Microsoft Corp. yesterday patched several Windows Vista gadgets, the first time it’s had to fix the small applications, prompting one researcher to mark the date as the real “arrival of the next-generation of vulnerabilities.”
The three bugs, detailed in one of the nine bulletins Microsoft issued yesterday, could let an attacker run code of their choosing on a victim's Vista PC, Microsoft said. Three of Vista's bundled gadgets are affected: the RSS, contacts and weather gadgets, the small applications that sit on the desktop and usually pull content from other programs or from the Web, which is what gives an attacker a way in. The vulnerabilities in the RSS and weather gadgets are the more dangerous of the three, since both are enabled by default in a standard Vista installation.
“If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contacts Gadget or a user clicked on a malicious link in the Weather Gadget, an attacker could potentially run code on the system,” Microsoft reported in the bulletin.
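How a gadget that pulls content off the Web can end up running an attacker's code, as an added illustration (the article does not show the gadgets' own code, and this is not Microsoft's): a toy feed-headline renderer, written in JavaScript as Sidebar gadgets were, pastes feed titles and links straight into its own markup, beside a hardened version that escapes the text and accepts only http(s) links. The sample feed is constructed for the example, and the assumption that the patched bugs were this kind of markup injection is mine, not the article's.

```javascript
// Added illustration, not the Vista gadget code (which the article does not
// show). A gadget is an HTML/JS page; whatever it renders into its own DOM
// runs with the gadget's rights, so untrusted feed text must never become markup.

// Constructed sample feed, as a gadget would see it after parsing the XML.
// The second entry carries the kind of payload that turns a "headline" into
// script: a tag with an event handler in the title and a script: URL as link.
const SAMPLE_FEED = [
  { title: "Patch Tuesday fixes nine bulletins",
    link: "https://example.test/news/1" },
  { title: 'Breaking<img src=x onerror="alert(document.cookie)">',
    link: "javascript:alert('gadget')" },
];

// Unsafe: feed strings are concatenated straight into HTML, so any markup in a
// title or link becomes part of the gadget's page and executes when rendered.
function renderHeadlinesUnsafe(items) {
  return items.map(i => `<li><a href="${i.link}">${i.title}</a></li>`).join("");
}

// Escape the characters that let text break out of a text node or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Accept only absolute http(s) URLs. javascript:, vbscript:, file:, data: and
// relative references all return null, so a click cannot run script or open a
// local resource. URL() throws on anything it cannot parse as absolute.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Hardened: text is escaped, links are allow-listed, and an entry whose link
// fails the check is shown as plain text rather than dropped silently.
function renderHeadlinesSafe(items) {
  return items.map(i => {
    const href = safeHref(i.link);
    const text = escapeHtml(i.title);
    return href ? `<li><a href="${escapeHtml(href)}">${text}</a></li>`
                : `<li>${text}</li>`;
  }).join("");
}

// Detector used to compare the two renderers: a real tag carrying an on*
// handler, or an anchor whose target is a script URL. Escaped text such as
// "&lt;img ... onerror=" is not a tag and does not match.
function containsActiveContent(html) {
  return /<[a-z]+[^>]*\son\w+=/i.test(html) || /href="javascript:/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderHeadlinesUnsafe(SAMPLE_FEED));
  console.log("safe:  ", renderHeadlinesSafe(SAMPLE_FEED));
}
```

The escaping alone is not enough: the weather-gadget vector in the bulletin is a clicked link, which is why `safeHref` rejects every scheme except http and https instead of trying to blacklist `javascript:`.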
Although the bugs can lead to remote code execution on the target machine, a characteristic that usually earns a vulnerability a "critical" rating, Microsoft ranked them one step lower, as "important." Part of the reason is that under Vista's revised account-rights settings code that gets in this way runs only with the logged-on user's privileges rather than as an administrator, which should limit the worst kind of damage. Each of the three attacks also needs the user to act first, by subscribing to the feed, adding the contacts file or clicking the link.