Desktop gadgets and widgets that display system information and other data, such as those included with Microsoft's new Vista operating system, are becoming so popular they could become the next big security threat, says Eric Chien, security response engineer at Symantec.

Gadgets such as Google gadgets and Yahoo widgets, which typically provide real-time graphical information about current battery status, the weather, stock quotes or the latest headlines, are not plug-ins or "sandboxed applets", says Chien. Instead, they are fully fledged applications that have the potential to be malicious.

Gadgets are overlaid on the desktop or docked to a toolbar and can be written in scripting languages such as JavaScript or VBScript, says Chien. They can also be written using compiled languages such as C++ or C#.

Despite their innocent appearance, gadgets generally have full system access like any other program and can be used to perform malicious actions, including Trojans, worms and viruses, he says. Some gadget-specific APIs (application programming interfaces) could also provide access to services that would normally require authentication, he says. Gadgets could search the system for specific information, hook the keyboard or browser and then export the information to remote systems, via HTTP, email or instant messaging, he says.

"And because all gadgets support JavaScript, cross-platform infections are possible," he adds. "A Yahoo gadget could, potentially, infect a Vista gadget, for example."

Windows Vista will ship with the Sidebar technology, which hosts and supports gadgets, and this may make gadgets a popular avenue of attack, Chien warns. However, while creating malicious gadgets is quite possible, widespread infections from gadgets are not a huge threat yet because the number of gadget framework users is a lot smaller than, for example, the number of Windows users, he says.

David Rayner, Windows client marketing manager at Microsoft New Zealand, says gadgets pose no more or less of a threat than anything else downloaded from the internet.

"We're committed to making Windows Vista the most secure version of Windows yet," he says.

He adds that Microsoft hopes to be able to announce some local gadgets at the Vista launch on 30 January.

It is easy to open up gadgets and check the code, Chien says. So, if you know anything about coding, you can easily detect if a gadget is malicious. On the other hand, because most gadgets are written in script languages, it is also quite easy to add to the existing code and modify the gadget. Some frameworks do prevent gadgets from being modified, but gadgets are easily modified in Vista, he says.

Users should only install gadgets that they know come from reputable locations, says Chien. And enterprises need to consider whether gadgets really are necessary.

Chien spoke at the AVAR (Association of Anti-virus Asia Researchers) conference, held in Auckland in December last year.