Microsoft released KB Article 2719662, which relates to the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7. Microsoft has discovered that some Windows Vista and Windows 7 gadgets do not adhere to secure coding practices and should be regarded as posing a risk to the systems on which they’re run.
Insecure Gadgets or Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time.
As described in the Security Advisory:
"An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Microsoft Fix it
As a work-around, particularly for IT Administrators, Microsoft has provided a Microsoft Fix it solution that blocks the attack vector for this vulnerability.
The Fix it solution is available from Microsoft KB Article 2719662, with direct links to the download files to enable and disable the solution below. I suggest that you save both files so that you can disable the solution prior to installing the update when it is released.
Edit Note: Report from http://www.dslreports.com/forum/r27320136-Microsoft-Security-Advisory-2719662 (H/T: Siljaline).
"FYI: Microsoft has switched the Enable and Disable Fix-Its. 50906 enables the Fix It. 50907 disables the Fix It."
- Microsoft Fix it 50907
- Microsoft Fix it 50906
- MSRC: Gadgets, certificate housekeeping and the July 2012 bulletins
- TechNet Advisory: Microsoft Security Advisory (2719662) Vulnerabilities in Gadgets Could Allow Remote Code Execution
- Knowledge Base Article: Microsoft Security Advisory: Vulnerabilities in Gadgets could allow remote code execution