vandeneynde.net

Vista Gadgets

January 26th, 2008

While I was looking into writing my own gadget for Vista’s Sidebar to display my Google Reader news, it hit me that Gadgets are really simple web browser applications.

They generally consist of only one XML and one HTML file and can contain JavaScript, VBScript, WMI scripts, … (basically everything). This should make you think, because XSS, XSRF and all kinds of web exploits can potentially work in your sidebar if the right precautions have not been taken!

Vista’s UAC warns you when you install a gadget or when the gadget isn’t signed, but how many users would click yes to install ‘that cool gadget which also happens to contain a little bit of malicious code’? Most likely all of them.

There are even more attack vectors for the Vista Gadget API, and I found an interesting paper which discusses these and also shows which precautions Microsoft took: http://www.portcullis-security.com/uplds/Next_Generation_malware.pdf

It is not too long and does not go too deep, but it gives the reader enough info and links to investigate further if wanted. The portcullis-security.com website also has a nice download section which contains a lot of interesting tools.
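
Because a gadget is just a manifest plus a web page, its script content can be listed before anyone clicks through the install prompt. The following is an added example, not code from the paper or from Microsoft. It assumes the .gadget file is a ZIP archive with a root gadget.xml whose `<base src>` names the HTML page; the sample package and the feeds.example host are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")
# Strings worth a manual look: COM/WMI access and common script-injection sinks.
RISKY = ("ActiveXObject", "GetObject(", "innerHTML", "eval(")

def audit_gadget(data: bytes) -> dict:
    """Summarise the script content of a .gadget package without installing it."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = {n.lower(): n for n in pkg.namelist()}
        raw = pkg.read(names["gadget.xml"])  # assumed manifest name, at archive root
        if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
            raise ValueError("manifest declares a DTD or entities; refusing to parse")
        base = ET.fromstring(raw).find(".//base")  # assumed: <base src="..."/> is the UI page
        page = base.get("src")
        html = pkg.read(names[page.lower()]).decode("utf-8", "replace")
    languages, remote = set(), []
    for tag in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag.group(1))}
        languages.add((attrs.get("language") or attrs.get("type") or "javascript").lower())
        src = attrs.get("src", "")
        if re.match(r"(https?:)?//", src, re.I):  # script fetched from the network
            remote.append(src)
    return {"html": page, "languages": languages, "remote_scripts": remote,
            "risky_calls": {s for s in RISKY if s in html}}

def build_sample() -> bytes:
    """Constructed sample package, built in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("gadget.xml", '<gadget><name>Feed</name><hosts><host name="sidebar">'
                   '<base type="HTML" src="feed.html"/></host></hosts></gadget>')
        z.writestr("feed.html", '<html><script language="VBScript">x = 1</script>'
                   '<script src="http://feeds.example/render.js"></script>'
                   '<script>var w = new ActiveXObject("WbemScripting.SWbemLocator");'
                   '</script></html>')
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_gadget(build_sample()))
```

A remote script source or a COM/WMI call in the report is a prompt for manual review of that gadget, not a verdict on it.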
