Sunday, December 02, 2007
Vista Windows Sidebar Gadget Security?
What is Windows Sidebar?
Microsoft Windows Vista includes a new feature called the Windows Sidebar. By default, the Windows Sidebar is enabled and visible when Vista is installed. The Windows Sidebar is used for displaying little applets (small programs) called gadgets.
If you're new to Vista, you probably have some gadgets showing on your desktop now. Along the right side of your Windows desktop, there is probably an RSS news feed, an analog clock display, and a little window showing a slideshow of the sample images placed by default in your Pictures folder. These sample gadgets were installed on your PC by the Vista installer.
I have no way of knowing what drove the decision to create the Windows Sidebar but there are some associative assumptions that can be made. Gadgets are small programs with lightweight user interfaces and, usually, specific task oriented functionality.
Windows, from Windows 95 through Windows XP, has provided similar functionality in what is known as the "notification area" of the TaskBar - the area adjacent to the time at the lower-right corner of the screen. Gadgets (though not officially called gadgets prior to Vista) that could be added in XP or before include little applications to set sound card settings, tell you if you had new email messages, configure your anti-virus settings, and more.
Other gadgets that you can download from the Internet for Windows versions previous to Vista include applications to perform searches on your PC, display your local weather, display sports scores, news feeds, etc. The problem was, and is, that many downloadable gadgets include features to track and report your Internet usage, to display popup advertisements, or possibly even worse.
Of course, these small applications are great revenue generators for the creators and also for those who trick users into installing them. Many malware application creators pay distributors of those applications on a per-installation basis. This is why many brand new computers come with so much malware (often called crapware when it comes on a brand new name-brand PC) pre-installed. The manufacturer of the PC doesn't provide that software as a benefit to you; they install it because they get paid by the creator of the crapware for undermining your PC security and privacy.
The only problem with the notification area as host location for the gadget user interface is that the space for such applications is just so limited. There is only so much room in the Windows task bar.
Since Microsoft clearly loves the idea of Windows as the delivery mechanism for marketing and advertising, they have come up with a solution to the space limitations of the notification area as home to gadgets: the Windows Sidebar. Suddenly, not only is there room for a lot more gadgets, the gadgets get more eye candy so they are more tempting to install.
Microsoft has published a description of the security model for Windows Sidebar gadgets and, from what I understand, it is just plain scary! It seems to me that there really is no security in gadgets at all.
Dissecting the Windows Sidebar Gadget Security Model
Let's start at the top of Microsoft's own documentation on gadget security and examine what makes me feel like gadgets should be approached with extreme caution.
"Gadgets for Sidebar, though developed using the functionality of the Microsoft HTML (MSHTML) runtime, are not limited by the standard browser security model."
What the statement above means is that, even though web pages that you access from the Internet cannot access files on your hard drive, gadgets that you install from the Internet can access your files.
If you create an HTML file yourself on your local hard drive and try to run any JavaScript or other script within that HTML file, the script will not run even though you created it yourself - something that should give Windows an indication that you trust that program to run. Yet if you download a Windows Sidebar gadget, all those protections are tossed aside and the gadget has full access to your PC. Any gadget you install could include functionality to steal your personal data including financial records stored on your local hard drive.
"Since gadgets are locally installed mini-applications that provide a rich set of system access APIs, a packaging and deployment method similar to a typical executable distribution is employed."
This means that when you install a gadget, it has the ability to install any file that the gadget creators choose to include in the installation package. This ability is the same ability exploited by the installation programs for applications such as Napster and Kazaa that installed password stealing and other malware on probably millions of PCs, most often without the knowledge of the user.
"A gadget is downloaded as a "package" of resources and configuration files. The package is distributed as a zip file or as a Windows cabinet (.cab) file. Both methods of distribution require the file extension, .zip or .cab, to be changed to .gadget. If the file is packaged as a .cab file, you can use a code signing certificate to provide information about the origin of the gadget. The user is then presented with this information before the gadget files are extracted.
Note There is no requirement for gadgets to be digitally signed since the certificates are costly and not commonly used by the developer community likely to create gadgets."
So the security of your PC is disregarded for the convenience of the gadget developer community - whether or not the developer is creating a malware infested gadget.
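To make the packaging rules quoted above concrete, here is an added example (not code from Microsoft or from the original post) that inspects a downloaded .gadget file before anyone double-clicks it: it tells a .cab package, the only form that can carry a signature, from a .zip package, and lists the members that carry code. The extension list, the script API markers and the sample package are constructed for this example.

```python
import io
import posixpath
import zipfile

# Constructed for this example (not from Microsoft's documentation): member
# types that carry code, and script APIs that reach files or the network.
CODE_EXTENSIONS = {".exe", ".dll", ".ocx", ".js", ".vbs", ".wsf", ".bat", ".cmd"}
TEXT_EXTENSIONS = {".html", ".htm", ".js", ".vbs"}
API_MARKERS = (b"activexobject", b"xmlhttprequest")
MAX_SCAN_BYTES = 1 << 20   # skip content scan of members larger than 1 MiB


def triage_gadget(data: bytes) -> dict:
    """Classify a .gadget package by container type and code-bearing members."""
    report = {"container": "unknown", "signable": False,
              "code_files": [], "api_hits": {}}
    if data[:4] == b"MSCF":                # Windows cabinet signature
        # Only this form can carry a code-signing certificate; checking that a
        # signature is present and valid is left to Windows tooling.
        report.update(container="cab", signable=True)
        return report
    if data[:4] != b"PK\x03\x04":          # ZIP local file header
        return report
    report["container"] = "zip"
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for info in package.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            ext = posixpath.splitext(name)[1].lower()
            if ext in CODE_EXTENSIONS:
                report["code_files"].append(name)
            if ext in TEXT_EXTENSIONS and info.file_size <= MAX_SCAN_BYTES:
                body = package.read(info).lower()
                hits = sorted(m.decode() for m in API_MARKERS if m in body)
                if hits:
                    report["api_hits"][name] = hits
    report["code_files"].sort()
    return report


def build_sample_gadget() -> bytes:
    """Constructed sample package: a 'clock' gadget whose script touches files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("clock.html", "<html><script src='clock.js'></script></html>")
        package.writestr("clock.js",
                         "var fso = new ActiveXObject('Scripting.FileSystemObject');")
        package.writestr("images/face.png", b"\x89PNG constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("zip sample", build_sample_gadget()),
                        ("cab header", b"MSCF" + bytes(32)),
                        ("other", b"not a gadget")):
        print(label, triage_gadget(blob))
```

A "zip" result means the package cannot show any publisher information at install time, so the list of code files and API hits is all you have to judge it by.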
"User Account Control (UAC) is a new feature of Microsoft Windows Vista that improves security when running as a standard user. Gadgets run with standard user privileges in the Administrator Approval Mode of UAC even if the user is a member of the administrators group. This helps prevent gadget code from modifying protected resources."
So while UAC prevents gadgets from modifying or deleting your system protected files, it does not prevent the gadget from modifying or deleting files that the user would otherwise have access to modify or delete, whether or not those files are related to the gadget in question. UAC also does not prevent the gadget from reading your personal or financial information and sending that information to servers on the Internet without your knowledge.
"Note An individual gadget may only have a single function such as reading files and information from the computer, accessing information from one or more domains, or displaying buttons and information for a utility. However, gadgets mix and match functionality in a variety of ways and, in aggregate, have the same set of functionality as other code."
Even the thought of gadgets reading files and information from my computer just makes me shiver. Like that paragraph says, gadgets have the same set of functionality as other code. They are programs and can do anything on your PC that any other program can do. Even if the user interface only shows a calculator or your local weather, the program can be doing anything it wants on your PC without you knowing.
"In a computing environment controlled by group policy, the use of gadgets can be further limited. The Sidebar supports three gadget folders, %systemdrive%\Program Files\Windows Sidebar\Shared Gadgets and %systemdrive%\Program Files\Windows Sidebar\Gadgets that can only be modified by the Administrator group and the %systemdrive%\Users\%user%\AppData\Local\Microsoft\Windows Sidebar\Gadgets folder where gadgets downloaded by the user are installed."
This paragraph is pretty scary in a couple of ways.
First, why would users with "a computing environment controlled by group policy" (usually this means a corporate environment with a full-time IT staff) have better security options regarding gadgets than average home users would have? Well, businesses have the knowledge and skill to recognize the risks of gadgets and won't allow them at all without appropriate controls. There would be a loud outcry from business if this risk could not be eliminated and, probably, businesses would not install Vista at all.
Second, buried within that paragraph is one of the scariest risks in Windows Sidebar gadgets of them all. Read it carefully. Do you see the risk? There are two folders into which only administrators can install gadgets. If a standard user tried to install into one of these folders, UAC would prevent the installation. But that's not what happens at all! If a standard user tries to install a gadget, the gadget (program!) installs just fine.
Vista does not normally allow standard users to install programs. That is one of the greatest features of Vista and why I really like UAC. Now, it turns out, there is a way around that UAC protection. My grandchildren could easily be tricked into installing a gadget on my PC that could expose not only my personal information but could expose their personal information and put them at risk. This was a very disturbing realization.
When I realized the implications of the quoted paragraph above, I had to try it. I switched to a non-administrative user and found I could install any gadget I downloaded. Thankfully, system restore allows me to undo the risk I took by the installations.
Windows Vista has been the first OS that I have used where I allowed my children and grandchildren to use my PC. I had counted on UAC to limit their ability to accidentally install malware. That protection doesn't really exist.
Microsoft's description of the security for Windows Sidebar gadgets includes the following description of security options available for users with group policy controlled environments (numbers added for formatting purposes):
"1. Turn off Windows Sidebar.
This policy allows administrators to completely disable the Windows Sidebar.
2. Disable unpacking and installation of gadgets that are not digitally signed.
This policy allows administrators to require that all gadgets installed by a user are digitally signed. This policy only affects gadgets that are downloaded and installed by double-clicking on the gadget package. All previously installed gadgets, as well as those installed manually, will still function.
3. Turn off user-installed gadgets.
This policy allows administrators to block gadgets not placed into either the Gadgets or the Shared Gadgets folders (both of which can only be modified by a user in the administrator group). Gadgets installed into the %systemdrive%\Users\%user%\AppData\Local\Microsoft\Windows Sidebar\Gadgets folder will not display in the Gadget Gallery dialog box or be allowed to run.
4. Override the "Get more gadgets online" link.
The Gadget Gallery dialog box provides a link where users can discover more gadgets. By default, this link points to an online Microsoft Web site; however, administrators can specify that this link point to another Web site. Administrators can then more easily distribute gadgets that are approved for use within their organization."
My Recommendations for Sidebar Gadgets
Luckily, all users do have the ability to configure group policies on their local PCs. It isn't really difficult but it is a shame that these settings are not available in a more user discoverable and user friendly way.
When executing the following procedure, use caution. These steps will make changes to the Windows registry. Incorrect application of group policies can render your computer unusable and require the re-installation of Windows.
To improve the security related to gadgets on your computer, start by making sure that the Windows Sidebar is currently running. You can show the Sidebar by clicking Start->All Programs->Accessories->Windows Sidebar.
For each running gadget, right-click on the gadget and choose Close Gadget. If the Sidebar closes after closing the last visible gadget, open the Sidebar again. Now right-click in the Sidebar and choose Properties. In the Properties window, click the button labeled "View list of running gadgets". Make sure that there are no running gadgets. This is necessary because if you simply close the Sidebar, it will not close the gadgets. If you have any malware gadgets running, closing the Sidebar will leave them running invisibly in the background with no visible indication or user interface to warn you that the gadget is running.
Now that you're sure there are no running gadgets, close the properties window. If the Sidebar closes, open it again. Right-click in the Sidebar and choose "Add Gadgets...". You will see a list of icons for all currently installed gadgets. Uninstall any that you don't want to use or don't know where they came from. To uninstall, right-click the icon for the gadget and choose Uninstall from the context menu. Because of the lack of security in Vista with regards to Windows Sidebar gadgets, you won't even see a UAC prompt to uninstall the gadgets.
Now, with this somewhat safer starting point, we can really go to work on improving the security of the Windows Sidebar - to the extent that there can be any security in the Windows Sidebar.
Click on the Start menu and type gpedit.msc in the search box. Press Enter.
If necessary, enter the username and password for an administrative user and then click OK at the UAC prompt.
Now expand the Administrative Templates tree under Computer Configuration at the left. Make sure you are working under Computer Configuration. If you make these changes under User Configuration, the changes will only apply to the current user and will not provide any protection for other users.
Under Computer Configuration\Administrative Templates, expand Windows Components and then scroll down to Windows Sidebar. Make sure you have selected Windows Sidebar and not Windows Sideshow. In the panel to the right, there will be four configuration options matching those described in the quote above.
The four options are:
1. Override the More Gadgets Link.
Other options below may make configuring this option unnecessary but if you want to take the most secure route, do the following:
Double-click this option and select Enabled. This will enable the text box to enter a web address for downloading gadgets from within Windows Sidebar. Enter "http://127.0.0.1/" without the quotes. This will cause Windows Sidebar to try to search your own computer for gadgets to download. If you don't have a web server running on your PC, Sidebar won't get a response. If you do have a web server running, your web server will not have any gadgets available for download.
Click OK to apply the change.
2. Turn off Windows Sidebar
This option will keep Windows Sidebar from loading when Windows starts. It will not, however, keep any configured gadgets from starting. Make sure you've followed the procedure I described above to close all running gadgets or this setting will simply hide the running gadgets.
To turn off Windows Sidebar, double-click this option and click Enabled. Click OK to apply the change.
3. Disable unpacking and installation of gadgets that are not digitally signed.
This setting will help prevent the installation of gadgets that the creator has not signed with a traceable and identifiable digital signature. This setting will not prevent previously installed gadgets from running, whether or not those gadgets have been signed, and it will not prevent the manual installation of gadgets by simply copying gadget files into the gadget directories. Even so, it will prevent the accidental installation of gadgets from unknown sources.
To enable this setting, disabling the installation of unsigned gadgets, double-click this option and select Enabled. Click OK to apply the change.
4. Turn off User Installed Windows Sidebar Gadgets
This is perhaps the most important of the four configurable settings. While all of the others may be considered optional settings, you should absolutely enable this setting. Enabling this setting will prevent non-administrative users from installing gadgets.
If there is a gadget for which you are confident about the safety and security, download the gadget and install it as an administrative user. Do not allow standard users to install them using the built-in installation options for gadgets. That way, you, as the administrator, parent, adult, or other responsible person, can make an informed decision about what gadgets, if any, get installed on your PC.
To enable this option, double-click the option and choose Enabled. Click OK to apply the change.
Further Considerations
Along with the above settings, there are some basic safety and security rules you need to consider and follow in regards to Windows Sidebar gadgets:
1. Only install gadgets from trusted sources. What's a trusted source? Well, consider some sources that are not trusted:
- Your brother. No matter how well you trust your brother, just because he sends you software or a link to software does not mean that software is safe to run. Maybe if he wrote it himself you can judge the trustworthiness of the software by your trust in your brother but, otherwise, you must trace the trust all the way back to the original source and every stop along the way to be confident that the software was safe when created and was not modified or virus-infected along the way before it gets to you.
- Major companies that you have had business dealings with for years and you're sure they would never do anything to jeopardize the safety and security of your PC. Wrong again.
Consider the giant Sony Corporation. Sony knowingly, and without any notification or permission from its customers, installed a rootkit on the PCs of millions of their customers. Not only was the installation of the rootkit a serious violation of the trust Sony's customers had in Sony, it also opened up back door access to every computer on which the rootkit was installed.
Or consider Microsoft themselves. Microsoft once tried to buy Claria, one of the largest adware companies in the world. And in the middle of the negotiations to buy Claria, Microsoft downgraded its recommendation on Claria spyware products from "Quarantine" to "Ignore" in its then beta anti-spyware product.
You can read about Sony's attack at http://www.schneier.com/blog/archives/2005/11/sony_secretly_i_1.html or read about rootkits on my blog at http://www.dalepreston.com/Blog/2005/04/rootkits-and-hooks.html - published, by the way, long before the Sony rootkit was discovered.
And you can read about Microsoft's association with Claria (formerly known as Gator) at http://www.eweek.com/article2/0,1759,1833649,00.asp. In this article, the author mentions that he still does not want anything to do with WeatherBug because of WeatherBug's previous association with Gator or Claria. WeatherBug, by the way, makes a Windows Sidebar gadget that is listed on Microsoft's official Sidebar gadget site.
Or you can read about Microsoft changing its recommendation for Claria/Gator products at http://www.eweek.com/article2/0,1895,1834607,00.asp.
So trust doesn't come from the size of the company. A lot of great gadgets will be created by developers who make and share them for free because they like doing the work. I have shared a lot of programs for managing MP3 music libraries here on my own website. I do it because I enjoy it.
Other great gadgets will be created by reputable large companies. The company that makes the motherboard in your PC might make a gadget for monitoring CPU temperatures. Your favorite network news channel may make a gadget for displaying news headlines - and they may even include advertisements in that gadget but, if they are fair and honest, they will notify you that they are going to give you advertisements and won't install other malware to drive those ads.
When deciding who to trust, don't make assumptions. Research and spend some time learning about the person or company before you trust them, no matter who the company is.



