Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Web Pages Can Install Dashboard Widgets

Posted by timothy on from the not-good dept.

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.

14 of 610 comments (clear)

  1. widgets limited by RobertTaylor · · Score: 4, Informative

    this page at Apple's Developer Connection says that a 'widget' cannot ask for any resources or do anything to the filesystem outside of the widgets bundle.

  2. Not much of a problem... by InternationalCow · · Score: 5, Informative

    If you do not tick the "open safe files" check box in the prefs. Which you should left unchecked if you're not entirely stupid, as there is no way to tell whether any file is actually "safe". Good Internet Practice, as I like to call it.

    --
    ----- One learns to itch where one can scratch.
    1. Re:Not much of a problem... by Lars+T. · · Score: 3, Informative
      JPEG files are "safe"

      http://www.kb.cert.org/vuls/id/297462, http://www.linuxsecurity.com/content/view/102413/1 10/

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  3. The solution by Little+Grey · · Score: 5, Informative

    Is to turn off "Open 'Safe' downloads" in Safari's Options.

    It's just common sense anyways

  4. Re:Firefox asks what to do by Bungopolis · · Score: 5, Informative

    This warning applies specifically to Safari. It's obviously not going to affect Firefox, because Firefox does not have the widget auto-installation feature that Safari does. Most users of Tiger, however, are probably using Safari, so this most certainly is dangerous.

  5. Re:Thanks Slashdot! by YrWrstNtmr · · Score: 3, Informative
    FF can be set to d/l automatically. "Do this automatically for files like this from now on." If you've clicked that box in the past, zip files will be automagically downloaded. This will work for any filetype. Automatically play a .wav/mp3 file, or open a .doc, or d/l whatever.

    Dumb to do, but it can be set like that.

  6. Re:Ouch! by justMichael · · Score: 3, Informative
    That seems liek quite a security flaw... Any timeline on it being patched?
    Preferences -> General -> Open "safe" files after downloading (uncheck)

    Problem solved. Having that pref checked is asking for trouble. You can drop whatever you want in my downloads, I'll open it myself when I'm ready.

    Disclaimer: I am not running Tiger, so this may not be 100% correct.
  7. Important correction by daveschroeder · · Score: 5, Informative

    Well, it turns out I spoke too soon.

    I said that Dashboard would prompt you when the widget was run for the first time. It turns out that for auto-installed Safari widgets, it does NOT prompt you the first time the widget is run.

    Interesting.

    This is indeed a security issue, and it should be made to at least prompt the user.

    Considering that ALL other new widgets always prompt when first run, this appears to be a bug, and not the intended behavior.

    The temporary fix (and what I always recommend anyway) is to disable "Open 'safe' files after downloading" in Safari.

  8. Re:Sky not falling, Safari warns user twice. by mithras+the+prophet · · Score: 5, Informative
    Safari will warn you when downloading a widget with cocoa calls in it by saying "widgetname contains an application. Are you sure you want to continue downloading widgetname?". You have the option to abort download and installation.

    Yes, but you won't get that prompt for a widget that doesn't have Cocoa code, but does contain widget.System() calls -- which effectively means it's an application. You could put an executable in your widget, not set the executable bit, but then chmod a+x and run it from widget.System() calls.

    Dashboard will ask you the first time a third-party widget is run and give you the option of not running it.

    It's so bizarre I didn't believe myself at first, but this is not true of widgets that are auto-installed. Try it yourself -- here is my example exploit page with an entire set of widgets that look identical to the Apple widgets. You will be prompted for permission with none of them, including the `Calculator' widget, which makes a widget.System() call and could conceivably have deleted your home directory.

    --
    four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
  9. Re:Ouch! by mithras+the+prophet · · Score: 4, Informative

    I think you already corrected yourself above, but for others reading this, no, it doesn't prompt the user before running an auto-installed widget, which is such a fantastically bad idea I can't believe it didn't occur to anyone what a security flaw that is.

    --
    four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
  10. Dashboard tips by Absentminded-Artist · · Score: 4, Informative

    Fascinating article. I installed zaptastic_evil and was amused by it. Very annoying indeed. Widgets simply should not do this.

    Just a few points of interest.

    1) The widget may automatically download and get copied into the widgets folder, but it is not automatically installed onto the active dashboard. Therefor the user would have to manually click on it. Without knowing the widget is there, the user may not ever notice it. Of course, this is still a security risk, but this isn't the best way to propogate malware.

    2) Widgets can be deleted manually as pointed out in the article by going into ~/Library/Widgets and removing the unwanted widget

    3) The Dashboard can be reinitialized by killing the Dock. Those not familiar with terminal can just fire up Activity Monitor and kill the Dock there. The Dock immediately relaunches, then Dashboard reinitializes when it is launched again and the offending widgets are gone.

    4) Apple should allow us to delete widgets from the dashboard, but the behavior when clicking and dragging a widget off of the Dashboard installs the widget instead of bringing up the delete puff of smoke. This behavior is at odds with every other taskbar/dock/menubar in OS X. I would recommend Apple change this.

    5) We ARE dealing with Dashboard 1.0 so there are bound to be bugs needing to be squashed. Personally, I enjoy Dashboard but find it difficult to manage when there are too many widgets deployed. I find myself wishing for Exposé for Dashboard! LOL I also wish that widgets would reinitialize without force quiting the dock and that the dashboard would be a bit more dynamic. Sometimes deleted widgets take a while to disappear off the dashboard as well as newly installed widgets. I look forward to the upcoming 10.4.1 release.

    --
    The Splintered Mind - Overcoming
  11. Re:Oh but it has, and you've proved part of my poi by BasilBrush · · Score: 3, Informative

    The grandparent was right. There haven't been any exploits. Both you and the link you give confuses the concepts of exploit and vulnerability. Exploit != vulnerability. A vulnerability is only the potential or an exploit, and it often blocked by other security measures in a properly layered security system.

  12. Re:Serves you right by teh+kurisu · · Score: 4, Informative

    No, it's Safari categorising a ZIP archive as safe. To quote Safari:

    "Safe" files include movies, pictures, sounds, PDF and text documents, and disk images and other archives.

    The ZIP archive extracts automatically, and just happens to place the file in ~/Library/Widgets/. Dashboard runs the Widget from there.

    You're right, it's not safe. I think the solution to this should be to first of all disable the whole opening safe files functionality by default. The second should be to declassify archive files as 'safe' (with the exception of disk images), because it makes it easy to write files in this way.

    Personally I've set administrator priveledges on my ~/Library/Widgets/ folder so that I now need to enter a password to write to it.

  13. So turn it off by __aafutm5472 · · Score: 3, Informative

    I meant they should fix it in not allowing an untrusted remote application to be downloaded on a local computer with no interaction from the user.

    So turn off the ability. In Safari, open Preferences, and on the first tab, de-select 'automatically run "safe" files upon download.' Then, it'll download it, and you can manually install the widget by copying it to /Library/Widgets. No need to restart OS X or Dashboard, it just shows up.

    This was one of the first things I tweaked after switching to a Mac. I noticed it'd automatically mount disk image files, and I could see the potential security implication, so I found the checkbox and tunred it off.

    It's not rocket science, just basic research.