Malicious Web Pages Can Install Dashboard Widgets
bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.
But wait! I thought Mac was nigh-invulnerable!
That seems like quite a security flaw... Any timeline on it being patched?
I LIKE TOAST!!!
Macs have security issues too? Who'd a thunk it!
So the worst case scenario is that the icon in the dashboard bar is pornographic? I'm going back to windows instantly, because with windows, I can also immediately dial-up to a porn site, eat that Apple! (no pun intended)
It's true that it's too easy to install a widget with safari, because it unzips and installs automatically, but it can't do any harm but to your eyes..
Still, some sort of warning with a preview would be a good idea.
but you'd also have to have the "open safe items" turned on in safari prefs, and that is kinda dumb.
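The two settings the comments above turn on (Safari's "open safe files" preference and the widget folders the download lands in) can be audited from the shell. This is an added defender-side example, not code from the thread or from the Zaptastic author; it assumes the real Safari preference key `AutoOpenSafeDownloads` and the standard `~/Library/Widgets` and `/Library/Widgets` locations, and the widget bundles in the test are constructed.

```shell
#!/bin/sh
# Added example: audit a Mac for Dashboard widgets that may have arrived via
# Safari's automatic unzip-and-install of "safe" downloads.
# Assumptions: Safari stores the "Open safe files after downloading" checkbox
# under com.apple.Safari/AutoOpenSafeDownloads; widgets live as *.wdgt bundles
# in ~/Library/Widgets (per-user) and /Library/Widgets (system-wide).

# list_widgets DIR... : print every *.wdgt bundle directly under the given dirs
list_widgets() {
  for d in "$@"; do
    [ -d "$d" ] || continue
    for w in "$d"/*.wdgt; do
      [ -e "$w" ] && printf '%s\n' "$w"
    done
  done
  return 0
}

# widget_count DIR... : number of widget bundles found (0 when none)
widget_count() {
  list_widgets "$@" | wc -l | tr -d ' '
}

# auto_open_enabled : succeeds when Safari will open "safe" downloads by itself.
# If the preference cannot be read (missing key, non-Mac host) it is treated as
# enabled, which was the shipped default and is the conservative assumption.
auto_open_enabled() {
  v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
  [ "$v" = "1" ]
}

# audit_widgets : human-readable report of the exposure described in the thread
audit_widgets() {
  if auto_open_enabled; then
    echo "WARNING: Safari opens 'safe' downloads automatically; a .wdgt in a zip"
    echo "         will be unpacked into ~/Library/Widgets without a prompt."
  else
    echo "OK: Safari does not auto-open downloads."
  fi
  for d in "$HOME/Library/Widgets" /Library/Widgets; do
    echo "Widgets in $d: $(widget_count "$d")"
    # ls -ld shows the install time; an unfamiliar, recently dated bundle is
    # the thing to investigate (and remove, then log out/in to unload it).
    list_widgets "$d" | while read -r w; do ls -ld "$w"; done
  done
}
```

Run `audit_widgets` on the Mac in question; the report is informational only and makes no changes.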
Pablo Picasso was never called an asshole. Not like you.
That's interesting, I just tried it with IE, Firefox, and Opera, and all of them simply displayed the standard dialog asking to download the file. Might be worth noting I'm just running XP SP1 though.
D'OH! That about sums it up.
-Tom
I don't care how many remote root vulnerabilities there are if the services that have said vulnerabilities are never even enabled. There have been numerous theoretical remote root exploits in service that ship with OS X. But the services that are affected are, quite literally, almost NEVER ENABLED for the lifetime of the machines in question. So, point 1, that "every Mac in existence" is affected, is completely wrong. To say nothing of the fact that statistically speaking, the vanishingly small relative minority of machines that DO have the service enabled are probably behind a personal firewall/router. In other words, the level of exposure and potential for remote exploitation of the VAST majority of Mac OS X machines is somewhere between zero and nil.
And your other general point about "popularity" is answered below. Nice troll, though.
On this subject, last year I answered a query raised during a Chronicle of Higher Education colloquy. I believe it touches on the major issues here.
Question from Lisa L. Spangenberg, UCLA:
Given that there are no viruses or Trojan horses for the current Macintosh system, OS X 10.3, and given that it is essentially UNIX, and given that the most common applications (Microsoft Office Suite, Adobe applications) work very well on OS X, why don't more institutions adopt Macs and encourage faculty to use them?
Gregory A. Jackson:
Well, first of all, there are viruses and Trojans that afflict MacOS, witness Apple's periodic release of security fixes to counteract them.
First, that isn't true, regarding viruses. To date, there are no known viruses that specifically target Mac OS X. Last week's "trojan" was nothing more than an application with a different icon and misleading name that displayed a dialog box (which was an example posted to a USENET Mac programming group to illustrate this fact that has been known and possible on Mac OS for over twenty years; an antivirus vendor apparently thought this an appropriate time to dress it up, incorrectly, as some new, terrible exploit easily adapted for malicious means, when in reality it's nothing more than an application).
If you're referring more broadly to security issues in general, almost all of the security and security-related updates for Mac OS X to date have been updates for primarily server-type services that ship with the OS, all of which are disabled by default, and the lion's share of which are never even enabled, much less touched, on the vast majority of systems. I'm not saying that they should be ignored, but Apple's comprehensive and swift response to the most minor security issues does not rise to the level of the staggeringly numerous, sometimes completely automated, remote exploits, worms, and so on for Windows. It is no longer possible to even get through a full installation of Windows XP on a machine connected to a public network without it being exploited before you even have a chance to patch it.
It's definitely possible for Mac OS X to have viruses, worms, trojans, and other malware - Mac OS X is not invulnerable, and no sensible person would claim it to be. But the underlying philosophical design principles are fundamentally more secure than Windows, period. Since the major ingredient for the success of a worm or virus is some ability to spread, witness the fact that there is no way with anything built into Mac OS X to perform automated propagation of a virus, and no current known ways to exploit a machine remotely, not to mention that potentially exploitable network services are disabled to begin with anyway (and remain that way unless explicitly enabled), a stark contrast to Windows. Any hope for automatic propagation would require a comparatively high level of sophistication, and perhaps even its own mail server - not to mention some intrinsic vulnerability to exploit. On the other hand, there are still, to this moment, unfixed vulnerab
http://shit.slashdot.org/article.pl?sid=05/05/08/2131208
Also from TFA:
"That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard."
Nothing will be executed unless the user explicitly runs it by dragging the widget from the widget bar to the dashboard.