Microsoft has released a security patch for Windows Vista to resolve the vulnerabilities on its small desktop applications, Vista Gadgets, which could allow an anonymous remote attacker to run code with the privileges of the logged on user.

The vulnerabilities are found in Feed Headlines gadget, Contacts gadget and Weather gadget.

According to Secunia, successful exploitation requires that a user is tricked into subscribing to a malicious RSS feed in the Feed Headlines gadget using Internet Explorer or into adding/importing a malicious contact into the Contacts gadget. For Weather gadget, successful exploitation requires a Man-in-the-Middle attack.

In addition, Microsoft said that “in all attack vectors, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Microsoft has recommended that users apply the security update. The patch can be downloaded in both 32-bit and 64-bit versions of Vista.

---

Related:

Windows Vista requires more patches than XP

Vista SideBar and gadgets the new frontier for malware

Patch Tuesday update zaps third-party bugs, but Media Player fix on hold

Safari on Vista comes complete with bugs and security holes

IE7 and Windows Mail in Vista to receive ‘critical’ fixes on Patch Tuesday

Entry was posted on Tuesday, August 14th, 2007 at 10:09 pm under Security, Vista.  Print This Post

Read more entries by Ruben Francia.