Nov 08 2007

Securing the Sidebar

Understanding and addressing security issues with one of Vista's new features.

One of the whiz-bang features of Windows Vista is the Sidebar. It is a vertical bar on the side of the display that can contain a variety of tools and applets. You can configure it to only show on the actual Windows Desktop or to always be displayed alongside the applications you are running. You can include a clock, your local weather, a notepad, your RSS feeds, photos, a calendar and more. There are currently more than 1,300 Sidebar Gadgets available on the Windows Live Gallery. Only about six Sidebar Gadgets fit on one screen, but the Vista Sidebar lets you flip through multiple pages if you exceed the original Sidebar real estate.

The Sidebar Gadgets are just little HTML- or XML-enabled applets. Part of the nature of applets such as these is that they are developed by a variety of organizations and individuals. Some are well-written and professionally done; others are rudimentary and rough around the edges.

Sidebar Security Issues

Earlier this year Microsoft addressed issues with Vista Sidebar Gadgets, which could have been exploited to execute remote code on vulnerable systems. Security Bulletin MS07-048 (www.microsoft.com/technet/security/bulletin/MS07-048.mspx), and the patch associated with it, were aimed at correcting the flaw to protect Vista users. Microsoft has also published guidelines, titled Inspect Your Gadget (msdn2.microsoft.com/en-us/library/bb498012.aspx), to help developers create Gadgets securely.

Because it’s active code, all Sidebar Gadgets represent a potential security hole. Without knowing more about the individuals or organizations developing them, you need to take steps to ensure you are protected.

The first step to ensuring you use Sidebar Gadgets that are stable and secure is to review the user feedback. Gadgets on the Windows Live Gadget Gallery can be rated from one to five stars. Gadgets that are unstable will be ranked low by users. Reviewing the ranking of a Gadget and the number of times it was downloaded can help you find the ones that are user-tested and approved. One more word of advice: Look at how many users have ranked a Gadget. It may have five stars, but if it only has one review that gave it five stars, it is not as credible as a Gadget with four stars that has been reviewed and ranked by hundreds of users.

Vista Security Measures

With Windows Vista, Microsoft implemented a variety of new security controls. These controls also apply to Sidebar Gadgets and will help protect the user and the operating system from potential malicious activity. Again, Gadgets are just mini HTML- or XML-enabled applications, so Vista treats them like any other code installed from the Internet.

The actual Sidebar code, Sidebar.exe, runs in the context of the logged-in user. It has Medium integrity and no virtualization, and DEP (data execution prevention) is enabled. Sidebar Gadgets receive the same security scrutiny as other applications. They are protected by DEP, locked down by parental controls and scanned by Windows Defender.

Even during the initial installation of a Sidebar Gadget, Microsoft does its part to make sure the user is well aware of the risks. With UAC (User Account Control), the user receives at least three and possibly as many as five (if the Sidebar Gadget code is unsigned) warning messages before the installation is complete.

Here are some examples of warning messages

Managing Sidebar Gadget Security

Understanding the potential issues with Vista Sidebar Gadget security and taking the time to read Vista’s warning messages may work well for individuals, but organizations may wish to exert some control over how users can download and install Vista Sidebar Gadgets. Thankfully, there are four GPO (Group Policy Object) settings that can be used to lock down the Vista Sidebar.

  1. Turn off Windows Sidebar: Using this GPO setting, an administrator can disable the Sidebar altogether for users, preventing them from using Sidebar Gadgets at all.
  2. Disable unpacking and installation of gadgets that are not digitally signed. Software that is digitally signed provides some validity as to its source and the integrity of the code. With this GPO setting, an administrator can ensure that users do not install Sidebar Gadgets that are not digitally signed. Enabling this policy will not, however, disable or remove any Sidebar Gadgets that have already been downloaded and installed. Sidebar Gadgets without digital signatures that users have previously installed will continue to function.
  3. Turn off user-installed Windows Sidebar Gadgets. Administrators can allow Sidebar Gadgets but restrict access so users can only use designated acceptable Sidebar Gadgets. With this GPO setting, Gadgets found in the users’ personal directory will not be displayed in the Gadget Gallery and will be disabled. Administrators can designate acceptable Sidebar Gadgets by placing them into the Shared Gadgets folder, which can only be modified by members of the Administrator group.
  4. Override the More Gadgets link. The Gadget Gallery shows the available Sidebar Gadgets but also has a link to Get More Gadgets Online, which connects the user with a Microsoft Web site where hundreds of Sidebar Gadgets from a variety of sources can be reviewed and downloaded. With this setting, an administrator can override the link and redirect users to an internal site where approved Sidebar Gadgets are available, or to a static Web screen letting users know that downloading and installing unapproved Sidebar Gadgets is against security policy.

The bottom line is that Vista Sidebar Gadgets may, in fact, be insecure, and Sidebar Gadget vulnerabilities could potentially be exploited to hijack or compromise a Windows Vista system. However, it is not the Vista Sidebar itself that is insecure. Sidebar Gadgets are just applications and are no more or less secure than other applications. Organizations need to assess the stability and security of Sidebar Gadgets just as they would other applications deployed to the desktop. Using these GPO settings, administrators can manage if and how Sidebar Gadgets are employed and exert some control to enforce security policy and protect the desktops on the network.

Tony Bradley, a Microsoft MVP (Most Valuable Professional) in Windows Security, is a computer security consultant with BT INS in Houston, Texas, and author of Essential Computer Security.