Privacy PC came across an interesting topic raised by Mickey Shkatov and Toby Kohlenberg at the last Black Hat USA conference. The researchers were talking about a comparatively rare but potentially very hazardous attack vector involving Microsoft Windows desktop gadgets. We contacted Mickey Shkatov and asked him several questions.
Mickey Shkatov is a vulnerability researcher whose main interests are hardware related. He holds a bachelor's degree in engineering from the Ben-Gurion University of the Negev in Israel. Currently, Mickey works for Intel as a security researcher breaking software, firmware and hardware.
– So, Windows gadgets are basically web apps with extended features that can act like any other application. Average users do not perceive them as dangerous. Why is that?
– I cannot say for certain why users perceive things the way they do; my best guess would be that the common user believes that web-related applications must be connected somehow to the web browser. The fact that these gadgets’ code runs on the IE engine is transparent to them. When I think of answering this question I tend to think of my father, who knows a little bit about the innards of computer software, and remember how I had to explain to him why Windows gadgets are not part of Windows but more of a tiny website running on his desktop. I then had to apologize for making him remove them :) He understood why I had to do it :)
– It is important to note for ordinary users that most antivirus software does not flag gadgets, as they are not considered executables. Why is that?
– Well, to describe it simply, executables perform their own custom actions on the user’s computer as they are designed to do. They are able to basically do whatever they want and therefore are under constant observation by the computer cop, the Antivirus. The antivirus keeps an eye out for pieces of code it knows might cause a malicious outcome, and stops it from running before it does.
Gadgets, on the other hand, have at their disposal a set of trusted interfaces and tools that have, when used outside the browser, already been deemed benign by the Antivirus. And so it is possible for a gadget to be able to chain several seemingly innocent acts into one malicious action.
– In your opinion, what are the most dangerous security issues about gadgets?
– The original MS gadgets have been thoroughly tested and are almost certainly safe. The problem lies with 3rd party gadgets. Most of the gadgets we researched that were made by 3rd parties poorly followed secure coding practices as published by Microsoft specifically about gadget development.
– What percentage of Windows users run gadgets and how many gadgets are there overall?
– Those statistics were never available to us. We did try to find out ourselves, but anyone can write a gadget, and nobody who installs a gadget has it recorded anywhere.
There are a few 3rd party Windows gadget collection web sites we found that host dozens of gadgets, but again, we have not tried to catalog all of the gadgets out there.
– We see gadgets are on the decline and the Windows website no longer has any gadgets to download. Do you think Microsoft is putting them down due to security issues? Do you think this is part of Microsoft’s strategy in pushing users to buy Windows 8? Or is it just that gadgets don’t fit into Windows 8?
– I would not go as far as saying it is a Win8 marketing strategy; Windows 8 uses a different UI concept of tiles that kind of pushes common day-to-day computer users away from the conventional desktop. This new UI uses the Microsoft store and new application containers created by Microsoft. These new applications are more complex and also more secure than the old sidebar gadgets.
The sidebar gadget concept was a good attempt by Microsoft to have “widgets” on the desktop similar to other popular operating systems at the time. The problem was that it was an optional sideline feature most users chose to ignore, and so it remained dormant, so to speak, in the Windows 7 operating system.
– You found most 3rd party gadgets have poor security and are written badly. Why do you think this happened?
– I think it is because most usage models of gadgets are very simple and easy. Implementing a secure gadget to perform a simple task would take too much time.
– You found lots of malware claiming to be gadgets. How popular are attacks that involve gadgets?
– We have no idea, not even a clue. We have not heard of a real-world attack done using the gadgets. That said, it does not mean that a targeted attack against a corporation or individuals was not conducted at some time in the past.
– Can you name big breaches involving gadgets?
– Sorry, I do not know of any security breaches involving Windows gadgets.
– How often do we see container-based apps for smartphones? What security issues do we have with such apps?
– In smartphones the security model is different in comparison to gadgets. In Android, for example, the user selects the proper privileges an app can receive from the phone’s operating system, such as access to contacts or photos; the user can then choose to trust the app or not. You wouldn’t trust a picture application that wants access to your phone, right?
– After finding out about gadgets’ insecurity, most people who were using gadgets were greatly disappointed by the news and were reluctant to give up gadgets. What advice can you give to them?
– BE CAREFUL! If you use 3rd party gadgets be aware that they might be malicious.
Or in other words, you wouldn’t take a candy from a stranger no matter how good the candy looks, right?
If you decide to disable the Windows Sidebar, here are the instructions from Microsoft: http://technet.microsoft.com/en-us/security/advisory/2719662.
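The two practical points in the interview are that third-party gadgets are HTML/JavaScript running outside the browser with trusted interfaces at their disposal, and that the Microsoft advisory linked above is the way to switch the Sidebar off. The following PowerShell audit script is an added example, not code from the interview, from the researchers or from Microsoft. It assumes the gadget folder layout of Windows 7 (per-user gadgets under %LOCALAPPDATA%\Microsoft\Windows Sidebar\Gadgets, shared and built-in ones under %ProgramFiles%\Windows Sidebar) and the advisory's manual workaround, a DWORD value TurnOffSidebar=1 under ...\Policies\Windows\Sidebar; neither the paths nor the value name appear on the page, they are taken from Microsoft's documentation of the feature. The script reports whether the policy is already set, inventories installed gadgets with the name, author and version from each gadget.xml manifest, and counts the script-bearing files a reviewer would have to read before trusting a gadget.

```powershell
# Added audit script (not part of the interview or the researchers' work).
# Reports the Sidebar policy state from MS advisory 2719662 and inventories
# installed gadgets so an administrator can decide what to remove or disable.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
)

function Get-SidebarPolicyState {
    # TurnOffSidebar = 1 is the advisory's manual workaround; check both hives.
    foreach ($p in $policyPaths) {
        $v = Get-ItemProperty -Path $p -Name TurnOffSidebar -ErrorAction SilentlyContinue
        $value = $null
        if ($null -ne $v) { $value = [int]$v.TurnOffSidebar }
        [pscustomobject]@{
            Hive           = $p.Split(':')[0]
            TurnOffSidebar = $value
            Disabled       = ($value -eq 1)
        }
    }
}

function Get-InstalledGadgets {
    # Per-user folder holds gadgets the user installed (the third-party ones the
    # interview warns about); the shared folder holds admin-deployed gadgets and
    # the built-in folder holds Microsoft's own.
    $roots = @(
        @{ Scope = 'User';    Path = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows Sidebar\Gadgets' },
        @{ Scope = 'Shared';  Path = Join-Path $env:ProgramFiles 'Windows Sidebar\Shared Gadgets' },
        @{ Scope = 'Builtin'; Path = Join-Path $env:ProgramFiles 'Windows Sidebar\Gadgets' }
    )
    foreach ($r in $roots) {
        if (-not (Test-Path $r.Path)) { continue }
        Get-ChildItem -Path $r.Path -Directory -Filter '*.gadget' | ForEach-Object {
            $manifest = Join-Path $_.FullName 'gadget.xml'
            $name = '(no manifest)'; $author = ''; $version = ''
            if (Test-Path $manifest) {
                try {
                    [xml]$x = Get-Content -Path $manifest -Raw
                    $name    = $x.gadget.name
                    $version = $x.gadget.version
                    $author  = $x.gadget.author.name   # <author name="..."> attribute
                } catch {
                    $name = '(unparseable manifest)'
                }
            }
            # A gadget is an HTML/JS application running outside the browser
            # sandbox, so every script-bearing file is something a reviewer reads.
            $scripts = @(Get-ChildItem -Path $_.FullName -Recurse -File `
                -Include *.js, *.htm, *.html, *.vbs -ErrorAction SilentlyContinue).Count
            [pscustomobject]@{
                Scope       = $r.Scope
                Gadget      = $_.Name
                Name        = $name
                Version     = $version
                Author      = $author
                ScriptFiles = $scripts
            }
        }
    }
}

function Set-SidebarDisabled {
    # Applies the advisory's machine-wide workaround; requires an elevated shell.
    $p = $policyPaths[0]
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    New-ItemProperty -Path $p -Name TurnOffSidebar -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-SidebarPolicyState | Format-Table -AutoSize
# Built-in gadgets are left out of the report, matching the interview's point
# that the risk lies with third-party ones.
Get-InstalledGadgets | Where-Object { $_.Scope -ne 'Builtin' } | Format-Table -AutoSize
# After reviewing the report, apply the workaround by uncommenting the next line:
# Set-SidebarDisabled
```

Run the script from an elevated PowerShell on a Windows 7 machine; the inventory step works without elevation, but writing the HKLM policy value does not. The ScriptFiles count is deliberately not a verdict: a weather gadget with one script file is not safer than a clock with three, it just tells the reviewer how much code stands between the user and the desktop.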