Widgets: the next big security threat?

23.01.2007
Desktop gadgets and widgets that display system information and other data, like weather forecasts, are becoming so popular they could become the next big security threat, says Eric Chien, security response engineer at Symantec Corp.

Gadgets such as Google Inc. gadgets and Yahoo Inc. widgets, which typically provide real-time graphical information about current battery status, the weather, stock quotes or the latest headlines, are not plug-ins or 'sandboxed applets', says Chien. Instead, they are fully fledged applications that have the potential to be malicious.

Gadgets are overlaid on the desktop or docked to a toolbar and can be written in scripting languages such as JavaScript or VBScript, says Chien. They can also be written using compiled languages such as C++ or C#.

Despite their innocent appearance, gadgets generally have full system access like any other program and can be used to perform malicious actions, behaving as Trojans, worms or viruses, he says. Some gadget-specific application programming interfaces (APIs) could also provide access to services that would normally require authentication, he says. Gadgets could search the system for specific information, hook the keyboard or browser and then export the information to remote systems via HTTP, email or instant messaging, he says.

'And because all gadgets support JavaScript, cross-platform infections are possible,' he adds. 'A Yahoo gadget could, potentially, infect a Vista gadget, for example.'

Windows Vista will ship with the Sidebar technology, which hosts and supports gadgets, and this may make gadgets a popular avenue of attack, warns Chien. However, while creating malicious gadgets is quite possible, widespread infections from gadgets are not a huge threat yet because the number of gadget framework users is a lot smaller than, for example, the number of Windows users, he says.