, but more work needed to be done by developers to write applications properly and force them to use SSL.
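A defender-side audit for the update pattern Shkatov describes, as an added example that is not from the talk or from Microsoft: it assumes a gadget package is a ZIP archive of HTML and JavaScript files, and lists every script loaded from a remote URL and every plaintext http:// reference. The sample package, its file names and its URLs are constructed for illustration.

```python
import io
import re
import zipfile

# File types inside a gadget package that can carry or load script.
SCRIPT_BEARING = (".html", ".htm", ".js")
# Any absolute URL that uses plaintext HTTP (open to interception by a proxy).
PLAINTEXT_URL = re.compile(r"http://[^\s\"'<>)]+", re.IGNORECASE)
# <script src=...> tags that load code from an absolute remote URL.
REMOTE_SCRIPT = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(https?://[^\s\"'>]+)", re.IGNORECASE)


def audit_gadget(package_bytes):
    """Return sorted (member, issue, url) tuples for one gadget archive."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as archive:
        for member in archive.namelist():
            if not member.lower().endswith(SCRIPT_BEARING):
                continue
            text = archive.read(member).decode("utf-8", errors="replace")
            for url in REMOTE_SCRIPT.findall(text):
                findings.add((member, "remote-script", url))
            for url in PLAINTEXT_URL.findall(text):
                findings.add((member, "plaintext-http", url))
    return sorted(findings)


def build_sample_gadget():
    """Constructed sample package; names and URLs are illustrative only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("gadget.xml", "<gadget><name>Sample</name></gadget>")
        archive.writestr(
            "main.html",
            '<script src="http://updates.example.test/core.js"></script>\n'
            '<script src="js/local.js"></script>\n'
            '<script src="https://cdn.example.test/lib.js"></script>\n')
        archive.writestr(
            "js/local.js",
            'var feed = "http://feeds.example.test/rss";\n'
            'var api = "https://api.example.test/v1";\n')
    return buf.getvalue()


if __name__ == "__main__":
    for member, issue, url in audit_gadget(build_sample_gadget()):
        print(f"{member}: {issue}: {url}")
```

A script that is both remote and fetched over plaintext HTTP appears under both issues, which makes it the first item to review or block.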

He pointed to advisory 2719662 from mid-July this year that disables the Windows Sidebar and gadgets on supported editions of Windows Vista and Windows 7. This was done because of a remote code execution vulnerability in gadgets.

Shkatov said that he had reported his findings to Microsoft and he said they 'relaxed' the gadgets, but he did not expect them to drop the feature altogether. “Clicking on the fix-it will remove it, I suggest you do so,” he said. 