It’s hard to get excited about Microsoft’s monthly Patch Tuesday, since its arrival is as inevitable as death and taxes, so “Microsoft fixes 14 flaws in biggest patch day since February” isn’t much of an eyebrow raiser. Todd Bishop, however, points out one interesting patch for Vista Gadgets:
This important security update resolves two privately reported vulnerabilities in addition to other vulnerabilities identified during the course of the investigation. These vulnerabilities could allow an anonymous remote attacker to run code with the privileges of the logged-on user. If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget, added a malicious contacts file in the Contacts Gadget, or clicked on a malicious link in the Weather Gadget, an attacker could potentially run code on the system. In all attack vectors, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Gadgets were introduced in Vista as a new form of small, useful desktop applets, and, as is often the case with first versions, it looks like the developers didn’t fully consider how they could be abused. I suppose one could turn snarky over the hyped ultra-secure nature of Vista, but the hype and the eventual holes were inevitable too.
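The advisory quoted above lists feed content and links as the inputs that let an attacker run code, but does not say how the gadgets mishandled them. The following is an added example, not code from this post, from Microsoft, or from any gadget; it assumes only the general pattern that a desktop applet written in HTML and JavaScript builds markup from fields it pulled from a feed. It shows the defect class (untrusted text and URLs dropped straight into markup) beside the corrected rendering, using constructed sample items.

```javascript
// Added example (not from the post or from Microsoft). Assumes an applet that
// turns feed items into HTML; the advisory does not describe the actual trigger.

// Constructed sample feed items: one benign, one carrying hostile markup and a
// non-http link scheme.
const SAMPLE_ITEMS = [
  { title: 'Normal headline', link: 'https://example.com/story' },
  { title: 'Bad <img src=x onerror="alert(1)"> headline', link: 'javascript:alert(1)' },
];

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only http(s) links from the feed; anything else becomes an inert '#'.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // unparsable URL: fall through to the fallback
  }
  return '#';
}

// Defective pattern: feed fields concatenated into markup as-is, so any HTML
// or script-scheme link in the feed is interpreted by the applet.
function renderUnsafe(items) {
  return items
    .map((it) => `<li><a href="${it.link}">${it.title}</a></li>`)
    .join('');
}

// Corrected pattern: text is escaped, link scheme is validated, and the href
// is escaped again because it lands in an attribute.
function renderSafe(items) {
  return items
    .map((it) => `<li><a href="${escapeHtml(safeHref(it.link))}">${escapeHtml(it.title)}</a></li>`)
    .join('');
}

// Stand-alone run: print both renderings for the constructed items.
console.log('unsafe:', renderUnsafe(SAMPLE_ITEMS));
console.log('safe:  ', renderSafe(SAMPLE_ITEMS));
```

The difference the user-rights sentence in the advisory points at also holds here: the escaping stops the feed from supplying markup at all, whereas running the applet under a limited account only bounds what injected code can do once it runs.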