Gadgets are little snippets of HTML code that work with few rules and no security sandboxing. That's an open invitation to malicious hackers looking for unguarded entries into Windows.
Although the vulnerability in gadgets has existed for years, two security researchers are shedding some new light on the threat. At next week's annual hacker gathering in Las Vegas — Black Hat USA 2012 (more info) — Mickey Shkatov and Toby Kohlenberg will deliver their presentation, "We have you by the gadgets."
Much to their credit, Shkatov and Kohlenberg have been in talks with Microsoft, apparently divulging some of their findings. (The point of Black Hat is to reveal detailed information on how new security exploits work, thus pushing software developers into rapidly patching their code.) I can imagine the security folks at Microsoft saying, "These guys have us nailed." (Some of the MSRC folks might have said something considerably less printable.) The result is MS Security Advisory 2719662, which states, "Customers who are concerned about vulnerable or malicious gadgets should apply the automated Fix It solution as soon as possible"
Full Story
Microsoft invented a poison pill, disguised as a fixit in MS Support article 2719962. You’ll find two Fix it buttons halfway down the page: one to disable the Sidebar and gadgets, and another to enable them (which might be useful if Microsoft provides an actual patch for the vulnerability).
Direct link to the fix in the full story.
Similar Threads
