Microsoft finds vulnerabilities in Vista, W7 gadgets

By

Security risk for admins.

Microsoft has urged Windows Vista and Windows 7 users to disable desktop accessories in the operating systems as a security measure.

Microsoft finds vulnerabilities in Vista, W7 gadgets

The software giant said in a security advisory that the insecure Gadgets feature in the systems can execute arbitrary code as well as access user data.

Users logged on as administrator, guest or power user could unwittingly allow rogue Gadgets to run any code it wants at that security level, and take complete control over the system, according to Microsoft.

The advisory includes an automated  "Fix It" tool disabling the features.

While Microsoft did not outline the specific vulnerabilities, a briefing at the Black Hat security conference later this month promises to provide greater detail on the issue.

Gadgets — developed with JavaScript, CSS and HTML — are embedded into the Windows operating system by default, potentially providing a number of interesting attack vectors, according to researchers Mickey Shkatov and Toby Kohlenberg.

All editions of Windows Vista Serivce Pack 2 are affected by the vulnerability, as well as the entire Windows 7 operating system family.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
microsoftsecurityvulnerabilitieswindows 7windows vista

Sponsored Whitepapers

Optus Enterprise Mobility
Optus Enterprise Mobility
Life After VMware: Scale Securely with mCloud by Micron21
Life After VMware: Scale Securely with mCloud by Micron21
Cut Cloud Costs Without Compromise: Discover mCloud by Micron21
Cut Cloud Costs Without Compromise: Discover mCloud by Micron21
What 4 wholesale distribution challenges aren’t going away anytime soon?
What 4 wholesale distribution challenges aren’t going away anytime soon?
State of the SOC: Building Resilience in a Shifting Threat Landscape
State of the SOC: Building Resilience in a Shifting Threat Landscape

Events

Most Read Articles

First npm worm "Shai-Hulud" released in supply chain attack

First npm worm "Shai-Hulud" released in supply chain attack
"VoidProxy" PhishKit targets Google and Microsoft users

"VoidProxy" PhishKit targets Google and Microsoft users
NSW gov third party-linked cyber incidents quadruple in two years

NSW gov third party-linked cyber incidents quadruple in two years
Actor auth tokens gave Global Admin access across Azure Entra ID tenants

Actor auth tokens gave Global Admin access across Azure Entra ID tenants
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?