Microsoft issues warning: Vista/Win7 users should disable the sidebar!


In response to what appears to be a very real risk, Microsoft is advising Vista and Windows 7 users to completely disable the sidebar and its associated gadgets.

Apparently, the warning from Microsoft has been sparked by a security report scheduled for release by independent researchers, which exposes a variety of attack vectors against gadgets, including how malicious gadgets can be created and the vulnerabilities discovered in gadgets that are already published.

Microsoft has taken both the report and potential threat very seriously and has subsequently issued an official Security Advisory (2719662) which includes the following warning:

An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system.

And this recommendation:

Recommendation. Customers who are concerned about vulnerable or malicious Gadgets should apply the automated Fix It solution as soon as possible.

The automated ‘Fix it’ solution is available via a Microsoft TechNet page entitled “Vulnerabilities in Gadgets could allow remote code execution”… HERE.


NOTE: There are two ‘Fix it’ downloads, one to Enable and another to Disable. The labeling is quite confusing as it appears to be back to front. The one labeled Enable (50906) actually enables the fix, which then disables the sidebar. The one labeled Disable (50907) reverses that and re-enables the sidebar… at least, that’s the way I am seeing it.

So in plain language: Run the ‘Enable’ Fix it (50906) to disable the sidebar and the ‘Disable’ Fix it (50907) to bring the sidebar back.
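The Fix it runs as a wizard and gives little feedback, so an administrator will usually want to confirm afterwards that the sidebar really is off. The PowerShell below is an added example written for this article, not Microsoft’s Fix it and not code from the original post. It checks the “Turn off Windows Sidebar” policy value (TurnOffSidebar under Policies\Windows\Sidebar, in both the machine and user hives) and whether sidebar.exe, the process that hosts every gadget, is still running. That the Fix it sets this same policy value is my assumption; the script only reads and writes that documented policy, so it is a valid check regardless of how the Fix it itself works.

```powershell
# Added example: verify (and optionally apply/revert) the sidebar lockdown by policy.
# Assumption: the 'Enable' Fix it (50906) sets TurnOffSidebar = 1; the 'Disable' Fix it
# (50907) removes it. The policy path itself is the standard Group Policy location.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
)

function Get-SidebarPolicyState {
    # Returns whether the sidebar is turned off by policy and which hive enforces it.
    foreach ($path in $policyPaths) {
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name TurnOffSidebar -ErrorAction SilentlyContinue).TurnOffSidebar
            if ($value -eq 1) {
                return [pscustomobject]@{ Disabled = $true; Source = $path }
            }
        }
    }
    return [pscustomobject]@{ Disabled = $false; Source = $null }
}

function Test-SidebarRunning {
    # sidebar.exe hosts the sidebar and all gadgets; while it runs, gadget code can still execute.
    return [bool](Get-Process -Name sidebar -ErrorAction SilentlyContinue)
}

function Disable-SidebarByPolicy {
    # Machine-wide equivalent of running the 'Enable' Fix it. Requires an elevated prompt.
    $path = $policyPaths[0]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name TurnOffSidebar -PropertyType DWord -Value 1 -Force | Out-Null
    # The policy only blocks future launches, so stop the currently running host as well.
    Get-Process -Name sidebar -ErrorAction SilentlyContinue | Stop-Process -Force
}

function Enable-SidebarByPolicy {
    # Reverses the change above (the 'Disable' Fix it equivalent). Requires an elevated prompt.
    foreach ($path in $policyPaths) {
        if (Test-Path $path) {
            Remove-ItemProperty -Path $path -Name TurnOffSidebar -ErrorAction SilentlyContinue
        }
    }
}

# Report the current state. Run with -Verbose-style detail in a plain console.
$state = Get-SidebarPolicyState
if ($state.Disabled) {
    Write-Output "Sidebar is turned off by policy ($($state.Source))."
} else {
    Write-Output "Sidebar is NOT turned off by policy; the Fix it has not taken effect here."
}
if (Test-SidebarRunning) {
    Write-Output "WARNING: sidebar.exe is still running; gadgets remain active until it is stopped or you log off."
} else {
    Write-Output "sidebar.exe is not running."
}
```

Run the report from an ordinary prompt first; call `Disable-SidebarByPolicy` only from an elevated PowerShell window, and note that a domain Group Policy setting the same value will override anything you set locally.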

UPDATE: It has been pointed out in the comments section, by long-time DCT member (and good friend) Nightowl78, that Microsoft has now altered the ‘Fix it’ links, after I published this article. I’m not at all surprised; the originals were very confusing. As you can see from the screenshots, Microsoft has now added a brief notation explaining what each one does, and also swapped the numbers around… bless ’em. I have amended the numbers in the article accordingly, but please ignore the screenshot above… here is what you will now see:

About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.

9 Comments

  1. Hey Jim:
    I just went to the link you have in your article as “HERE” and unless I have misread this completely, if you scroll down about half way in the TechNet page the “FixIt” links are just backward of what you are saying. It reads that the “50906” will disable the sidebar and gadgets.
    Of course I may be out in left field (which is where I stay most of the time).

    • Yep, you’re quite correct mate, the beggars went and changed it!! Not surprised, there have been a lot of comments about how confusing it was.

      The included (original) screenshot was taken direct from the TechNet site so you can see that they have not only changed the wording but swapped the numbers around too. I’ve edited the numbers in the article accordingly but I’ll have to add in a fresh screenshot now as well.

      Thanks for the heads up mate,
      Cheers… Jim

  2. Once again a nice, informative and timely article.

    At the end of June I have already disabled those gadgets.
    But I got a question, if you please reply.
    Do I still use that MS Fix this problem tool to disable gadgets which are already not showing on the Desktop?

    Thanks

  3. I downloaded both fixes. Where are they? There’s no icon. How do I find the fixes?

    Richie

    • Richard – The fixes should be in your default download location… usually C:\Users\your username\Downloads. Or wherever your downloads are generally saved.

      The files will be labeled: MicrosoftFixit.50906.msi and MicrosoftFixit.50907.msi

  4. Thank you for the advice, I downloaded the 50906 exe file and ran it.

    Without your explanation about enable and disable I might be thinking
    should I use 50906 or 50907 because on Microsoft web it is difficult to understand which is which.

    Your explanation saved frustration.

    Thank you once again.

  5. Hi Jim,
    I just disabled my sidebar, better safe than sorry.
    thanks for the heads up mate.
    have a wonderful day. 🙂