In response to what appears to be a very real risk, Microsoft is advising Vista and Windows 7 users to completely disable the sidebar and associated gadgets.
Apparently, the warning from Microsoft has been sparked by a scheduled security report from independent researchers which exposes a variety of attack vectors against gadgets, including how malicious gadgets can be created, and the vulnerabilities discovered in already published gadgets.
Microsoft has taken both the report and potential threat very seriously and has subsequently issued an official Security Advisory (2719662) which includes the following warning:
An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system.
And this recommendation:
Recommendation. Customers who are concerned about vulnerable or malicious Gadgets should apply the automated Fix It solution as soon as possible.
The automated ‘Fix it’ solution is available via a Microsoft TechNet page entitled “Vulnerabilities in Gadgets could allow remote code execution”.
NOTE: There are two ‘Fix it’ downloads, one to Enable and another to Disable. The labeling is quite confusing as it appears to be back to front. The one labeled Enable (50906) actually enables the fix, which then disables the sidebar. The one labeled Disable (50907) reverses that and re-enables the sidebar… at least, that’s the way I am seeing it.
So in plain language: Run the ‘Enable’ Fix it (50906) to disable the sidebar and the ‘Disable’ Fix it (50907) to bring the sidebar back.
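To confirm on a given machine that the sidebar really is turned off after running the Fix it, here is an added PowerShell check (it is not part of the article and is not Microsoft’s Fix it). It assumes the Fix it, like the manual workaround in Advisory 2719662, sets the DWORD value TurnOffSidebar=1 under the Policies\Windows\Sidebar key in HKLM and/or HKCU.

```powershell
# Added example, not from the article or from Microsoft's Fix it.
# Assumption: the Fix it / manual workaround for Advisory 2719662 sets the
# DWORD TurnOffSidebar=1 under Policies\Windows\Sidebar (HKLM and/or HKCU),
# which is the same value the "Turn off Windows Sidebar" Group Policy writes.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
)

function Get-SidebarPolicyState {
    # One record per hive: the raw value (or $null if absent) and whether it disables the sidebar
    foreach ($path in $policyPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'TurnOffSidebar' `
                        -ErrorAction SilentlyContinue).TurnOffSidebar
        }
        [pscustomobject]@{
            Hive           = $path.Split(':')[0]
            TurnOffSidebar = $value
            Disabled       = ($value -eq 1)
        }
    }
}

function Test-SidebarRunning {
    # sidebar.exe hosts the gadgets; if it is still running, the policy has not
    # taken effect yet (it is read at logon), so a log off/on or reboot is needed
    return [bool](Get-Process -Name 'sidebar' -ErrorAction SilentlyContinue)
}

$state = Get-SidebarPolicyState
$state | Format-Table -AutoSize

if ($state.Disabled -contains $true) {
    Write-Host 'Sidebar and gadgets are disabled by policy.'
} else {
    Write-Host 'No TurnOffSidebar=1 policy found: the Fix it has not been applied (or has been reverted).'
}

if (Test-SidebarRunning) {
    Write-Host 'sidebar.exe is still running; log off and on again for the policy to take effect.'
}
```

Run it in an elevated PowerShell prompt so the HKLM key can be read on systems where it is restricted; rerun after the ‘Disable’ Fix it to confirm the value has been cleared and the sidebar is back.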
UPDATE: It has been pointed out in the comments section, by long-time DCT member (and good friend) Nightowl78, that Microsoft has now altered the ‘Fix it’ links, after I published this article. I’m not at all surprised; the originals were very confusing. As you can see from the screenshots, Microsoft has now added a brief notation explaining what each one does, and also swapped the numbers around… bless ’em. I have amended the numbers in the article accordingly but please ignore the screenshot above… here is what you will now see: