Slashdot Mirror
Malicious Web Pages Can Install Dashboard Widgets
bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.
magine porn sites auto-installing adware widgets without your knowledge.
Yes, but do they install porn?
-SJ53
If people would just run a secure OS like Linux or Windows, they wouldn't be hit with attacks like this. When will people learn?
That seems liek quite a security flaw... Any timeline on it being patched?
I LIKE TOAST!!!
with somethingorother.zip. Interesting, but not dangerous.
Oh well, what the hell...
this page at Apple's Developer Connection says that a 'widget' cannot ask for any resources or do anything to the filesystem outside of the widgets bundle.
This is what happens when you tie together parts of the OS that shouldn't be put together. In particular, has apple not realised that having the browser tied to anything that expects local rather than remote content is fundamentally an incredibly stupid idea?
I am trolling
Apple copies Microsoft.....
I'm running Jaguar!
I can't afford to buy all the Apple "upgrades of the month."
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Nothing happened to me (I'm running XP at the moment), but there's a friggin ZIP file sitting on my desktop. OK, time to bring out my tin foil hat! And to the /. editors, don't link to shit like that, damn! That's just common sense.
I know that Windows usually posts security fixes and doesn't address spyware exploits specifically in many cases -- it'll be interesting to see if Apple addresses this in 10.4.1 or if we see a patch sooner (or later!)
Yeah... I'm imagining those porn sites.........
This is similar to the "scary" Firefox exploit mentioned earlier: if you don't have automagic download and installation of software enabled, you have nothing to worry about.
In other words, unless you're a hopelessly ignorant @$$wad, you're in the clear.
ignoring is not a good way to become popular. yes, we know it worked for microsoft, but um
If you do not tick the "open safe files" check box in the prefs. Which you should left unchecked if you're not entirely stupid, as there is no way to tell whether any file is actually "safe". Good Internet Practice, as I like to call it.
----- One learns to itch where one can scratch.
Is to turn off "Open 'Safe' downloads" in Safari's Options.
It's just common sense anyways
Indeed. What with Firefox being able to execute arbitrary code, and now dashboard adware coming in via Safari, today really hasn't been a good day for proponents of alternative browsers.
So the worst case scenario is that the icon in de dashboard bar is pornographic? I;m going back to windows instantly, because with windows, I can also immediately dial-up to a porn site, eat that Apple! (no pun intended)
It's true that it's too easy to install a widget with safari, because it unzips and install automatically, but it can't do anyharm but to your eyes..
Still, some sort of warning with a preview would be a good idea.
"imagine porn sites auto-installing adware widgets without your knowledge." I guess Mac users can now blame their browsers for the pr0n popping up on their computers as well.
The guys at Apple finally have something to do!
the idiots at Apple, completely unheedful and unmindful of prior art and experience - this is especially true of security-related matters - are going about slowly ensuring that OS/X will end up just as full of security holes and vulnerabilities as Windows.
This is sad; I love my PowerBook, I love OS/X, I'm a *NIX switcher (i.e., not an Apple person, but a *NIX person who switched from Linux to the Mac in order to get the benefits of FreeBSD along with all the goodness of Apple's hardware and multimedia capabilities, not to mention Office).
Someone needs to whack Jobs over the head and get him to focus his people on security, or the Mac will end up being as full of malware as Windows, solely because Apple programmers are doing stupid things which undermine the solid security foundation of FreeBSD which OS/X was built upon, but which can be bypassed by doing stupid things with the GUI/APIs layered atop it.
but you'd also have to have the "open safe items" turned on in safari prefs, and that is kinda dumb.
Pablo Piccaso was never called an asshole. Not like you.
By default safari has "open safe files after downloading" turned on in general prefs. I changed my to off on day 1. I am sure apple will change this in the future or set it to ignore auto installing widgets. to prevent the problem do as follows. Navigate in Safari to Safari>Preferences...>General Then uncheck the box that says 'Open "safe" files after downloading'
I love features!
Anyone want a more minimalistic system? Say, one that doesn't do things behind your back?
Tharkban (It is a signature after all)
Looks like he was nice and made us a goatse.cx widget. Too bad I don't have Tiger yet... :'(
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
it's not totally evil.
It installs the widget, but does not activate it.. it just makes it available.
Further, widgets do run in a sandbox, and require user approval to execute if they want to do certain things (like erase your HD).
Honestly, apple should have said "would you like to install this widget?".. that would be sensible and courteous.
If you set your browser to automatically execute downloaded files bad stuff can happen. What does this have to do with dashboard or even osx now?
First, when a widget starts to download, Tiger prompts me and says "This download contains an application, do you want to continue?" That should be the first dead-giveaweay.
...say Calculator).
Secondly, while the OS DOES copy downloaded widgets to the Widgets folder in the Users directory, the widgets do not become active until you actually activate them. (of course there's nothing stopping you from usign the same name and icon as
Getting widgets to do complex system-level stuff you WANT them to do is tough enough.
Mod this article back to the stone age. Tech the author to use "killall" and those grabbing this as the ultimate proof of OS X lack of security - get a grip !
If you have your browser set to auto-open files, your fault. You STILL have to EXECUTE the widget - that will NOT happen auto"magically".
GAH !
Mod parent down now!
i don't know what this discussion is all about. either somebody tries to be important or apple has fixed the issue before the tiger gm release.
.zip file automatically downloaded to my desktop. ok. double-click on the .zip file. a widget "zaptastic.wdgt" appears. double-click on the widget file. dashboard asks me whether i want to use this widget because it is launched for the first time. just deny.
i went on the page and a
as far as i can see--no security risk, am i wrong?
If there's anything that Slashdot has taught us, it's that it's never safe to use your computer.
Safari is uber paranoid about other filetypes now-- if you download a tar or a dmg it says "warning, this file may contain an application, are you sure you want to uncompress this?" It didn't do this before Tiger.
The unzip/install widgets thing wasn't a conscious decision. This is clearly a bug.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
The default settings I used on my Mac stopped this cold. First, I have the setting in Safari to not automatically run 'safe' files after download. Thus, it just downloaded, didn't install.
Second, I don't have a personal Widgets folder. I only use the system one, and copy the widgets there with su. So, even after setting the 'run safe' option, it still didn't install!
So, yes, it does affect Macs, but those of us who are completeloy paranoid are pretty safe.
My suggestion - block auto-open of 'safe' downloads AND move all your widgets to the system folder and delete your widgets folder.
With this new addition to Safari under Tiger, Apple has made a large step in catching up with Microsoft Windows...
Now the script kiddies won't feel as limited in their options in annoying Mac users just like they do MS Windows users.
A nice, new, open window (no pun intended) for the black hats to use... *sigh*
--
Tomas
so I take it then that all web apps are an 'incredibly stupid idea'?
-ashot
It's like a fly in my Chardonnay :(
If anyone else let the evil version install to see what it did (like me) it's really easy to remove.
Step 1: Remove the folder zaptastic_evil.wdgt from ~/Library/Widgets.
Step 2: Using Activity Monitor to kill any running instance of it (yes Activity Monitor shows each widget as a separate process).
No reboot.
Here, another proof ;)
imagine porn sites auto-installing adware widgets without your knowledge
Imagine it? I'm a Windows/IE user...I live it!
if Apple actually invented anything original. Both Apple and Microsoft copy just about everything from others.
Click OnLine, BBC's tech show:
e /worl_click_030505_show_hi.rm?Media=60506
http://stream.servstream.com/ViewWeb/BBCWorld/Fil
Cole asks Apple manager: is Dashboard a big rip off of Konfabulator?
Apple manager's response:um, er...Desk..Accessory...um...things......from before....like
I did go the the "malicious" website using Safari and Tiger, but the widget did not install. Then I figured out that unchecking the "open 'safe' files after downloading" option is sufficient to prevent this behavior.
There is one for Goatse, which some here would regard as porn.
I prefer the "u" in honour as it seems to be missing these days.
ok, i shot too fast. of course i had the open "safe" files checkbox unchecked.
yeah, this is bad design. you should always be asked before having something installed.
I'm just glad I'm running Firefox under Windows. No need for me to worry about nefarious web sites.
I can't see how putting your personal widgets into the system's widget directory _improves_ security! I would imagine that in doing so you are giving root privileges to the widget? Of course, I expect Apple severely limits their power, but that's no reason to do it. You're also forcing all of the users on your system to use your widgets! Terrible advice!
Isn't it funny how the only "exploits" people can find for Mac OS X almost always exclusively revolve around social engineering, and never real flaws in the platform itself?
/sarcasm
Yes, isn't it? Apple Releases Mega Patch to Fix 19 Flaws
Give me but one firm spot on which to stand, and I will move the earth.
- Archimedes
Yes, I know that Dashboard programs cannot (supposedly) affect the filesystem outside of their bundle. And I know that if you uncheck the "automatically open downloaded blah blah blah" then Safari won't do that.
But the default is not secure! And that's what will cause the computer to do "weird" stuff like the above; the same type of stuff that annoys Windows users and gets them thinking about buying a Mac next time. (Four people at work have already bought a new Mac specifically because of past problems with malicious code in Windows.)
Since OS X is based on UNIX, providing rock-solid security for non-security-conscious users shouldn't be any trouble at all. The mechanism is all there; all Apple needs to change is the policies of the default install, and nearly all users will be safe from crap like this.
First, downloaded files should, by default, not be opened automatically. If the user wishes to change this setting, it's the user's responsibility. Second, any downloaded files, bundles, scripts, etc., should not have the execute bit set by default. When the user tries to run it for the first time, OS X will ask for the password, like it does when you install X11 or Final Cut or something. Only then will the execute bit be set. This is not a small inconvenience; rather, it is a huge convenience. Sure, you have to type a password to run a downloaded program for the first time, but that's only as annoying as finding out the bank put an extra $10,000 in your account by mistake. And your computer won't suddenly acquire programs/spyware/malware/adware/viruses and other nice stuff that you didn't intend it to acquire. This is extremely convenient. It's an additional level of security for safety-conscious parents who use Tiger's new child-safety features. It's good for owners of computers with multiple users, who don't want people to run arbitrary code that came from God knows where.
Apple could and should take this a step further. At some point, people will find ways to screw up Macs with programs/spyware/malware/adware/viruses, especially if they become pretty popular. Apple could prevent this before it happens. Provide an online database of MD5 sums of binaries for OS X, and provide a mechanism in the OS to report bad software and where it came from. Perhaps people could post a comment with their claim. The system would be moderated by the community, so good software won't end up listed as bad. There are plenty of Mac zealots who would participate. When you try to run any program for the first time, whether it comes from the Internet, a CD, or wherever, OS X might first compute the MD5 sum and compare it to the online database. If the MD5 matches, OS X will warn the user and perhaps allow the user to browse the comments posted about this program. Comments like, "This program sends all keystrokes to the goatse site!" The user can then decide whether to run the program or clean it off the system. Not connected to the Internet? The database shouldn't be that large... When you install OS X, the latest version could be placed on the HDD, and when you connect, it could automatically update it. Bam... Pretty good protection against the spyware problem, BEFORE it comes to the Mac. Proactive... not reactive like the Microsoft crowd.
I use Macs, Linux, and the BSDs.
D'OH! That about sums it up.
Oh, so it's OK that this guy has SOFTWARE PATENTS because he's an Apple guy, not an M$ guy. Very mature.
Exactly. You might as well claim it's a serious security flaw that I could release a program which asks for your admin password to install and then formats your hard drive.
Don't blame me; I'm never given mod points.
This is more secure because you have to type in your Admin password to install any widget. So the auto-install download will not work.
Widgets in the main system library run just the same as the ones in your personal library. They do not run as root!
I have a doubt, which might sound rather silly, but I havent found a "good" soln: How would s/w or worms or any malicious orig/widget/[insert anything] get activated unless one is in an admin a/c. I surf in an a/c without any priveleges and switch to admin only when I have something [which I rely] to install.. a naive doubt but plz answer.. this is offtopic as I use windows xp..
Not easier to remove at all. It is always a matter of locating the content, removing it and rebooting. Windows has a number of third party tools that will do the work without a reboot needed.
Let's be fair, all Ad/spyware sucks. It shouldn't be tolerated at all and offenders should be blacklisted for life. No one should put/run code on my machine but me!
Get your Unix fortune now!
This can't possibly be true.
Everyone knows that Linux and OS X are perfect and only Windows has security exploits.
Let's get it right people! You're slipping!
if Apple actually invented anything original. Both Apple and Microsoft copy just about everything from others.
Microsoft has buggy software which would allow something like this to happen. Now it seems like Apple is copying off of that and allowing such ease of control of somebody's computer. It's both +1 funny and +1 insightful.
I am defenseless. Use your button. Mod me down with all of your hatred.
Switch to Windows, its better, really.
I've got a BAAADDDD feeling about this -- looks way too much like Apple has been drinking Microsoft Kool-Aid. I don't want anything to install itself automatically on a Macintosh...
"All successful systems accumulate parasites" -- Hal Hixon
Did you actually just post a link to a fucking Slashdot story that is about an Apple update that patches THEORETICAL exploits as some sort of Take That comeback???
How fucking sad.
Also, an addendum to my previous post:
Will someone call me when there actually *is* a real world, successful remote exploit on Mac OS X due to an actual flaw in the platform? (And not something like a person enabling ssh on a public network and having an account with username 'test' and password 'test'?)
I love you guys who think Mac OS X is really horribly insecure, and the only reason it has had almost zero problems for over 4 years now isn't because the platform is actually inherently more secure, but is because of its low marketshare. (Funnily, it seems like another version of the "Macs have no software" argument.) I love ya. I really do.
1) It installs it but doesn't start it. You have to open Dashboard, find it in the Wigit catalog, and start it yourself.
2) Widgets run in a sandbox.
3) It's easy to close any Widget. Hold down the Option key, mouse over the Wiget, and the "X" appears allowing you to close it.
Mike from www.myallo.com/blog
You'll also note that many of those flaws revolve around one of the following issues: A) bad data sent to the program causes it to crash (just crash, not expose any security risks) B) server-related issues in non-Apple-made programs such as Apache, and which will rarely be used by end users C) Require the user to either manually add a file to a certain location or authorize another program to add the file to that location. Only one or two actually have any serious end-user effect to them. I'm not one to say that Apple's perfect, but it's also not true to say that all 19 fixed flaws relate to security flaws that will likely affect end users.
Want Slashdot headlines on your site? Try SlashHead
Just setting the permissions to the ~/Library/Widget folder to "Read Only" will do the trick.
Of course, that doesn't mean that it should install widgets for you in the first place...
Just find this guy and kick his ass. Problem fixed, no need to patch shit.
This is why apple is wating a little bit on releasing the first update to tiger, that way they will be able to nip all thoes nasty bugs and oversites in a nice update. Rest assured mac folks, this will get fixed Apple is really up on the security thing and they will problably set it up so that you are asked before installing any widgets. At least no matter how bad the fllaw is it isn't something that can comprimise the system itself.
`B Flicks, `Cool Lick'ah, `Sweet Talk' `in' ManG'
THERE'S the real security hole, IMO.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
But,But,But,M$....Oh, nevermind
Under Preferences>General, uncheck "Open "safe" files automatically"
Should be the default setting. In fact, this shouldn't even be an option. This capability has been the object of a few vulnerabilities.
(%i1) factor(777353);
(%o1) 777353
I don't understand how you can state that there is no way to make a trojan for the MacOS. Are programs in MacOS not allowed to delete files? If the answer is yes (which I assume it is) then yes, a trojan can be made for MacOS. If you haven't found any, then the only thing stopping them is most probably either the fact that there's little point (the marketshare arguement), or that MacOS users aren't going to run it (which may also be related, but more positively for Mac users, to the marketshare arguement).
Dashboard will ask you the first time a third-party widget is run and give you the option of not running it.
What more should Apple do save crippling the functionality of Dashboard for all users?
Jesus was a compassionate social conservative who called individuals to sin no more.
What was the point of setting up a strawman and knocking it down?
Do you feel better now dummy?
I do use Tiger and Safari, but it didn't work on my system. Primarily because in Safari > System Preferences > General, I Unchecked the check box that automatically open's up Safe files, which includes archives (which I do not consider safe).
Another thing I did, was to redirect downloads to a special download folder which has a special Folder Action attached that scans new files for viruses and then changes new files permissions to "No Access" (even if there are no viruses). If I want to open/read a downloaded file I have to change it permissions to read/write, for which I made a single-click Apple script that I dragged in the Finders top bar thingie. Ok I'm slightly paranoid, mainly because IT security is my thing (btw the reason why I switched to Mac OS X last year), But it works.
The glass is half-full. With poison. And there are cracks in the glass. The dirty, dirty glass.
Um, wha???
.command file for Mac OS X, have it autodownloaded on a web page to the user's desktop (which could happen easily by default), and then give them instructions to double click the downloaded file to see a really cool screensaver, but it then does an rm -rf ~, which would require no further prompting, is that some kind of Mac OS X "exploit"? Hardly. It's just as much of an "exploit" as this is.
I NEVER said a trojan can't be made for the MacOS (sic).
In fact, I specifically said "it's definitely possible for Mac OS X to have viruses, worms, trojans, and other malware," and made several references to "trojans" that DO exist, so I have no idea where you got that from.
But a trojan, a social engineering exploit that requires explicit and deliberate user action, is completely uninteresting. That will always be possible on all OSes and all platforms. If I write a
http://www.microsoft.com/technet/security/bulletin /ms04-028.mspx
every day http://en.wikipedia.org/wiki/Special:Random
Well, it turns out I spoke too soon.
I said that Dashboard would prompt you when the widget was run for the first time. It turns out that for auto-installed Safari widgets, it does NOT prompt you the first time the widget is run.
Interesting.
This is indeed a security issue, and it should be made to at least prompt the user.
Considering that ALL other new widgets always prompt when first run, this appears to be a bug, and not the intended behavior.
The temporary fix (and what I always recommend anyway) is to disable "Open 'safe' files after downloading" in Safari.
(Isn't it funny how the only "exploits" people can find for Mac OS X almost always exclusively revolve around social engineering, and never real flaws in the platform itself?)
If this were true, why yes, yes it would be.
Just uncheck the "Open safe files" checkbox in the General section of Safari's preferences. No more widget autoloading.
It's a single user system (my laptop).
It doesn't require them to RUN those widgets - just have them in the widget dock. Frankly, I don't see this as a major problem, especially given the improved security. The widgets don't run as root, and you can't just install anything without proper administrative access.
And Apple will take steps to mitigate the problem.
The fact is, we're not so much angry at MS for having vulnerabilities in the first place. We're angry that there are a) so fucking many of them, and b) they take a long, long time to get fixed.
This is a bad thing, Apple will fix it, we'll all move on while a windows worm accounts for 25% of internet traffic.
In preferences this can be avoided by turning off the "Open 'Safe' Files" option. Simply uncheck the box.
I'll upgrade sometime early in 2006...once all of the bleeding edge bugs have been taken care of. It will still be long before the first release of Longhorn...
I'd like to give him a chance to present his argument. If only he'd give me a chance to read it.
Orationem pulchram non habens, scribo ista linea in lingua Latina.
Yes, this Proof of Concept widget was fortunately deterred under Safari - the payload issued "Format C: /FS:FAT" to the command shell.
"Flyin' in just a sweet place,
Never been known to fail..."
In the interests of getting the message across to the rest of computer-using humanity, can we just drop the rubric of "social engineering" and call it a con? "Social engineering" gives it an aura of false-respectability. Let's not.
HI,
I'm still running Jaguar, too.
While I can't speak for the intial poster, from My perspective:
Panther seemed pretty cool but at the time it was released a new version of the OS, Tiger, was already being aniticpated. There was also a glitch with Panther that eventually was corrected ( FileVault? Encryption?)
Since, I was relatively new to OS X and still use OS 9 most often, I just wanted to get comfortable and up to snuff with X before I resumed the Get It While It is Hot buying pattern. From experience, waiting for a point one update is sound because those major errors are squashed.
The thing is it seemed less important to get Panther as time went on. I think only the core audio stuff and a few other things are required for most 3rd party software updates. Those are all non-essential software for me. So, I don't miss them.
My rational is that waiting a cycle and just buying a debugged Tiger is worth the wait. Every new feature Panther has will be in it plus
"200 extra features" So, by jumping over Panther, I'll get "350 or so features" more than Jaguar.
I'd buy Tiger (X. 10.4.1) when it comes out. Get it all on disk and you can probably wait to see if the 10.5 is going to be groundbreaking or just wallet breaking.
cheers!
There is no Control Panel for Dashboard? .rsrc and source URL metadata) and third party widgets (using similar verifiable info).
If not, that is dumb. I can see needing to tweak preferences from within widgets (if it allows for this) but to not have the ability to change permissions, delete widgets, or make them inactive or even special sets (like OS 9's extension manager or better than APE)...
That is just dumb that you don't get more control. Hell, that is what control panels are for!
When a widget is downloaded, there should be a dialogue box asking if you want it to install. That dialogue box should ask for a password to install. The Dialogue box should also link to a Control panel which lists all of the widgets and allows for easily removing offending widgets and gives options what to install or not to install. Hell, it should open the control panel for you. Show you Apple created (verified by
Obviously, that ain't there in Tiger. So, smack Apple. They need to give security control to the end user instead of Autoinstall?!? WTF!?? They also need to make users better aware of the Control Panels period. So the above solution(s) are a good starting point.
As Seen On TV, are you listening????
I decided to byte the bullet, so to speak, and went to the site. The widget did automagically download, but because I run Speed Download 3, it was simply placed in my download folder.
I don't work or have any affiliation with yazsoft (whoever they are, heh), but I can tell you that if you are running a Mac on a broadband connection, this is MUST HAVE SOFTWARE! I have a fast download connection to the 'net via Time Warner Cable and Earthlink, and I can max the line almost every time I download something (which is about 600KB/sec) with Speed Download 3. It's pretty cool.
"To make a mistake is only human; to persist in a mistake is idiotic." Cicero
Oh that's so funny that the parent is modded "flamebait"! Touch a raw spot on the moderator's ass, I guess!
I knew this was a bad idea from the first time I saw it happen. Safari will warn you that your download MIGHT contain an application, the most annoying alert ever, and you can't turn it off. If somebody can't add simple instructions to copy the file to /Library/Widgets/ or the person can not follow those directions, it should not be installed.
/Library/Widgets/ means any user can use it on the machine. and ~/Library/Widgets/ means it's just for you. It seems as though these widgets are installed in the user's library folder, so they wont automatically run on somebody else's account, so that is somewhat better.
Being a very long time mac user, I prefer to install things myself. Using either installers or dragging a file to its required location, I don't know why, but I just feel better about it. For one I KNOW it's installed where I want it. For example
Overall, Apple should just turn off auto installing of widgets. It's very against what apple customers are used to anyway, so it was very confusing when I downloaded a widget and it wasn't where I expected it to be. Causing me to download it again.
The best option would be that the user has to launch the widget, from wherever it is at the time, and if it isn't in the widgets folder. Then alert the user that this widget isn't in the Widgets folder, and ask if you would like it to be installed either for everyone or just you.
I run BeOS for this reason: Netpostive is so out of date vary little runs in, sometimes even HTML. (Note to mods this is a funny)
So, yes, it does affect Macs, but those of us who are completeloy paranoid are pretty safe.
So basically that leavs out 99.99% of most mac users, who are novices like all other computer users.
Really, apple dropped the ball with this one. They should have made the default to NOT automatically download WITHOUT ASKING, as it currently does default in safari.
I guess somebody takes the time to tighten up your internet settings.
Our maybe you just haven't noticed when you weren't prompted in a theoretically "safe" zone.
But I agree, somebody's copying cool features without thinking.
Actually, you don't have to reboot. Just go to ~/Library/Widgets and delete the offending widget. Then log out and back in again. No reboot required.
gonna send this to all my friends who have a mac
Today has really been a bad day for computer users. All we need next is Yet Another New Windows Exploit/Virus/Trojan/Worm and our day will be complete. :P
Knowledge is power. Knowledge shared is power multiplied.
But a trojan, a social engineering exploit that requires explicit and deliberate user action, is completely uninteresting. That will always be possible on all OSes and all platforms.
That's the thing; a good OS *should* be able to prevent those. The OS should be able to recognize that what claimed to be a screensaver is attempting to access your Quicken files and open a connection to somewhere in Russia, and it would probably be a good idea to deny that and let you know what's going on.
User education is a lost cause. An OS needs to be able to defend against trojans without relying on the user to be particularly intelligent. Unfortunately I have no idea how to actually implement that in a usable manner.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
Safari is a good browser, of course, just as its daddy Konqueror is; it is just that Apple bet on the wrong horse. They should have gone with the Firefox core.
Yes, if goatse.cx is porn...
But either way, if you installed Paranoid Android (direct link) it will ask you to approve the url. And it is opensourced too.
Millions of email viruses and Windows spyware rely on exactly the same thing. That doesn't appear to have slowed them down any. Hell, there was a not-insignificant outbreak of a particular Windows trojan that required users to extract it from a *password protected zip file* before running it.
Isn't it funny how the only "exploits" people can find for Mac OS X almost always exclusively revolve around social engineering, and never real flaws in the platform itself?
Nearly as funny as the people who hold up the 95%+ of Windows "vulnerabilities" that rely on social engineering as proof of its "insecurity".
Good thing it hasn't happened then.
Sure it has. Still does, past and present examples.
Joke or not, your comment is indicative of the denial most Mac users seem to live in- "If it's not Windows, it's secure" and "If I don't hear about it, I must be OK" but the fact is that Mac OS X uses BSD, BSD has holes == Mac OS X has holes. Mac OS X is written by people who want users to have the easiest possible experience using their Mac. As a result, some of the things in place to make usability easier open up holes. This is the same for any OS. Anytime you cater to the user first and security second (or later) you will always ALWAYS provide someone else a way in.
I have no problem with using one OS or another, I use whatever the hell I need to get the job done- to me it's a tool, not a lifestyle. As such, I make sure my tools are safe and pay attention when someone says my OS has a hole or exploit or vulnerability, rather than just refusing to believe it's true.
R(k)
IN SOVIET RUSSIA...some guy kicks ass of YOU!
(Oh christ, why? The karma, it burns like my shame)
1. Close Safari
2. Open a terminal window and type:
defaults write com.apple.Safari AutoOpenSafeDownloads No
3. Open Safari back and enjoy.
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
If you hate the Dashboard and want to get rid of it, just throw Dashboard.app into the Trash and it will never launch again.
but those of us who are completeloy paranoid are pretty safe.
We're still out to get you, you know. With frickin' lasers.
You mean you made a trojan?
I'll alert the media forthwith!!!
Is this "installed" or just put into a certain directory.
If the widget auto-executed, then that would seem like a REALLY bad idea. But, if "installed" just means the widget is placed where Dashboard expects to find widgets, that seems less unsafe.
You would still have to consciously decide to activate the widget in Dashboard, right? At that point you're at the same security level as any widget regardless of where the browser put it on your system.
Still sounds funky, but not like the sky is falling.
"The world is a construct of forceful imagination. Those who don't know walk around in the reailties of those who do"
Whatever. An exploit is an exploit. Patched or not, a hole is a fucking hole.
I use a Mac, I know damn well updates are up to ME to install if I choose so. Any exploit and vulnerability EVER found in a Mac still exists, simply releasing a patch DOES NOT MAKE IT GO AWAY.
Case in point, last week 20 patches for vulnerabilities for 10.3.9 were released. Those are fixed in 10.4. Does that mean the hole is plugged? NO. A patch was released and the new software doesn't have the flaw, but anyone still running 10.3.x without the patches installed is still at risk.
Is it stupid to not install the patch, yes, duh. And yet people on all OSes fail do to just that.
Want me to put up? HERE it's from the holy seat itself.
It's a fact, one you overlook so you can act like an ass instead. Do so if you want, but stop pretending Mac OS is invulnerable.
R(k)
Unfortunately I have no idea how to actually implement that in a usable manner.
Neither does anyone else, which is why such "exploits" are completely uninteresting.
As long as users need the power to do potentially harmful things such as modify or delete files in order to get work done, it will be possible to trick them into doing so. Any "exploit" that relies on tricking the user is not a flaw in the OS, but relies on the gullibility of users.
There is nothing that can possibly stop social engineering of this sort short of an OS that prevents users from ever deleting or modifying files. Maybe one day storage will become so inexpensive that a file system that archives all previous versions of all files will be implemented. Until then, it will always be possibly to trick the user into deleting important files, because the user needs the ability to modify and delete important files (i.e., his own user data) in order to get any work done.
I'm an expert in being human. An expert in posting to slashdot. An expert in designing an ad. An expert in roofing a house. An expert cook. Exactly what particular "non-expert" are you looking for.
How ?
Since the major ingredient for the success of a worm or virus is some ability to spread, witness the fact that there is no way with anything built into Mac OS X to perform automated propagation of a virus, [...]
OS X has exactly the same functionality "built into" the OS to allow code propogation as Windows does - ie: it can run code.
Any hope for automatic propagation would require a comparatively high level of sophistication, and perhaps even its own mail server - not to mention some intrinsic vulnerability to exploit.
Rubbish. All it needs is a way to get the user to execute it, just like that vast majority of Windows "viruses" do. "Free porn" tends to be reasonably effective at achieving this goal.
On the other hand, there are still, to this moment, unfixed vulnerabilities in certain versions of Outlook that will spread certain virus variants simply by previewing a message, and nothing more.
Links ?
The marketshare argument only goes so far. This seems to be a version of the "Macs have no software" argument.
It's not a variation on that argument at all. OS X's *vastly* smaller marketshare has a significant impact on exploits:
Fewer people who can write the code
Fewer machines to target
Hence, much slower infection rates
Hence, much more limited impact
Hence, much easier to contain
The much smaller community also means news of exploits travels faster.
The user demographic is also significant. Macs are more expensive, so the typical Mac owner is more likely to be a higher income earner. This in turn means they're more likely to be better educated, follow the news and actually think before acting (ie: they're less likely to open that program promising free teen b00bies).
But the argument that it's straight cause-and-effect is disingenuous. If this principle were true, the apache web server platform would have far more vulnerabilities than IIS, since apache is by far the most widely used web server on the internet. But not only does apache not have more vulnerabilities, the disparity is laughable.
Stats ? Methodology ? Do you normalise for the higher likelihood Apache is running on systems more likely to be properly maintained ?
This is a perfect example of greater exposure not necessarily equating to increased vulnerabilities.
That's not the argument (indeed the argument that marketshare has anything to do with the *number* of vulnerabilities is ludicrous). The argument is that higher marketshare means any discovered vulnerabilities will spread faster, have a much greater impact and stick around for much longer.
Indeed, your whole rant against the "marketshare" argument is irrelevant because you've started from an incorrect assumption of what the "marketshare" argument means.
We'd definitely see more bad-guy action. Whether any of it is fruitful remains to be seen.
Nor is it ever likely to "be seen", forming a very handy circular, self-supporting argument against the "marketshare argument".
The vast bulk of malware only gets into the system because *the end user* executes it at the behest of web page dialogs, emails, etc. Somehow I can't see that changing were OS X (or even Linux) to become as omnipresent as Windows.
Or are you saying that after a while, security updates will only be available for relatively recent versions of the core OS, meaning you are more-or-less forced to upgrade? If so, how is that any different than the Windows model?
The difference, at least at this point in time, is that Microsoft support old versions of Windows for about seven years, whereas Apple support old versions of OS X for about three, if that.
But there is simply no suitable vector, akin to similar past (or present) vectors on Windows, for mas
I may be missing something, but I don't even HAVE a ~/Library/Widget folder
They must be upset that this isn't another article where they can go on long circle jerk pieces about why the Mac OS is sooo secure, never has any viruses/exploits/spyware/etc or ever will, and that only "M$ Winblowz PeeCee Luzers" get viruses/hacked/spyware/etc.
It really hurts them to hear the truth, and have their little fantasy world getting crushed by reality.
I say this because I just hit the site in Safari and the zip package was downloaded but only sits quietly on my desktop waiting for me to delete it. Why? Because under Safari > Preferences > General I have the stupid 'Open "safe" files automatically' unchecked. This keeps any autoinstallation from occurring, too bad Apple didn't change the new version of Safari to stop using that "safe" file lingo which is incredibly confusing to stupid people who don't read the caveat below or know anything about their computer.
Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
sweet mother of god you're annoying (not to mention wrong)
Then these downloaded executables then get run with all the user's privileges, not in a jail or sandbox. Java may not be perfect, but at least Sun understood they had to run applets with less privileges than user applications.
If by "restart" you mean "restart dashboard" and by run you mean "provide in the dashboard programs bar" and by widget you mean "something limited by the scope of javascript" then yes, it does what you say. Otherwise you're bitching. I understand the idea that Safari shouldn't auto-install things, but it's not like this thing starts arbitrary binaries at boot-time -- it just installs a javascript file, which a user still has to launch, in a specific folder. Get over yourself.
http://www.nonmundane.org/~dspisak/media/slashdot/ howtoprotect.png
Yeah this exploit is sorta lame, but its also trivial to plug in the meantime.
Fascinating article. I installed zaptastic_evil and was amused by it. Very annoying indeed. Widgets simply should not do this.
Just a few points of interest.
1) The widget may automatically download and get copied into the widgets folder, but it is not automatically installed onto the active dashboard. Therefor the user would have to manually click on it. Without knowing the widget is there, the user may not ever notice it. Of course, this is still a security risk, but this isn't the best way to propogate malware.
2) Widgets can be deleted manually as pointed out in the article by going into ~/Library/Widgets and removing the unwanted widget
3) The Dashboard can be reinitialized by killing the Dock. Those not familiar with terminal can just fire up Activity Monitor and kill the Dock there. The Dock immediately relaunches, then Dashboard reinitializes when it is launched again and the offending widgets are gone.
4) Apple should allow us to delete widgets from the dashboard, but the behavior when clicking and dragging a widget off of the Dashboard installs the widget instead of bringing up the delete puff of smoke. This behavior is at odds with every other taskbar/dock/menubar in OS X. I would recommend Apple change this.
5) We ARE dealing with Dashboard 1.0 so there are bound to be bugs needing to be squashed. Personally, I enjoy Dashboard but find it difficult to manage when there are too many widgets deployed. I find myself wishing for Exposé for Dashboard! LOL I also wish that widgets would reinitialize without force quiting the dock and that the dashboard would be a bit more dynamic. Sometimes deleted widgets take a while to disappear off the dashboard as well as newly installed widgets. I look forward to the upcoming 10.4.1 release.
The Splintered Mind - Overcoming
The grandparent was right. There haven't been any exploits. Both you and the link you give confuses the concepts of exploit and vulnerability. Exploit != vulnerability. A vulnerability is only the potential or an exploit, and it often blocked by other security measures in a properly layered security system.
Only allow widgets to access certain websites named in their plist? When the widget starts for the first time warn the user which urls it will attempt to acccess and ask for permission (this would be a useful thing in my opinion anyway system-wide, it should be possible to see which apps are talking to which servers a la Little Snitch and have fine-grained control).
Really though, there are a few things they could do that would make this situation a lot better : -
Safari should not download files from the Internet without warning via javascript/page refresh (why does this work anyway, it was already the cause of another security hole a while ago??).
It should not auto-install widgets. Ever.
The user should be able to remove widgets from Dashboard (not by fiddling in the library folder).
Apple should *never* have given people the impression widgets were anything other than full Applications - this should be clearly stated on their widgets page. They can run arbitrary shell commands and scripts for god's sake, after one innocuous warning dialog.
They should treat all widgets exactly the same as scripts and applications (if you try to have safe and non-safe ones you can bet someone will figure out a way round it). So show the warning about trusting apps on first run. The present dialog just says
'xxx widget is being run for the first time, are you sure you want to run this widget' (User thinks, well yes, that's why I double clicked it). That's all.
Consider a vetting program for widgets (and even applications) so that they have a 'certified clean' listing on the Apple site. A whitelist since you don't like blacklists.
Personally I have changed the permissions on my widgets folder so I'd have to authenticate before installing, however I can't expect my non tech-savvy friends to do this - perhaps I could send them a widget to do it : )
I expect a fix from Apple, but worryingly a few of the 'security' features in Tiger are doing things the wrong way, bombarding the user with different pop-up windows asking for permission for almost every zip file, saying this 'may' be dangerous and we all know what happens when users learn to click OK on several dialogs before they can do anything - they stop reading the dialogs and clickety-click their way to doom.
They need a small number (ideally 1) of consistent dialogs which have the same message - things you download from the internet are not safe, be very careful that you trust the source before running, to be triggered on first run of an app/script/widget.
I've always let safe files be opened by Safari. All this ever seemed to do was autolaunch PDF and media files and autodecompress zip archives. It was nice to have Safari do this for me since it also cleaned up after itself and removed the zip file while leaving the archive I had just downloaded. So automatically opening safe files was something I wanted Safari to do.
.exe files don't do anything on the Mac, obviously. And usually uncompressed "safe" files just sit in the default download directory. Isn't this the first time a form of installation actually occurred using Safari?
:(
Some of you former Windows guys are fairly paranoid, though I can hardly blame you. I've had one virus on my PC in the decade or so that I've used them. I'm very careful on PCs, but never saw the same vulnerability on my Mac. This code (
) is very annoying and I don't like the fact that Safari downloaded that file without my permission. This has happened before when using Safari, but only on sites with PC autodailers or adware installers. Those
Couldn't this be fixed if Apple disabled meta pushed downloading from within Safari and didn't auto install the widgets? Then people like me could keep "Open safe files..." checked. I don't open anything I haven't downloaded on purpose. I'm careful and responsible and like the convenience of auto disk image mounting, etc...
Can't I have my cake and eat it too?
If you go to the secunia site you'll see all the holes have been plugged... Let's take a look at XP, or some other OS? :D
It's not an application, it's a widget. On your preferred browser, are you asked everytime before a flash plugin is downloaded and executed? No, not unless you disable flash. It's similar with these widgets, except they are not executed automatically, only downloaded.
I'm using FlashBlock for Firefox, so yes, I am being asked before the Flash is executed. It's an extension to Firefox, but I believe EVERY browser should have such a fine feature built in. Once you start using it, you'll never miss the obnoxious ads on the net again.
Btw, if images could insert arbitrary code in IE and Firefox, how secure can Flash be against malicious code?
Firefox and Safari use a download management window, making easy to find and open/execute the downloaded files. Even in OS X Tiger this function is more useless, because you could use Spotlight to search for the file. Making easy to make the system insecure to save 2 or 3 keystrokes/clics is crimminal.
Mexico: 100% conservative's America now!
I use a Mac
We could tell from your beret.
"I thought they were the dominant species..."
Convenience and ease of use are two large factors that account for why I use my Macs more than my PC. So I agree with you that the "open safe files" feature is very handy. Usually, this merely opens up files that I clicked on to download, be they zipped archives, PDFs, or disk images. But since Safari can be forced to autodownload files via the meta refresh tag and then autoinstall them if they are dashboard widgets, this convenient feature just became a liability.
Of course, if Apple plugs up the holes "open safe files" can return to its useful state. I think this is the first time we've seen a security hole like this in OSX. It's Windowsian in its scale and incompetence... I am curious to see how quickly Apple fixes this breech.
The Splintered Mind - Overcoming
safari gains activeX support
Real men don't write sigs
oh please kids stop fighting
there are bugs in every os of the world
program your own os if you think you can do it better (which i doubt)
why dont you just post something useful!?
erasmus
Safari isn't explicitly running an installer, it's "opening a safe file after downloading", because it thinks "ZIP" is a safe file. Now, I don't think of "ZIP" as safe, and I don't think browsers should be opening "safe" files anyway because that turns any security hole in the general purpose application involved into a security hole in Safari, but let's set that aside for a moment because there's another question in my mind here...
In Panther and earlier, "ZIP" files are opened by Stuffit Expander. Stuffit Expander has its own problems, like it automatically mounts disk images by default (another thing to turn off while you're turning things off) but I don't think it automatically runs "safe" programs. Not only that, but it predates widgets so wouldn't be expected to automatically install a widget when it saw one.
But in Tiger they don't include Stuffit or Aladding Expander, so presumably they have a different program for handling "ZIP" files. And THAT program would be the one that's automatically running the installer.
Someone with Tiger... what's that program? Because if that program's automatically running installers it's apparently less secure than the old Expander... and that's ANOTHER security problem to wach for.
For the past ten years Microsoft has been trying to keep users from running exploits by warning users when they're doing something that in some circumstances might be an exploit, by having a last-minute dialog that pops up. This has not prevented the spread of viruses and malware, all it's done is teach people to "OK" dialogs. I spent years doing support for Windows users and I can't tell you how many times I got called in after someone's done this.
These kinds of warning dialogs, like the ones they introduced last June to "fix" the LaunchServices hole, DO NOT WORK. They are the computer equivalent of prescribing unnecessary antibiotics. Even if these dialogs could be depended on actually showing up (which they can't), they don't work.
Any browser, or any other application that is used to view untrusted documents, MUST be a completely sandboxed environment. It NUST NOT have any mechanism to automatically pass control on to any environment that is not equally sandboxed, whether it pops up a dialog or not.
In particular, at the very least, a browser MUST NOT do any of the following things:
1. Enable a local access mechanism based only on the location of an object (this is where the Firefox XPI hole comes in, as well as (of course) the whole sorry history of 'cross zone' exploits in IE).
2. Automatically run any desktop applications on downloading a file (this is where "open safe files" fails).
3. Automatically install a plugin (ActiveX, XPI, possibly this Widget exploit... I'm not sure where the actual install is being handled).
4. Use the same list of "helper applications" as the desktop environment (this is where the "help:" hole or the Windows CHM hole came from).
There's lots more, but these are a few of the ones that have recently been exploited. The basic principle is that unless the user explicitly asks you to (and that means more than just clicking OK on a routine dialog box), you MUST NOT pass control to an application that you do not know, for certain, is designed to handle unsafe content.
So, the better solution, is only pass control to things that are intended to handle unsafe objects. That's a much shorter list:
1. Plugins that at some point in time were explicitly installed by the user.
2. Components included with the browser.
3. Helper applications that were explicitly registered for use with untrusted objects. That means "registered with the browser", not "registered with the desktop".
I can't think of anything else. Any other tools, the user should download and manually install themselves. Now that's not certain, I've had a few users download and then explicitly run malware, but it happens an order of magnitude less often and I've yet to have a user do it twice.
When I installed Tiger I thought to myself "why hasn't apple provided a mechanism for Widget management?"
.wdgt extension, and (somehow) gets higher association relevance than the Dock for execution. Then, when a widget is double-clicked on it gets copied directly into ~/Library/Widgets ( Disabled ) -- giving you the chance to enable it or not before the Dashboard gets it.
Secondly, I thought to myself "it would be so easy for a widget to do nasty things"
So, here's what I'm going to do: I'm going to write a preference pane to manage widgets. It'll come in a few phases:
Phase 1) Preference pane which will allow you to turn on/off particular widgets in your ~/Library/Widgets folder by moving turned-off widgets to, say, ~/Library/Widgets (Disabled). I just did a test and discovered that the parent process of Widgets is the Dock, which means that the Dashboard is just a Dock mechanism. So, killing the dock ( politely, even ) will give Dashboard a chance to reload, since the Dock restarts automatically.
Phase 2) Write a widget scanner -- something which greps the widget source for keywords like widget.System() and whatever parameters are required for custom binaries which widgets can run. Now, I recognize I can't tell *what* those calls do, but I can at least put up a big red exclamation point next to the widget in the preference pane saying "This widget is potentially dangerous"
Phase 3) Write a small bundled app to be packaged with the preference pane which associates itself with the
This sounds like a PITA, but Apple shoulda done this in the first place.
Apple: You're drunk on the perceived security of your platform. Don't keep making the stupid mistakes.
A -- potentially better -- option is to have something like an "approved" widget download area. Say, apple's servers, where you know widgets hosted there have been given the thumbs up. Doesn't Firefox do something sort of like this for extensions?
lorem ipsum, dolor sit amet
Why is it that the energizer bunnies parading back and forth about how win xp is better than mac os x, always insert a caveat that they don't really care about which os they use? Note: i only use the term "energizer bunny" for those win xp fanboys who make the utterly lame claim that mac os x relies entirely on security through obscurity, and that the number of exploits is directly proportional to market share (which it's not).
BSD has holes == Mac OS X has hole
Oh? And what part of the BSD subsystem has had holes? OSX uses a different kernel, all tcp/ip exploits are in the hands of OSX developers. All the exploits I've seen for Jaguar involve 3rd party software like sendmail and apache (exempting Apple's own software).
The reality is that while BSD has had some security issues (as does everything), few to none of them have to do with OSX.
The grandparent was right. There haven't been any exploits. Both you and the link you give confuses the concepts of exploit and vulnerability.
Wow, have you got a lot to learn... Did you not read the article AT ALL? Claiming that the apple system is a "properly layered security system" is an opinion, not a fact. Some might agree it is more proper than windows XP. I'm not here to argue wether that is true or not. I'm here to argue that either 1) a properly layered security system doesn't give you a secure system or 2) the MacOS doesn't have a properly layered security system.
One of the above(or possibly both) is true. It is up to you to decide which and quit sitting up on your high horse thinking you are a god for using MacOS.
Your ignorance is infinitely greater than you realize.
Feel better now faggot?
Say hi to your Windows anti-virus and spyware software loser!
I meant they should fix it in not allowing an untrusted remote application to be downloaded on a local computer with no interaction from the user.
/Library/Widgets. No need to restart OS X or Dashboard, it just shows up.
So turn off the ability. In Safari, open Preferences, and on the first tab, de-select 'automatically run "safe" files upon download.' Then, it'll download it, and you can manually install the widget by copying it to
This was one of the first things I tweaked after switching to a Mac. I noticed it'd automatically mount disk image files, and I could see the potential security implication, so I found the checkbox and tunred it off.
It's not rocket science, just basic research.
Doesn't Firefox do something sort of like this for extensions?
Yes, and it's already been used to develop an exploit based on faking Firefox out and making it think that it's downloaded a script from Apple's site.
The RIGHT fix is for the browser to NEVER do anything with any material it sees except (1) handle it completely in its own sandbox, (2) download it to a file and let the user explicitly decide what to do with it on their schedule, or (3) hand it off to an application or plugin that was registered with it (the browser or a registry intended specifically for untrusted content like "Library/Internet Plug-Ins", NOT LaunchServices) as being intended for use with untrusted objects.
That's it. There is no fourth option.
I wrote ...and making it think that it's downloaded a script from Apple's site...
Obviously I meant Mozilla's site.
Where the hell is my proofreader? I even previewed that, and I missed it. BAD HUMAN. NO BISCUIT.
The site DashboardWidgets has moderators review widgets before they are made available for download. While this wouldn't stop subtle trojans (which are not a uniquely widget problem) it will exclude adware, spoofs, and the like.
echo 33676832766569823265328479713269.8639857989Pq | dc
A -- potentially better -- option is to have something like an "approved" widget download area. Say, apple's servers, where you know widgets hosted there have been given the thumbs up.
Ask and ye shall recieve - Mac OS X Downloads - Dashboard
The fix isn't anything so complex.
The fix is to make sure that Safari always prompts you before auto-install or safe open. Especially when it doesn't happen as the result of a GET (as in the example page, check out the refresh header at the top of the source, that's not cool).
I'm sure there are people out there who want reolving porn widgets on their dashboard. More power to them. What's key there is that they want and Safari needs to ensure that it always asks that question.
Slashdot. It's Not For Common Sense
What a self-agggrandizing little twit -- camparing his widgets to nuclear weapons indeed!
NOTE: widget are not automatically activated by default, even they are installed corectly inside Library/Widget folder. This means that the user has to be convinced to run the widget. Moreover, if the widget contains some code, not js (that's may be the fault), Safari warns the user that he is installing an application.
However, it's convenient to disable automatic opening of documents from Safari preferences.
From the download page:
"Apple is providing links to these applications as a courtesy, and makes no representations regarding the applications or any information related thereto. Any questions, complaints or claims regarding the applications must be directed to the appropriate software vendor."
-Mark
The widget doesn't actually run when it's installed! It is simply placed in your dashboard. It won't run until you:
1) Activate Dashboard
2) Press the + sign to turn on widgets
3) Select the widget you want to have turned on
It's essentially the same as opening an unknown file on your desktop, except instead of being on your desktop, it's in the dashboard.
Well, since I'm not quite stupid enough to keep the 'Open "Safe" files after downloading' box checked, then this only resulted in a zip file appearing on my desktop. Not to mention that in Safari on Tiger, it fricken' prompts you whenever you download anything that may contain a program, i.e. a zip file. This bug will only hit the idiots out there. Unfortunately, that includes anyone who doesn't know to turn off the *default* behavior of auto-open downloaded files.
-- JP
Apple has an "approved" widget download area
http://www.apple.com/downloads/macosx/dashboard/
First you can go to preferences in safari and turn off "Open safe files after downloading". However what I did is add the folder action add - New item alert.scpt. Since widgets don't run till you go to dashboard and click on them, this will warn you the second one is added, you can then go to that folder and delete the widget. I think I am going to make my own script that will ask me if I want to keep the widget yes/no, and then delete the file if I say no. I really think apple should turn off auto install. You only need to double click a downloaded widget to install, so they don't need this added "convenience"
Actually, yes, I am, and I love it.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
This is not new, I've watched Apple make a whole series of design decisions that have the potential of putting OS X' security at stake, right from the first version of Safari when it was a beta on Jaguar. Most of these problems are still there, because most of them haven't yet been turned into exploits, or because by themselves they don't lead to an exploit, or because Apple has found a way to stop some particular exploit without fixing the underlying problem.
... and on and on ...
None of them are anywhere near as bad or as deepely embedded as the ones Microsoft has burned into the core of Windows' user interface, but they do show a singular lack of healthy paranoia on Apple's part.
Some hilights: Using Finder for FTP URLs, using LaunchServices for handling URIs, making "open safe downloads" the default, adding warning dialogs to LaunchServices instead of giving apps handling untrusted content their own stripped down database containing only sandboxing applications, internet enabled disk images, adding a warning dialog to the installer instead of treating the installer as an "unsafe" application,
I would rather have Apple define "safe" properly and exclude anything capable of installing itself (or other files) outside of your designated download location.
Web page which drops a visible file on my desktop: not so bad.
Web page which adds anything to my Library folder: bad.
And you can't just make words that have meanings be synonyms when they are not.
You are engaging in sophistry here. I didn't say that a malicious web site could execute dashboard widgets remotely. What I am saying is that the malicious web site can take advantage of a security misdesign in the broswer to persistently alter your system without your awareness or permission. This meets the dictionary definition of "execution", if you must be pedantic, which requires only the ability to carry out instructions, not that these instructions be unlimited in nature. Those instructions may be as little as attaching a mime type to a file, but if they are seen by the bad guys as a way to get your system to do something specific, they're instructions.
Granted, this is, so far, a limited exploit. But it's extremely foolish to discount this out of hand. The Internet is a hostile place for users. People do want to exploit the users and their machines and will actively work to find exploits for any promising hole that is opened. Suppose a sandboxing vulnerability is later found in Apple's ECMAScript implementation, or it's HTML renderer? Just such an exploit bit Microsoft on the ass in the CHM help file format. Black hats work exactly this way -- they exploit things like help files that are viewed by users as inherently benign. Now, combine a vulnerability with automatic installation and a bit of social engineering and you've got the potential for real trouble.
Face it -- this is a screw up. It's not the end of the world, and it's not the worst serious security hole ever found on an operating system, or even in the last year. But in my opinion it's an extremely stupid mistake to make at this point in history, but I suppose honest people might disagree whether it is stupid, and still others might think that having some complete stranger be able to install software on your computer without your knowledge or permission is a good thing.
In any case I think you're taking it too personally that I happen to think Apple screwed up here. Everybody screws up sooner or later, what's it to you?
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Shit. This has been so blown out of proportion is makes me want to explode.
1. NOTHING auto-executes. EVER.
2. Downloaded widgets are automatically placed in ~/Library/Widgets. Big. Fucking. Deal.
3. Thus downloaded widgets show up in the widget list when you go to add one to your dashboard.
4. Again, NOTHING AUTO-EXECUTES.
5. When you click on a newly downloaded widget to add it to your dashboard, a dialog comes up asking you to confirm. THIS IS EXACTLY THE SAME AS DOUBLE-CLICKING A DOWNLOADED PROGRAM FOR THE FIRST TIME.
6. The ONLY difference between downloading a widget and a program is that the widget ends up in ~/Library/Widgets and the program ends up in ~/Desktop.
7. NOTHING FUCKING AUTO-EXECUTES.
8. THERE IS NO SECURITY RISK HERE.
Move along, nothing to see. You've all been trolled damn good.
In other news, malicious websites can display the Goatse picture. APPLE MUST PROTECT US FROM THIS!!!!!!!!!!
Safari moves the "ask what to do" dialog to Dashboard. Dashboard asks what to do before running any new widget for the first time.
THIS IS NOT AN ISSUE AT ALL. GO FUCKING HOME, TROLL WHO WROTE THE ORIGINAL ARTICLE.
And grow a brain, everyone else who took it as fact.
The end result is the same. You can't run a new widget without getting prompted about it.
NO ISSUE, case closed. Go home, trolls.
A widget forkbomb wouldn't be so hard I don't think.
Yes it would. Widgets DON'T RUN UPON INSTALLATION.
Nice try, I know you wanted this to be security risk, but sadly it isn't.
Disclaimer: IANAMUIAAJPAAWXPU (I am not a mac user, I am a Java programmer and a Windows XP user): MS explained on its last two public conferences in Sofia, Bulgaria, that safe by default is a good thing since most users never change the default settings.
Apple has been taking tentative steps along the dark path to the place Microsoft lives since the very first release of Safari. They haven't yet reached the point where it becomes impossible to back out without breaking existing software, but it's just a matter of time.
So, no, this guy isn't a troll, he's just a bit more frustrated than the rest of us.
I've seen several folks making note of the fact that just because the widget gets automatically copied into the "right" folder, it doesn't get launched/activated until the user explicitly does so in Dashboard. While this does provide an extra layer of protection, it's not enough for most users. (I'm not meaning to imply that the commenter I linked to specifically was underestimating the seriousness of this issue, but his comment was the clearest explanation of the widget behavior that wasn't written by AC.)
.Mac service, since Apple likes to put a variety of software in the user's iDisk under the Software folder IIRC. The Applications folder on his G5 was littered with broken apps, disk image files, you name it. The scary thing is, he had no recollection of installing most of these things, nor could he recall giving anyone else control of his machine to install these items. There were things he installed that he didn't even have use for, such as the TiVo Desktop. (That was a bit harder to get rid of than most stuff, because TiVo's software installs a preference pane.)
I learned a painful lesson in user naivity when I visited my father for the holidays. I meant to do a little cleanup on his system, but what I discovered was a complete mess that I could barely scratch the surface of. It looked like he had installed every single demo, crapware, shareware app, and plugin imaginable; he probably got these from Apple's
My father is not an idiot, but he is elderly, and he's not as computer savvy as he sometimes thinks he is. If a naive user can install a bunch of application binaries without really remembering doing so, what's to say that some naive user won't notice a new widget sitting in Dashboard, and activate it out of curiosity to see what it does? After all, Apple's philosophy has always been to encourage users to explore and play around with their computing environment to learn how things work.
Bottom line: The end user can't be trusted. Users can't be trusted not to do perverse things with their systems. Users can't even be trusted not to click on something that's been downloaded, nor can they be trusted not to click on something that's been "helpfully" installed for them.
Idiot.
So does IE. ActiveX controls have ALWAYS prompted.
HAH, yeah, assuming the page wasn't exploiting one of the numerous, patched and/or unpatched vulnerabilities in IE, in order to run the executable without even prompting the user.
I don't use IE, but half-assed ASP on our company's website mandates it for some users. I stood there behind multiple users backs watching a seemingly legitimate website (www.anywho.com, a directory website A/R was using, owned by AT&T/p0wNeD by script kiddies) try to download, and execute an executable that was flagged as a worm (don't remember which one) by our anti-virus software. This is on fully patched, and up to date Windows 2000 boxen. Luckily the damn AV software caught it, 'cause IE didn't bat an eye, as long as Active-X scripting was turned on, it didn't matter what the zone settings were, or if "Active-X prompting" was turned on. I sent numerous flaming e-mails to various standard administrative contact addresses in that domain, after I blocked www.anywho.com on our proxy, haven't been back since.
grep -iw skynet
The reason Windows is so full of malware is because everyone uses it.
Wrong.
The reason Windows is full of malware is because back in the '90s Microsoft came up with this clever scheme to create a loophole in their agreement with the Justice Department about bundling applications with Windows, by merging Internet Explorer with Windows Explorer so you could have fancy HTML-enhanced windows and control panel applets, and so you could use Internet Explorer as a "universal API" and create web pages that automatically installed local native code components that let you do all kinds of nifty things.
Then they found out that people could use this to create web pages that did bad things. And email that looked to the HTML control like it was a local file (because the HTML control didn't know it was just a temp file) so the HTML control gave it local rights. And Microsoft proceeded to spend the next seven or so years trying to pin down the border between "safe places" that could do exciting things and "dangerous places" that couldn't. They called the "safe places" the local security zone, and they called the "dangerous places" the internet security zone. But then they had to create exceptions, and exceptions to those exceptions, and as time went on the whole structure became more and more complex.
Eventually, it got so complex that it was easier to write a stand-alone application and have people download it than to explain to people how to set their ActiveX security settings so they can actually use your nifty ActiveX add-ons. And, of course, they never HAVE been able to pin that border down, because they're trying to make it do so many things...
THAT is why Windows is a swamp. It's not like there was a sudden thousand-fold increase in the number of Windows users in just ONE year in the late '90s, but sometime around 1997 worms and viruses exploded on the scene. And they were all NEW KINDS of exploits, things that had been unthinkable a few years before. There had even been a joke going around about a virus that was launched JUST BY READING YOUR MAIL. It was hilarious, because we all KNEW nobody would EVER write a mail program that had that kind of capability. I mean, really, you'd be nuts to even think about putting things like a general purpose scripting language into a mail reader in a way the email could even potentially get at it.
Before then, pretty much all you needed to do to stay virus free was avoid opening attachments and downloading programs. Oh, sure, occasionally there were things like buffer overflows discovered... but they were relatively rare and they were easy to fix.
Afterwards, all bets were off.
I mean, I watched this happen, and I said "this is going to be a disaster", and they kept on doing it. I DID manage to ban Outlook and IE and other programs that used the HTML control at our office, though. So I know what things were like through about 2003 if you didn't use these programs... and it was amazing. Every few months the whole company went through a spasm of virus alerts, except for our little corner where... nothing happened. Because we weren't using the bits of Windows that makes Windows the huge malware target that it is. Without the HTML control, Windows is actually pretty nice.
But don't expect Microsoft to pull it out.
Just hope Apple steps back from the edge before it's too late.
Not possible, because "requiring the password" is not just an application decision, it's due to a requirement in the OS that you take on admin rights before you perform an operation. If you have to be an admin before you can set the setuid bit you'll force people to have admin rights to do things as simple as run compilers.
Not sufficient because you don't need the execute bit to load and run code in the general case, all the execute bit does is let one system call (exec()) know how to run applications. It's not needed for scripts, plugins, dynamic libraries, patches, haxies, and so on.
Not necessary because just removing the option to automatically open safe files (not you or I turning it off, but Apple removing it) would eliminate most of the potential exploits, and creating a "sandbox applications only" subset of LaunchServices would eliminate most of the rest. Your only exposure would be pure social-engineering attacks, and outright bugs (buffer overflows and stack smashing attacks, for example) that can be fixed without further changes in the API or UI.
That's why you have fucking eyes, numbnuts. Putting files anywhere except the download folder is NOT "safe" behavior.
Err, uhh, so what you're saying is that it's correct for Safari to prompt me before downloading it and running it from a click (that "has an application" prompt is in Safari), but when you put a special meta-refresh, it shouldn't?
Why?
It's not a serious issue, the damage caused is minimal, but these kinds of tiny holes have a way of being part of a larger attack.
Slashdot. It's Not For Common Sense
Why not? You've proven it's possible.
chmod ugo-w ~/Library/Widgets/; sudo chmod ugo-w /Library/Widgets/
Read and learn the MAC OS is a much more secure and roboust OS than Windoze. Anyone to say that windows is more secure than Unix is fooling themselves and is not a tech.
g gedin/bal-mac082803%2C0%2C1353478.column
http://www.baltimoresun.com/technology/custom/plu
Anyone to say that windows is more secure than Unix is fooling themselves and is not a tech.
Anyone who says this isn't a "tech"? Please. You sound like you just got off the schoolbus. You obviously don't have much experience. I'm not defending windows AT ALL. I am simply stating that macOS has proven exploits and proven security holes. Period. End of discussion.
Your ignorance is infinitely greater than you realize.