Friday, August 17, 2007

Microsoft Fixes First Vista Gadget Bugs

Microsoft Corp. patched several Windows Vista gadgets, the first time it has had to fix the small applications, prompting one researcher to mark the date as the real "arrival of the next-generation of exposures."
According to the sources, the three bugs detailed in one of the nine bulletins could let attackers inject their own malicious code into a victim's Vista-powered PC. Three of Vista's bundled gadgets -- the small applications that sit on the desktop, usually pulling information from other programs or off the Web -- are flawed: the RSS, contacts and weather gadgets. The vulnerabilities in the RSS and weather gadgets are particularly dangerous, since both are enabled by default in a standard Vista installation.
Sources revealed that if a user subscribed to a malicious RSS feed in the Feed Headlines Gadget, added a malicious contacts file in the Contacts Gadget, or clicked on a malicious link in the Weather Gadget, an attacker could potentially run code on the system.
Although the bugs can result in remote code execution on the target machine, a characteristic that usually pegs a vulnerability as "critical," most third-party researchers fixed their attention not so much on the bugs themselves as on the fact that they lived inside Vista's gadgets.
According to the sources, the RSS gadget bug is a harbinger of bad things to come. If an attacker can find some way to inject data into a trusted feed, then they will be able to exploit any subscribers to the feed. Microsoft's gadget patches can be obtained through one of the company's update services.
