
Security Vulnerabilities in Rainmeter?

tibo1010
Posts: 3
Joined: December 8th, 2017, 1:17 pm

Security Vulnerabilities in Rainmeter?

Post by tibo1010 »

Dear All,

I installed Rainmeter yesterday and am very happy with the skin I'm using (ModernGadgets) since it helps me monitor some of the hardware installed on my computer. My question, as a complete newbie to Rainmeter, is: are there inherent security vulnerabilities in this application?

I remember back when Microsoft released their Desktop Gadgets in Windows Vista and 7 there were some serious security vulnerabilities with these as per Microsoft Security Advisory 2719662 (https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2719662). Essentially, these Desktop Gadgets could allow attackers to run arbitrary code in the context of the current user and if the current user was logged on with administrative user rights, an attacker could take complete control of the affected system.

I very much want to keep using Rainmeter but not at the expense of compromising security. I'm currently running Win 10 Pro x64.

I look forward to hearing your comments.
jsmorley
Developer
Posts: 22628
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: Security Vulnerabilities in Rainmeter?

Post by jsmorley »

There really are no external security vulnerabilities with Rainmeter. There is nothing about Rainmeter that can ever "execute" anything from the web. Rainmeter is not a web browser and has no support for JavaScript or any other client-side execution. The biggest concern would be with allowing someone who is even reasonably computer literate local access to your system, as if you use things like a Gmail skin, your password is in plain text in the skin .ini file. In addition, Rainmeter can be made to execute pretty much any Windows command line, which certainly could have unwanted or destructive results if someone is able to get at the keyboard of your system and make changes.

Of course that is true in general if you are not exactly sure who is sitting in front of your computer at all times, and not specific to Rainmeter.
tibo1010
Posts: 3
Joined: December 8th, 2017, 1:17 pm

Re: Security Vulnerabilities in Rainmeter?

Post by tibo1010 »

Thanks for your detailed and prompt reply. It's really appreciated.
jsmorley
Developer
Posts: 22628
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: Security Vulnerabilities in Rainmeter?

Post by jsmorley »

Glad to help.

The only thing I would stress with Rainmeter is that you are careful where you get "skins" from. As long as you get them from here, in our Share Your Creations topic, or from the Rainmeter area at deviantART, it should be fine.

If you download skin .rmskin files from sketchy places, like from a BitTorrent site or other unreliable sites, it is not beyond the realm of possibility that the skin could install and execute some .dll plugin or .exe executable file that would be harmful.

Know what you are installing. Get it from here or deviantART, and pay attention to any comments before you download and install. That is also good general advice of course...
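
One way to act on the advice in the post above before installing a package, as an added example that is not part of the original thread or Rainmeter's own code: it assumes an .rmskin file is a ZIP-format archive and lists, without extracting anything, every entry that has a .dll or .exe extension or starts with the Windows executable "MZ" header, with a SHA-256 for each. The sample package and its file names are constructed.

```python
import hashlib
import io
import zipfile

RISKY_EXT = (".dll", ".exe")  # the file types the post warns about


def audit_rmskin(source):
    """List executable content in an .rmskin package without extracting it.

    source: a path or a binary file object (assumed to be a ZIP-format archive).
    Returns a list of (entry name, reason, sha256) for entries needing review.
    """
    findings = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
                digest = hashlib.sha256(head)
                # Hash in chunks so a large entry is never held in memory whole.
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            by_ext = info.filename.lower().endswith(RISKY_EXT)
            by_magic = head == b"MZ"  # Windows executables begin with "MZ"
            if by_ext or by_magic:
                reason = "extension" if by_ext else "MZ header under another extension"
                findings.append((info.filename, reason, digest.hexdigest()))
    return findings


def build_sample():
    """Constructed sample (not a real skin): an .ini, a plugin DLL, and an
    executable stored under a .dat name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Skins/Demo/Demo.ini", "[Rainmeter]\nUpdate=1000\n")
        zf.writestr("Plugins/64bit/Example.dll", b"MZ" + b"\x00" * 62)
        zf.writestr("Skins/Demo/@Resources/data.dat", b"MZ" + b"\x00" * 62)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason, sha256 in audit_rmskin(build_sample()):
        print(f"{name}\t{reason}\t{sha256}")
```

An empty result means the package carries only skin files such as .ini, images and fonts; any listed entry is code that would run as the current user, and its hash can be quoted when asking about the skin.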
tibo1010
Posts: 3
Joined: December 8th, 2017, 1:17 pm

Re: Security Vulnerabilities in Rainmeter?

Post by tibo1010 »

Great, many thanks for the additional helpful information. Hopefully this will also be of interest to other Rainmeter newbies out there.
tjhrulz
Developer
Posts: 267
Joined: October 13th, 2016, 1:28 am
Location: Earth

Re: Security Vulnerabilities in Rainmeter?

Post by tjhrulz »

tibo1010 wrote: Great, many thanks for the additional helpful information. Hopefully this will also be of interest to other Rainmeter newbies out there.

And if you or anyone else ever find a skin you are a little worried about/someone said was a virus, just post about it here and we will be glad to give it a once-over and make sure it is good to go (I know I have seen people make accusations about skins being viruses in the past that were just fine and very popular).