One of the whiz-bang features of Windows Vista is the Sidebar. It is a vertical bar on the side of the display that can contain a variety of tools and applets. You can configure it to only show on the actual Windows Desktop or to always be displayed alongside the applications you are running. You can include a clock, your local weather, a notepad, your RSS feeds, photos, a calendar and more. There are currently more than 1,300 Sidebar Gadgets available on the Windows Live Gallery. Only about six Sidebar Gadgets fit on one screen, but the Vista Sidebar lets you flip through multiple pages if you exceed the original Sidebar real estate.
The Sidebar Gadgets are just little HTML- or XML-enabled applets. Part of the nature of applets such as these is that they are developed by a variety of organizations and individuals. Some are well-written and professionally done; others are rudimentary and rough around the edges.
Earlier this year Microsoft addressed issues with Vista Sidebar Gadgets, which could have been exploited to execute remote code on vulnerable systems. Security Bulletin MS07-048 (www.microsoft.com/technet/security/bulletin/MS07-048.mspx), and the patch associated with it, were aimed at correcting the flaw to protect Vista users. Microsoft has also published guidelines, titled Inspect Your Gadget (msdn2.microsoft.com/en-us/library/bb498012.aspx), to help developers create Gadgets securely.
Because it’s active code, all Sidebar Gadgets represent a potential security hole. Without knowing more about the individuals or organizations developing them, you need to take steps to ensure you are protected.
The first step to ensuring you use Sidebar Gadgets that are stable and secure is to review the user feedback. Gadgets on the Windows Live Gadget Gallery can be rated from one to five stars. Gadgets that are unstable will be ranked low by users. Reviewing the ranking of a Gadget and the number of times it was downloaded can help you find the ones that are user-tested and approved. One more word of advice: Look at how many users have ranked a Gadget. It may have five stars, but if it only has one review that gave it five stars, it is not as credible as a Gadget with four stars that has been reviewed and ranked by hundreds of users.
With Windows Vista, Microsoft implemented a variety of new security controls. These controls also apply to Sidebar Gadgets and will help protect the user and the operating system from potential malicious activity. Again, Gadgets are just mini HTML- or XML-enabled applications, so Vista treats them like any other code installed from the Internet.
The actual Sidebar code, Sidebar.exe, runs in the context of the logged-in user. It has Medium integrity and no virtualization, and DEP (data execution prevention) is enabled. Sidebar Gadgets receive the same security scrutiny as other applications. They are protected by DEP, locked down by parental controls and scanned by Windows Defender.
Even during the initial installation of a Sidebar Gadget, Microsoft does its part to make sure the user is well aware of the risks. With UAC (User Account Control), the user receives at least three and possibly as many as five (if the Sidebar Gadget code is unsigned) warning messages before the installation is complete.
Here are some examples of warning messages
Understanding the potential issues with Vista Sidebar Gadget security and taking the time to read Vista’s warning messages may work well for individuals, but organizations may wish to exert some control over how users can download and install Vista Sidebar Gadgets. Thankfully, there are four GPO (Group Policy Object) settings that can be used to lock down the Vista Sidebar.
The bottom line is that Vista Sidebar Gadgets may, in fact, be insecure, and Sidebar Gadget vulnerabilities could potentially be exploited to hijack or compromise a Windows Vista system. However, it is not the Vista Sidebar itself that is insecure. Sidebar Gadgets are just applications and are no more or less secure than other applications. Organizations need to assess the stability and security of Sidebar Gadgets just as they would other applications deployed to the desktop. Using these GPO settings, administrators can manage if and how Sidebar Gadgets are employed and exert some control to enforce security policy and protect the desktops on the network.