Black Hat security researchers warn of dangers associated with non-Microsoft based gadget controls in Windows 7 that could be used maliciously.

Microsoft Windows 7 – Disable third party Gadgets

QUOTE: Do you have any gadgets on your Windows 7 desktop, other than the ones that came with Windows? Kill them now! That’s the message I took away from a Black Hat talk by researchers Mickey Shkatov and Toby Kohlenberg. The two took great pains to clarify that the talk represents their own opinions only, wholly unconnected with any employer past or present. Kohlenberg reported that he was initially skeptical. Gadgets are going away, so where’s the value in studying them. “I told Mickey, if I write this code, you owe me.” However, he changed his opinion after some study. Sure, Windows gadgets are going away, but the programming style and frameworks used to make gadgets exist in other areas too, most notably smartphone apps.

Why kill your gadgets? Simply put, they are an egregious security risk. A gadget can do anything a normal application can do, but without many of the protections and limitations applied to programs. “People don’t perceive gadgets as applications, but they are,” said Kohlenberg. “They can do anything any other app can do, and you can do things from a gadget that would immediately be flagged if you did it from a binary.”  He went on to demonstrate a simple gadget that brings up gmail and sends a message to all of your contacts, with the gadget itself as an attachment. Yes, a self-replicating gadget! Sure, this won’t work if you correctly log out of gmail every time you use it. Do you?