Security Advisory

Microsoft Security Advisory 2719662

Vulnerabilities in Gadgets Could Allow Remote Code Execution

Published: July 10, 2012 | Updated: July 03, 2013

Version: 1.1

General Information

Executive Summary

Microsoft is announcing the availability of an automated Microsoft Fix it solution that disables Windows Sidebar and Gadgets on supported editions of Windows Vista and Windows 7. Disabling Windows Sidebar and Gadgets can help protect customers from potential attacks that leverage Gadgets to execute arbitrary code.

Customers should consider the following ways that an attacker could leverage Gadgets to execute arbitrary code:

  • Microsoft is aware that some legitimate Gadgets running in Windows Sidebar could contain vulnerabilities. An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system.
  • An attacker could create a malicious Gadget and then trick a user into installing the malicious Gadget. Once installed, the malicious Gadget could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system.

In addition, Gadgets can access your computer's files, show you objectionable content, or change their behavior at any time. Gadgets could also potentially harm your computer.

Applying the automated Microsoft Fix it solution described in Microsoft Knowledge Base Article 2719662 disables the Windows Sidebar experience and all Gadget functionality.

Recommendation. Customers who are concerned about vulnerable or malicious Gadgets should apply the automated Microsoft Fix it solution as soon as possible. For more information, see the Suggested Actions section of this advisory.

Advisory Details

Issue References

For more information about this issue, see the following references:

References Identification
Microsoft Knowledge Base Article 2719662 

Affected Software

This advisory discusses the following software.

Affected Software
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1

 

Non-Affected Software
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Frequently Asked Questions

What is the scope of the advisory?
The purpose of this advisory is to notify customers that Microsoft is aware of vulnerabilities in Gadgets affecting Windows Sidebar on supported versions of Windows Vista and Windows 7.

What caused the issue?
The issue is caused when Gadgets running in Windows Sidebar contain vulnerabilities that can be leveraged by an attacker.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited a Gadget vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability?
An attacker would have to convince a user to install and enable a vulnerable Gadget.

Suggested Actions

Apply Workarounds

Workarounds refer to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available. See the next section, Workarounds, for more information.

Workarounds

Apply the Microsoft Fix it solution that blocks the attack vector for this vulnerability

See Microsoft Knowledge Base Article 2719662 for instructions on applying an automated Microsoft Fix it solution that blocks the attack vector by disabling Windows Sidebar and Gadgets. We recommend that administrators review the article closely prior to deploying this Fix it solution.

Note This Fix it solution does not apply to Windows 8 Consumer Preview or Windows 8 Release Preview.

Disable Sidebar in Group Policy

To disable Sidebar in Group Policy, follow these steps:

  1. Click Start, click Run, type “gpedit.msc”, and then click Continue.
  2. Under Local Computer Policy\Computer Configuration double click Administrative Templates, double click Windows Components, and then double click Windows Sidebar.
  3. Change the value of the Turn off Windows Sidebar setting to Enabled:
  4. Right click on Turn off Windows Sidebar.
  5. Select Properties from the menu.
  6. Select the Enabled radio button.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

Impact of Workaround: Sidebar is disabled.

Disable the Sidebar in the system registry

Disabling Sidebar by creating a new registry key helps protect the affected system from attempts to exploit this vulnerability. To create a new Sidebar registry key, follow these steps:

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note: We recommend backing up the registry before you edit it.

  1. Click Start, click Run, type “regedit” (without the quotation marks), and then click Continue.
  2. Expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Windows, expand CurrentVersion, and then expand Policies.
  3. Right click on Policies, select New, select Key, and then type Windows as the file name.
  4. Right click on Windows, select New, select Key, and then type Sidebar as the file name.
  5. Right click on Sidebar, select New, select DWORD (32-bit) Value, and the type TurnOffSidebar as the Name.
  6. Right click on TurnOffSidebar, and then change Value data: to 1.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

Impact of Workaround: Sidebar is disabled.

Additional Suggested Actions

  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

    For more information about staying safe on the Internet, visit Microsoft Security Central.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Other Information

Acknowledgements

Microsoft thanks the following for working with us to help protect customers:

  • Mickey Shkatov and Toby Kohlenberg for working with us on Gadget vulnerabilities.

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

Support

  • Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
  • Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (July 10, 2012): Advisory published.
  • V1.1 (July 3, 2013): Clarified that disabling Windows Sidebar and Gadgets can help protect customers from potential attacks that leverage Gadgets to execute arbitrary code. This is an informational change only.

Built at 2014-04-18T13:49:36Z-07:00