Slashdot Mirror


Malicious Web Pages Can Install Dashboard Widgets

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.

3 of 610 comments

  1. Like everyone else in the tech industry, by Mordant (Score: 0, Troll)

    the idiots at Apple, completely unheedful and unmindful of prior art and experience - this is especially true of security-related matters - are going about slowly ensuring that OS/X will end up just as full of security holes and vulnerabilities as Windows.

    This is sad; I love my PowerBook, I love OS/X, I'm a *NIX switcher (i.e., not an Apple person, but a *NIX person who switched from Linux to the Mac in order to get the benefits of FreeBSD along with all the goodness of Apple's hardware and multimedia capabilities, not to mention Office).

    Someone needs to whack Jobs over the head and get him to focus his people on security, or the Mac will end up being as full of malware as Windows, solely because Apple programmers are doing stupid things which undermine the solid security foundation of FreeBSD which OS/X was built upon, but which can be bypassed by doing stupid things with the GUI/APIs layered atop it.

  2. Re:Not an exploit by ghoda_x (Score: 0, Troll)

    Isn't it funny how the only "exploits" people can find for Mac OS X almost always exclusively revolve around social engineering, and never real flaws in the platform itself?

    Yes, isn't it? Apple Releases Mega Patch to Fix 19 Flaws
    /sarcasm

    --

    Give me but one firm spot on which to stand, and I will move the earth.
    - Archimedes

  3. Re:Nice try by drsmithy (Score: 0, Troll)

    But the underlying philosophical design principles are fundamentally more secure than Windows, period.

    How?

    Since the major ingredient for the success of a worm or virus is some ability to spread, witness the fact that there is no way with anything built into Mac OS X to perform automated propagation of a virus, [...]

    OS X has exactly the same functionality "built into" the OS to allow code propagation as Windows does - ie: it can run code.

    Any hope for automatic propagation would require a comparatively high level of sophistication, and perhaps even its own mail server - not to mention some intrinsic vulnerability to exploit.

    Rubbish. All it needs is a way to get the user to execute it, just like the vast majority of Windows "viruses" do. "Free porn" tends to be reasonably effective at achieving this goal.

    On the other hand, there are still, to this moment, unfixed vulnerabilities in certain versions of Outlook that will spread certain virus variants simply by previewing a message, and nothing more.

    Links?

    The marketshare argument only goes so far. This seems to be a version of the "Macs have no software" argument.

    It's not a variation on that argument at all. OS X's *vastly* smaller marketshare has a significant impact on exploits:

    - Fewer people who can write the code
    - Fewer machines to target
    - Hence, much slower infection rates
    - Hence, much more limited impact
    - Hence, much easier to contain

    The much smaller community also means news of exploits travels faster.

    The user demographic is also significant. Macs are more expensive, so the typical Mac owner is more likely to be a higher income earner. This in turn means they're more likely to be better educated, follow the news and actually think before acting (ie: they're less likely to open that program promising free teen b00bies).

    But the argument that it's straight cause-and-effect is disingenuous. If this principle were true, the apache web server platform would have far more vulnerabilities than IIS, since apache is by far the most widely used web server on the internet. But not only does apache not have more vulnerabilities, the disparity is laughable.

    Stats? Methodology? Do you normalise for the higher likelihood Apache is running on systems more likely to be properly maintained?

    This is a perfect example of greater exposure not necessarily equating to increased vulnerabilities.

    That's not the argument (indeed the argument that marketshare has anything to do with the *number* of vulnerabilities is ludicrous). The argument is that higher marketshare means any discovered vulnerabilities will spread faster, have a much greater impact and stick around for much longer.

    Indeed, your whole rant against the "marketshare" argument is irrelevant because you've started from an incorrect assumption of what the "marketshare" argument means.

    We'd definitely see more bad-guy action. Whether any of it is fruitful remains to be seen.

    Nor is it ever likely to "be seen", forming a very handy circular, self-supporting argument against the "marketshare argument".

    The vast bulk of malware only gets into the system because *the end user* executes it at the behest of web page dialogs, emails, etc. Somehow I can't see that changing were OS X (or even Linux) to become as omnipresent as Windows.

    Or are you saying that after a while, security updates will only be available for relatively recent versions of the core OS, meaning you are more-or-less forced to upgrade? If so, how is that any different than the Windows model?

    The difference, at least at this point in time, is that Microsoft support old versions of Windows for about seven years, whereas Apple support old versions of OS X for about three, if that.

    But there is simply no suitable vector, akin to similar past (or present) vectors on Windows, for mas