Malicious Web Pages Can Install Dashboard Widgets
bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.
This is what happens when you tie together parts of the OS that shouldn't be put together. In particular, has apple not realised that having the browser tied to anything that expects local rather than remote content is fundamentally an incredibly stupid idea?
I am trolling
There is no such thing as a secure OS, all Operating systems have flaws.
True, true. But hasn't apple learned anything from MS? Automatically running/installing *anything* from the internet is a bad, bad idea. And a widget could, in theory, do things like make widget pop up ads, revolving goatse/tubgirl widget, etc.
Basically, bad apple bad. Fix.
The solution to spyware on windows is to turn off activex in internet explorer and set it to run as guest...
It's just common sense.
Seriously though this is a very bad idea and apple needs to fix this ASAP.
No, it should be pretty easy to tell what is a "safe" file. PDF, for example, is a safe file, as is HTML, as is a GIF. A dashboard widget is NOT.
Apple really screwed up with allowing dashboard widgets to be listed as a "safe" file and they need to patch this as soon as possible. This is one of the big problems with IE, that they went from "autoopen anything, even unsafe stuff" to "warn you about viruses when you try to download ANYTHING, including a PDF". Clearly identifying what is safe is as important as identifying what is unsafe, otherwise people just double-click everything they download not realizing it's a .app.
I meant they should fix it in not allowing an untrusted remote application to be downloaded on a local computer with no interaction from the user.
First, when a widget starts to download, Tiger prompts me and says "This download contains an application, do you want to continue?" That should be the first dead giveaway.
Secondly, while the OS DOES copy downloaded widgets to the Widgets folder in the Users directory, the widgets do not become active until you actually activate them. (of course there's nothing stopping you from using the same name and icon as...say Calculator).
Getting widgets to do complex system-level stuff you WANT them to do is tough enough.
Which you should leave unchecked if you're not entirely stupid
I always thought that one of Apple's selling points was that they are made for non-experts. So giving users an option to potentially shoot their foot off seems to be a little unfortunate. Almost by definition, few people are experts.
-- Mike
Safari is uber paranoid about other filetypes now-- if you download a tar or a dmg it says "warning, this file may contain an application, are you sure you want to uncompress this?" It didn't do this before Tiger.
The unzip/install widgets thing wasn't a conscious decision. This is clearly a bug.
That's quite apt. And I imagine you will be modded down due to the OS in question here.
When a Windows OS exploit is discovered there are thousands of zealots who scream "USE LINUX, STUPID" and "I use a Mac, there are no exploits for my OS" but whenever either of those OSes is found to have a flaw, those zealots are awfully quiet.
The best thing for me reading the comments so far has been the Mac users who point out that settings can be changed to allow or deny this action. They treat that like it's a magic feature only Mac has, when the truth of the matter is shit like that can be turned off in Windows also.
All of the common OSes can be locked down tight, IF THE USER CHOOSES TO. Every OS ships with the potential to be exploited, and even if it comes out the box secure, the user can always undo that.
I guess the difference when it's a Mac OS, it's a big deal because someone actually bothered to write something malicious for a small segment of the computer population.
This is actually a good thing though. It lets all of you Mac users know that the security you've been taking for granted is only as good as long as there is no attention to you.
Looks like this is changing.
R(k)
Yeah, but "unchecked" should be the default.
No, because as you said, out of the box security is important. Mac OS X has no services running out of the box; Windows had several exploitable ones prior to XP SP2 (which I give them credit for doing a good job with).
As for this vulnerability, it is Safari categorizing a Dashboard widget as "safe" when it clearly isn't. Yes, it's a vulnerability, one with an exploit already shown, and it needs to be fixed NOW. No one is saying Apple is perfect or OS X is immune, but so far there has been very little to point to in Apple's track record.
What's really important is Apple's response. Anyone post this in RADAR yet? "As Seen On TV", any thoughts from your unique position?
I don't know what kind of crack I was on, but I suspect it was decaf.
So does IE. ActiveX controls have ALWAYS prompted.
And with XP SP2 (released in AUGUST) unsigned binaries simply can't be installed, and the default is "NO" for signed binaries...
Somebody thought they had a cool feature and didn't think about the consequences.
Um, never? Because it actually prompts you and asks you if you're sure you want to run it?
So the fact that IE does the same thing for, say, ActiveX and has similar options for control is consistently ignored on /. in the name of the great Jihad but an exactly similar (or worse) Apple problem gets apologists running.
So amusing.
It certainly makes you wonder -- what was apple thinking? How many years have there been security issues with ActiveX? How could anybody with an IQ above tepid water possibly think an autoinstallation feature is a good idea in a web browser at this late date?
Is it "exactly" or is it "similar"?
Or is it "worse"?
I'm confused here but I'm not running. Of course I'm not an apologist either.
Whether you're talking about IE or Safari the same thing holds true. Saying "yes" when you're prompted despite not knowing what you're installing means you're a fucking moron and you deserve whatever you get.
Good thing it hasn't happened then.
Sure it has. Still does, past and present examples.
Joke or not, your comment is indicative of the denial most Mac users seem to live in- "If it's not Windows, it's secure" and "If I don't hear about it, I must be OK" but the fact is that Mac OS X uses BSD, BSD has holes == Mac OS X has holes. Mac OS X is written by people who want users to have the easiest possible experience using their Mac. As a result, some of the things in place to make usability easier open up holes. This is the same for any OS. Anytime you cater to the user first and security second (or later) you will always ALWAYS provide someone else a way in.
I have no problem with using one OS or another, I use whatever the hell I need to get the job done- to me it's a tool, not a lifestyle. As such, I make sure my tools are safe and pay attention when someone says my OS has a hole or exploit or vulnerability, rather than just refusing to believe it's true.
R(k)
It still fills up your hard drive with possibly malicious crap. If that's ok for you Apple didn't do anything wrong even this time.
Certainly the cleanup and prevention is easy, but the fact that Safari downloads widgets automatically without user intervention/request is incredibly stupid, even more than the autoinstall -this is already stupid-, the guys who put those "features" on a fairly secure, wonderful and useful system should be fired; this is sheer incompetence, and a disservice for the rest of the fine, great OS X team. What the hell were they thinking? This should have been scrapped in the design phase of Dashboard.
I read this 5 hours ago and still I'm amazed. I say this as a -otherwise- happy mac user, and someone that made 6 friends switch to the mac.
When I installed Tiger I thought to myself "why hasn't apple provided a mechanism for Widget management?"
Secondly, I thought to myself "it would be so easy for a widget to do nasty things"
So, here's what I'm going to do: I'm going to write a preference pane to manage widgets. It'll come in a few phases:
Phase 1) Preference pane which will allow you to turn on/off particular widgets in your ~/Library/Widgets folder by moving turned-off widgets to, say, ~/Library/Widgets (Disabled). I just did a test and discovered that the parent process of Widgets is the Dock, which means that the Dashboard is just a Dock mechanism. So, killing the dock ( politely, even ) will give Dashboard a chance to reload, since the Dock restarts automatically.
Phase 2) Write a widget scanner -- something which greps the widget source for keywords like widget.System() and whatever parameters are required for custom binaries which widgets can run. Now, I recognize I can't tell *what* those calls do, but I can at least put up a big red exclamation point next to the widget in the preference pane saying "This widget is potentially dangerous"
Phase 3) Write a small bundled app to be packaged with the preference pane which associates itself with the .wdgt extension, and (somehow) gets higher association relevance than the Dock for execution. Then, when a widget is double-clicked on it gets copied directly into ~/Library/Widgets ( Disabled ) -- giving you the chance to enable it or not before the Dashboard gets it.
This sounds like a PITA, but Apple shoulda done this in the first place.
Apple: You're drunk on the perceived security of your platform. Don't keep making the stupid mistakes.
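A scanner of the kind the Phase 2 comment above sketches, as an added example and not the commenter's code: it walks a widgets folder, flags any .wdgt bundle whose Info.plist sets AllowSystem or whose HTML/JS source calls widget.system() (the lowercase name the Dashboard API uses), and builds two constructed sample bundles in a temp dir so it runs offline. The ~/Library/Widgets default and the "Clock"/"Zap" bundle names are assumptions for the demo.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Two signals that a widget can run commands on the host: the AllowSystem key
# in its Info.plist and a call to widget.system() anywhere in its HTML/JS.
SYSTEM_CALL = re.compile(r"widget\.system\s*\(", re.IGNORECASE)
SOURCE_SUFFIXES = {".js", ".html", ".htm"}

def scan_widget(bundle: Path) -> dict:
    """Inspect one .wdgt bundle and list why (if at all) it looks dangerous."""
    reasons = []
    plist = bundle / "Info.plist"
    if plist.is_file():
        with plist.open("rb") as fh:
            info = plistlib.load(fh)
        if info.get("AllowSystem"):
            reasons.append("Info.plist sets AllowSystem")
    for src in bundle.rglob("*"):
        if src.is_file() and src.suffix.lower() in SOURCE_SUFFIXES:
            if SYSTEM_CALL.search(src.read_text(errors="replace")):
                reasons.append(f"{src.relative_to(bundle)} calls widget.system()")
    return {"widget": bundle.name, "dangerous": bool(reasons), "reasons": reasons}

def scan_widget_dir(root="~/Library/Widgets") -> list:
    """Scan every *.wdgt bundle directly under root (assumed default path)."""
    root = Path(root).expanduser()
    found = [scan_widget(b) for b in root.glob("*.wdgt") if b.is_dir()]
    return sorted(found, key=lambda r: r["widget"])

def build_sample_widgets(root) -> Path:
    """Write two constructed demo bundles: a benign clock and one that shells out."""
    root = Path(root)
    benign, shelly = root / "Clock.wdgt", root / "Zap.wdgt"
    benign.mkdir(parents=True, exist_ok=True)
    with (benign / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "example.clock"}, fh)
    (benign / "Clock.js").write_text("function tick() { setInterval(draw, 1000); }\n")
    shelly.mkdir(parents=True, exist_ok=True)
    with (shelly / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "example.zap", "AllowSystem": True}, fh)
    (shelly / "Zap.js").write_text("widget.system('/bin/ls ~', function (r) {});\n")
    return root

def demo_scan() -> list:
    """Build the constructed bundles in a temp dir and scan them."""
    return scan_widget_dir(build_sample_widgets(tempfile.mkdtemp()))
```

Calling scan_widget_dir() with no argument scans the real ~/Library/Widgets folder; demo_scan() only touches the temp dir it creates.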
A -- potentially better -- option is to have something like an "approved" widget download area. Say, apple's servers, where you know widgets hosted there have been given the thumbs up. Doesn't Firefox do something sort of like this for extensions?