7

In a recent security advisory, Microsoft warns that "Vulnerabilities in Gadgets Could Allow Remote Code Execution":

An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user.

(Microsoft Security Advisory 2719662)


I don't really understand the point. As far as I know, gadgets are (by design) HTML-based applications running with full trust!

Full Trust

The choice to run a gadget is presented to the user in the same way that the choice to run any application downloaded from the Internet is presented. Information about the author of the gadget is displayed in a dialog box that indicates there is risk associated with this file. After the user accepts the warning, the gadget will run with all of the permissions associated with the user's login account.

(MSDN: Gadgets for Windows Sidebar Security)

For example, nothing prevents you from adding

<script language="VBScript">
    ' WScript.Shell is an ordinary COM object; the gadget host lets script create it
    Set shell = CreateObject("Wscript.Shell")
    ' Runs any program with the rights of the logged-on user
    shell.Run "notepad.exe"
</script>

and executing arbitrary commands from your gadget. This works and it's by design.

Obviously, they can do everything that another application running in the local user's context can do. So, where is the vulnerability the MS Security Advisory is mentioning which "can be exploited"?

Jonathan Leffler
Heinzi
  • Apparently the gadget code is JavaScript, which is somewhat limited per se, but then there's a vulnerability in the gadget subsystem that allows executing random code, not limited to the JS machine. – GSerg Jul 15 '12 at 09:33
  • @GSerg: The JavaScript/VBScript in gadgets has the same power as the one in [HTAs](http://en.wikipedia.org/wiki/HTML_Application), for example, [it can start arbitrary applications](http://blogs.technet.com/b/heyscriptingguy/archive/2005/10/31/how-can-i-start-an-application-from-an-hta.aspx). So, what's the point of an "exploit" if the language itself allows you to execute arbitrary code? – Heinzi Jul 15 '12 at 09:42
  • PS: I've deliberately decided to post this to StackOverflow instead of SuperUser, since it's more likely that a Gadget *developer* can answer this question rather than a Gadget *user*. – Heinzi Jul 15 '12 at 09:44

5 Answers

6

Well, the "gadget vulnerability" is the problem that:

the risks that gadgets are exposed to are the same as those faced by any web-based application, e.g. Man-In-The-Middle or code injection. Similar issues existed in earlier versions of most web browsers but modern browsers have specifically implemented controls to attempt to mitigate many of these issues. These controls have not been implemented in the Gadgets platform, leaving them vulnerable to well-known and thoroughly discussed attacks.
- We have you by the gadgets, black hat.

So you can see the main exploit is that there were no controls to stop gadgets from running code without restraint.

Another problem:

Microsoft has said that it has discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run.

So indeed running arbitrary code is part of HTAs, but the Sidebar and Gadgets platform didn't mitigate it and was quite pessimistic, thinking that all gadget programmers would write safe code and wouldn't try to exploit or do things gadgets aren't supposed to do.

Hope it answered what you asked.

I still think the question is quite vague, because you say: well, they allow running arbitrary code, it's part of the model and concept, and they didn't mitigate it, so what's the exploit? It's already exploited... this is the whole idea :)

It can be asked about every flaw and attack, and that's exactly the problem: it was a problem by design and wasn't secure. It was discovered that, since there is no mitigation and you are really able to run and execute malicious code with no problem, these gadgets have a flaw.

Alexis Wilke
TheNewOne
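An added illustration (not code from the question, the answers, Microsoft or the Black Hat paper) of the "code injection" class this answer quotes: a gadget that renders items from a remote news feed into its own HTML. The feed items and the news.example URLs are constructed for the example; the second item is what a man-in-the-middle on plain HTTP could substitute. The injected `onerror` handler calls WScript.Shell/notepad.exe, the same call the question shows, because that is the difference from a browser page: in a gadget the injected script inherits the user's full rights instead of landing in a sandbox. The block runs under Node without a DOM; it builds the markup strings a gadget would assign to `innerHTML` and compares the vulnerable and hardened renderers.

```javascript
// Added example, not from the original post. Feed items are constructed;
// the second one models content an attacker controls (MITM on an http:// feed).
const FEED_ITEMS = [
  { title: "Markets steady ahead of earnings", link: "http://news.example/1" },
  {
    title:
      'Breaking <img src="x" onerror="new ActiveXObject(\'WScript.Shell\').Run(\'notepad.exe\')">',
    link: "http://news.example/2",
  },
];

// Vulnerable pattern: feed text is concatenated straight into markup that the
// gadget assigns to innerHTML. In the full-trust gadget host the onerror handler
// above reaches WScript.Shell, exactly like the VBScript in the question.
function renderVulnerable(items) {
  return items
    .map((it) => `<li><a href="${it.link}">${it.title}</a></li>`)
    .join("");
}

// Hardened pattern: treat every feed field as data. Escape anything that goes
// into markup and only allow http(s) links, so a javascript: URL cannot be
// smuggled in through the href either.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function safeHref(url) {
  return /^https?:\/\//i.test(url) ? escapeHtml(url) : "#";
}

function renderSafe(items) {
  return items
    .map((it) => `<li><a href="${safeHref(it.link)}">${escapeHtml(it.title)}</a></li>`)
    .join("");
}

// Cheap regression check for gadget code: the renderer should emit exactly two
// opening tags per item (<li> and <a>); any extra opening tag came from the feed.
function hasInjectedMarkup(html, items) {
  const expectedTags = items.length * 2;
  const tagCount = (html.match(/<[a-z]/gi) || []).length;
  return tagCount !== expectedTags;
}

console.log("vulnerable:", renderVulnerable(FEED_ITEMS));
console.log("injected? ", hasInjectedMarkup(renderVulnerable(FEED_ITEMS), FEED_ITEMS));
console.log("safe:      ", renderSafe(FEED_ITEMS));
console.log("injected? ", hasInjectedMarkup(renderSafe(FEED_ITEMS), FEED_ITEMS));
```

The escaping is the same fix a web page would need; what changes in the gadget case is the blast radius, since there is no same-origin sandbox between the injected handler and the user's account.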
2

Agreed, the Gadgets platform appears to be no more or less vulnerable than if the user executed an unsigned application.

Why the same system-level execution prevention, heuristic analysis & other methods applied to applications could not be applied to Gadgets is mystifying to me.

This smacks of laziness on the part of Microsoft: The Gadgets platform was not highly regarded or widely used (despite the potential of delivering an unprecedented level of capability and integration of web-features directly into the desktop), so rather than make any attempt whatsoever to safeguard the user from malicious Gadgets, they simply discontinued them.

With the direction the User Interfaces in Windows, Mac and Android are headed, the average user has less and less idea how an app (or plugin) actually does what it is doing, so the proliferation of needless, opportunistic or even malicious apps continues. I've been back and forth over the Gadgets specification, and as near as I can tell, it is no more insecure than the plugins system used by Chrome and Firefox.

Execution of ActiveX and Java within a Gadget is subject to the Security settings in Internet Explorer. If your security settings allow a Gadget to do something, most of those functions are exploitable within a plugin or Java app as well.

The analyst reports I've read indicate that these vulnerabilities have been patched in "most modern browsers" but that clearly isn't true of Internet Explorer, as every Gadget exploit I've seen can also be run within the IE browser.

In short it is the "toggle-switch" style handling of ActiveX, Java and other plugins which is at fault here. By trying to spare the user endless prompting and eliminating the requirement of making an informed decision, Microsoft continues to leave uninformed or careless users wide open to malicious web apps and plugins.

Trust certificates & security patches would have been vastly preferable to discontinuing the feature.

2

As I see it, I think the security issue is a smoke screen. These "security issues" exists across many vectors, and gadgets, if they were such a problem would have been addressed much sooner than the dawn of the release of Windows 8. My opinion is that gadgets were jettisoned because they are a power drain on a Windows 8 tablet. It reminds me of how the ribbon interface was "to expose deeply buried functionality" when I think in reality Microsoft was really planning for a touch interface. So, whatever "excuse" Microsoft gives for doing something, I tend to look for a deeper purpose. Hopefully this will change with the new management. Does anyone know if it is possible to install some sort of gadget platform on Windows 8.1? Thanks!

0

These attacks happen in this way:

  1. An attacker would have to convince a user to install and enable a vulnerable Gadget
  2. An attacker who successfully exploited a Gadget vulnerability could gain the same user rights as a logged-on user. If the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

As you see, it is simple: if you install a vulnerable gadget... Now tell me, who authorizes your gadgets? On the world wide web there are many, many fake gadgets. Be careful.

Also, Microsoft has a hotfix to disable Sidebar and gadgets that you can find at this link: microsoft advisory

And they killed gadgets and Sidebar in Windows 8.

Hojat Taheri
    Thanks, but it still does not answer the question: What makes a gadget "vulnerable"? That kind of feels like saying "the user could install vulnerable software on his PC, so we disallow software installations"... I still don't see what makes a gadget more "vulnerable" than any other application downloaded from the Internet. – Heinzi Aug 17 '12 at 07:06
  • It would seem that an attacker wouldn't necessarily need to do #1, as it's possible that the user might already have a vulnerable gadget on their machine. And I guess this is the problem... too many mainstream, legitimate gadgets have security vulnerabilities. I came across this document (PDF) that details a vulnerability in the [ITN News Gadget](https://labs.mwrinfosecurity.com/system/assets/193/original/mwri_itn-news-gadget-advisory_2008-02-04.pdf). – MrWhite Oct 04 '13 at 13:19
0

I appreciate your finding the exact details; here is the article presented at Black Hat which made Microsoft disable gadgets:

We have you by the gadgets - Black Hat (pdf file)

j0k
Hojat Taheri
  • I've read the article and couldn't find any *concrete* vulnerability mentioned there, and nothing which isn't *by design* (e.g. "the risks that gadgets are exposed to are the same as those faced by any web-based application" or "Gadgets can be developed in a way that they are almost identical to traditional software"). Hence my question here. ;-) – Heinzi Aug 17 '12 at 08:02