Malicious Web Pages Can Install Dashboard Widgets
bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.
magine porn sites auto-installing adware widgets without your knowledge.
Yes, but do they install porn?
-SJ53
If people would just run a secure OS like Linux or Windows, they wouldn't be hit with attacks like this. When will people learn?
with somethingorother.zip. Interesting, but not dangerous.
Oh well, what the hell...
this page at Apple's Developer Connection says that a 'widget' cannot ask for any resources or do anything to the filesystem outside of the widget's bundle.
This is what happens when you tie together parts of the OS that shouldn't be put together. In particular, has apple not realised that having the browser tied to anything that expects local rather than remote content is fundamentally an incredibly stupid idea?
I am trolling
Apple copies Microsoft.....
I'm running Jaguar!
I can't afford to buy all the Apple "upgrades of the month."
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
I know that Windows usually posts security fixes and doesn't address spyware exploits specifically in many cases -- it'll be interesting to see if Apple addresses this in 10.4.1 or if we see a patch sooner (or later!)
Yeah... I'm imagining those porn sites.........
If you do not tick the "open safe files" check box in the prefs, which you should leave unchecked if you're not entirely stupid, as there is no way to tell whether any file is actually "safe". Good Internet Practice, as I like to call it.
----- One learns to itch where one can scratch.
Is to turn off "Open 'Safe' downloads" in Safari's Options.
It's just common sense anyways
"imagine porn sites auto-installing adware widgets without your knowledge." I guess Mac users can now blame their browsers for the pr0n popping up on their computers as well.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
Looks like he was nice and made us a goatse.cx widget. Too bad I don't have Tiger yet... :'(
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
it's not totally evil.
It installs the widget, but does not activate it.. it just makes it available.
Further, widgets do run in a sandbox, and require user approval to execute if they want to do certain things (like erase your HD).
Honestly, apple should have said "would you like to install this widget?".. that would be sensible and courteous.
First, when a widget starts to download, Tiger prompts me and says "This download contains an application, do you want to continue?" That should be the first dead giveaway.
Secondly, while the OS DOES copy downloaded widgets to the Widgets folder in the Users directory, the widgets do not become active until you actually activate them. (Of course there's nothing stopping you from using the same name and icon as ...say Calculator).
Getting widgets to do complex system-level stuff you WANT them to do is tough enough.
Dumb to do, but it can be set like that.
Problem solved. Having that pref checked is asking for trouble. You can drop whatever you want in my downloads, I'll open it myself when I'm ready.
Disclaimer: I am not running Tiger, so this may not be 100% correct.
If there's anything that Slashdot has taught us, it's that it's never safe to use your computer.
Safari is uber paranoid about other filetypes now -- if you download a tar or a dmg it says "warning, this file may contain an application, are you sure you want to uncompress this?" It didn't do this before Tiger.
The unzip/install widgets thing wasn't a conscious decision. This is clearly a bug.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
With this new addition to Safari under Tiger, Apple has made a large step in catching up with Microsoft Windows...
Now the script kiddies won't feel as limited in their options in annoying Mac users just like they do MS Windows users.
A nice, new, open window (no pun intended) for the black hats to use... *sigh*
--
Tomas
imagine porn sites auto-installing adware widgets without your knowledge
Imagine it? I'm a Windows/IE user...I live it!
Click OnLine, BBC's tech show:
http://stream.servstream.com/ViewWeb/BBCWorld/File/worl_click_030505_show_hi.rm?Media=60506
Cole asks Apple manager: is Dashboard a big rip off of Konfabulator?
Apple manager's response:um, er...Desk..Accessory...um...things......from before....like
I'm just glad I'm running Firefox under Windows. No need for me to worry about nefarious web sites.
Yes, I know that Dashboard programs cannot (supposedly) affect the filesystem outside of their bundle. And I know that if you uncheck the "automatically open downloaded blah blah blah" then Safari won't do that.
But the default is not secure! And that's what will cause the computer to do "weird" stuff like the above; the same type of stuff that annoys Windows users and gets them thinking about buying a Mac next time. (Four people at work have already bought a new Mac specifically because of past problems with malicious code in Windows.)
Since OS X is based on UNIX, providing rock-solid security for non-security-conscious users shouldn't be any trouble at all. The mechanism is all there; all Apple needs to change is the policies of the default install, and nearly all users will be safe from crap like this.
First, downloaded files should, by default, not be opened automatically. If the user wishes to change this setting, it's the user's responsibility. Second, any downloaded files, bundles, scripts, etc., should not have the execute bit set by default. When the user tries to run it for the first time, OS X will ask for the password, like it does when you install X11 or Final Cut or something. Only then will the execute bit be set. This is not a small inconvenience; rather, it is a huge convenience. Sure, you have to type a password to run a downloaded program for the first time, but that's only as annoying as finding out the bank put an extra $10,000 in your account by mistake. And your computer won't suddenly acquire programs/spyware/malware/adware/viruses and other nice stuff that you didn't intend it to acquire. This is extremely convenient. It's an additional level of security for safety-conscious parents who use Tiger's new child-safety features. It's good for owners of computers with multiple users, who don't want people to run arbitrary code that came from God knows where.
Apple could and should take this a step further. At some point, people will find ways to screw up Macs with programs/spyware/malware/adware/viruses, especially if they become pretty popular. Apple could prevent this before it happens. Provide an online database of MD5 sums of binaries for OS X, and provide a mechanism in the OS to report bad software and where it came from. Perhaps people could post a comment with their claim. The system would be moderated by the community, so good software won't end up listed as bad. There are plenty of Mac zealots who would participate. When you try to run any program for the first time, whether it comes from the Internet, a CD, or wherever, OS X might first compute the MD5 sum and compare it to the online database. If the MD5 matches, OS X will warn the user and perhaps allow the user to browse the comments posted about this program. Comments like, "This program sends all keystrokes to the goatse site!" The user can then decide whether to run the program or clean it off the system. Not connected to the Internet? The database shouldn't be that large... When you install OS X, the latest version could be placed on the HDD, and when you connect, it could automatically update it. Bam... Pretty good protection against the spyware problem, BEFORE it comes to the Mac. Proactive... not reactive like the Microsoft crowd.
I use Macs, Linux, and the BSDs.
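The first-run check proposed in the post above, worked through as an added example (this is constructed for illustration, not Apple code and not the poster's own): a download arrives without the execute bit, its MD5 is looked up in a local copy of a "known bad" list, and only an unlisted file is granted `u+x`. The blocklist format (`<md5>  <comment>`) and the sample entry are invented for the demo. MD5 is used because that is what the post proposes; a defender building this today would pick SHA-256 and a signed list, since MD5 collisions are practical.

```shell
#!/bin/sh
# Constructed example of the first-run check proposed above: a downloaded file
# starts without the execute bit; before it is granted, its MD5 is looked up in
# a local copy of a "known bad" list. Not Apple code; the list format and the
# sample entries are invented for this demo.

# file_digest FILE -> MD5 hex digest (md5sum on Linux, md5 on Mac OS X)
file_digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_first_run FILE BLOCKLIST
# Blocklist lines are "<md5>  <comment>". Returns 0 and sets u+x if the digest
# is unknown; returns 1 and leaves the file non-executable if it is listed.
check_first_run() {
    file=$1
    blocklist=$2
    digest=$(file_digest "$file")
    if hit=$(grep -i "^$digest[[:space:]]" "$blocklist"); then
        echo "BLOCKED  $file: ${hit#*  }"
        return 1
    fi
    chmod u+x "$file"
    echo "ALLOWED  $file ($digest)"
}

# --- constructed demo data: two "downloads" and a one-entry blocklist ---
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho hello\n' > "$demo_dir/good.sh"
printf '#!/bin/sh\necho not hello\n' > "$demo_dir/bad.sh"
chmod 644 "$demo_dir"/*.sh            # downloads arrive without the execute bit
printf '%s  This program sends all keystrokes to a remote site (constructed entry)\n' \
    "$(file_digest "$demo_dir/bad.sh")" > "$demo_dir/blocklist.txt"

for f in good.sh bad.sh; do
    check_first_run "$demo_dir/$f" "$demo_dir/blocklist.txt" || true
done
```

The point the post makes about offline use carries over: the lookup is against a local file, so the check works without a network connection and only the list itself needs refreshing.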
Yeah, but "unchecked" should be the default.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Troll?
What is so great about the integration between Safari and Dashboard and what's so bad about the integration between Internet Explorer and ActiveX? Why should a web browser be allowed to automatically download and install certain types of programs remotely? These programs could access the Internet, too. I can see a lot of problems with this. Imagine widgets displaying pop-up advertisements, hardcore porn widgets, spyware widgets, you name it... I don't think that these widgets have the power to format hard drives, but the integration of the web browser and external programs is very troublesome to me. Look no further than Internet Explorer and ActiveX if you want an example.
To say a kind of cleaned-up version of what the parent poster said, operating system and desktop designers and programmers should look very carefully at the features that they are adding to the program before they release it to the public. Security should be a major concern, especially if those programs are directly tied to network connections. Programs connected to the Internet should never be integrated with system functions such as installation; that's how you get Internet Explorer and ActiveX. I expected Apple to have a little more sense in feature consideration and design, but I was disappointed. Hopefully they fix this in Tiger 10.4.1 before this becomes more widespread.
This can't possibly be true.
Everyone knows that Linux and OS X are perfect and only Windows has security exploits.
Let's get it right people! You're slipping!
Just setting the permissions to the ~/Library/Widget folder to "Read Only" will do the trick.
Of course, that doesn't mean that it should install widgets for you in the first place...
Just find this guy and kick his ass. Problem fixed, no need to patch shit.
This is why Apple is waiting a little bit on releasing the first update to Tiger, that way they will be able to nip all those nasty bugs and oversights in a nice update. Rest assured, Mac folks, this will get fixed. Apple is really up on the security thing and they will probably set it up so that you are asked before installing any widgets. At least no matter how bad the flaw is it isn't something that can compromise the system itself.
`B Flicks, `Cool Lick'ah, `Sweet Talk' `in' ManG'
How is this insightful? Having it on does not create a security hole. Security holes are created by flaws in the design but where is the real flaw here? All I see is FUD.
Jesus was a compassionate social conservative who called individuals to sin no more.
Watch Activity Monitor. It doesn't launch until the first time you call it up. Disable the key commands to bring it up and it'll never start.
I do use Tiger and Safari, but it didn't work on my system. Primarily because in Safari > System Preferences > General, I unchecked the check box that automatically opens up Safe files, which includes archives (which I do not consider safe).
Another thing I did was to redirect downloads to a special download folder which has a special Folder Action attached that scans new files for viruses and then changes new files' permissions to "No Access" (even if there are no viruses). If I want to open/read a downloaded file I have to change its permissions to read/write, for which I made a single-click AppleScript that I dragged into the Finder's top bar thingie. OK, I'm slightly paranoid, mainly because IT security is my thing (btw the reason why I switched to Mac OS X last year), but it works.
The glass is half-full. With poison. And there are cracks in the glass. The dirty, dirty glass.
Well, it turns out I spoke too soon.
I said that Dashboard would prompt you when the widget was run for the first time. It turns out that for auto-installed Safari widgets, it does NOT prompt you the first time the widget is run.
Interesting.
This is indeed a security issue, and it should be made to at least prompt the user.
Considering that ALL other new widgets always prompt when first run, this appears to be a bug, and not the intended behavior.
The temporary fix (and what I always recommend anyway) is to disable "Open 'safe' files after downloading" in Safari.
How is this insightful? Having it on does not create a security hole. Security holes are created by flaws in the design but where is the real flaw here? All I see is FUD.
FUD? What is one of the first things you should do to lock down any box? How about turning off any unnecessary services. Things that you can't turn off are one of the things people blast Windows for all the time. Why should any other OS be any different?
And even if the program poses no risk, if I don't use it, why would I want it sitting there chewing up system resources?
"Safe" files are supposed to be non-executable files. Safari preferences state "Safe files include movies, pictures, sounds, PDF and text documents, and disk images and other (ZIP, .Sit, .rar) archives."
Widgets seem to be considered "safe" but this could change in a patch.
So does IE. ActiveX controls have ALWAYS prompted.
And with XP SP2 (released in AUGUST) unsigned binaries simply can't be installed, and the default is "NO" for signed binaries...
Somebody thought they had a cool feature and didn't think about the consequences.
Um, never? Because it actually prompts you and asks you if you're sure you want to run it?
So the fact that IE does the same thing for, say, ActiveX and has similar options for control is consistently ignored on /. in the name of the great Jihad, but an exactly similar (or worse) Apple problem gets apologists running.
So amusing.
--> Fight tyranny and repression.... read
Yes, but you won't get that prompt for a widget that doesn't have Cocoa code, but does contain widget.System() calls -- which effectively means it's an application. You could put an executable in your widget, not set the executable bit, but then chmod a+x and run it from widget.System() calls.
It's so bizarre I didn't believe myself at first, but this is not true of widgets that are auto-installed. Try it yourself -- here is my example exploit page with an entire set of widgets that look identical to the Apple widgets. You will be prompted for permission with none of them, including the `Calculator' widget, which makes a widget.System() call and could conceivably have deleted your home directory.
four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
I think you already corrected yourself above, but for others reading this, no, it doesn't prompt the user before running an auto-installed widget, which is such a fantastically bad idea I can't believe it didn't occur to anyone what a security flaw that is.
First, I have seen Windows install software without the user being prompted, right at work. They ask me when a pop-up ad comes up and looks like a regular dialog box.
Second, ActiveX is a cool feature and nobody thought of the consequences at MSFT. There were reports in the late 90's about ActiveX showing its potential for harm. It took a few years, but guess what, people.
I will give MSFT this much: at least a full third of the crap they have to deal with is stupid users. And stupid users can fsck up any OS.
It's just harder to maintain control when windows apps require admin settings.
i thought once I was found, but it was only a dream.
Today has really been a bad day for computer users. All we need next is Yet Another New Windows Exploit/Virus/Trojan/Worm and our day will be complete. :P
Knowledge is power. Knowledge shared is power multiplied.
Is it "exactly" or is it "similar"?
Or is it "worse"?
I'm confused here but I'm not running. Of course I'm not an apologist either.
Whether you're talking about IE or Safari the same thing holds true. Saying "yes" when you're prompted despite not knowing what you're installing means you're a fucking moron and you deserve whatever you get.
Appended to the end of comments you post. 120 chars.
But a trojan, a social engineering exploit that requires explicit and deliberate user action, is completely uninteresting. That will always be possible on all OSes and all platforms.
That's the thing; a good OS *should* be able to prevent those. The OS should be able to recognize that what claimed to be a screensaver is attempting to access your Quicken files and open a connection to somewhere in Russia, and it would probably be a good idea to deny that and let you know what's going on.
User education is a lost cause. An OS needs to be able to defend against trojans without relying on the user to be particularly intelligent. Unfortunately I have no idea how to actually implement that in a usable manner.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
Yes, if goatse.cx is porn...
But either way, if you installed Paranoid Android (direct link) it will ask you to approve the url. And it is open-sourced too.
Millions of email viruses and Windows spyware rely on exactly the same thing. That doesn't appear to have slowed them down any. Hell, there was a not-insignificant outbreak of a particular Windows trojan that required users to extract it from a *password protected zip file* before running it.
Isn't it funny how the only "exploits" people can find for Mac OS X almost always exclusively revolve around social engineering, and never real flaws in the platform itself?
Nearly as funny as the people who hold up the 95%+ of Windows "vulnerabilities" that rely on social engineering as proof of its "insecurity".
Good thing it hasn't happened then.
Sure it has. Still does, past and present examples.
Joke or not, your comment is indicative of the denial most Mac users seem to live in- "If it's not Windows, it's secure" and "If I don't hear about it, I must be OK" but the fact is that Mac OS X uses BSD, BSD has holes == Mac OS X has holes. Mac OS X is written by people who want users to have the easiest possible experience using their Mac. As a result, some of the things in place to make usability easier open up holes. This is the same for any OS. Anytime you cater to the user first and security second (or later) you will always ALWAYS provide someone else a way in.
I have no problem with using one OS or another, I use whatever the hell I need to get the job done- to me it's a tool, not a lifestyle. As such, I make sure my tools are safe and pay attention when someone says my OS has a hole or exploit or vulnerability, rather than just refusing to believe it's true.
R(k)
IN SOVIET RUSSIA...some guy kicks ass of YOU!
(Oh christ, why? The karma, it burns like my shame)
If you hate the Dashboard and want to get rid of it, just throw Dashboard.app into the Trash and it will never launch again.
Is this "installed" or just put into a certain directory.
If the widget auto-executed, then that would seem like a REALLY bad idea. But, if "installed" just means the widget is placed where Dashboard expects to find widgets, that seems less unsafe.
You would still have to consciously decide to activate the widget in Dashboard, right? At that point you're at the same security level as any widget regardless of where the browser put it on your system.
Still sounds funky, but not like the sky is falling.
"The world is a construct of forceful imagination. Those who don't know walk around in the realities of those who do"
Whatever. An exploit is an exploit. Patched or not, a hole is a fucking hole.
I use a Mac, I know damn well updates are up to ME to install if I choose so. Any exploit and vulnerability EVER found in a Mac still exists, simply releasing a patch DOES NOT MAKE IT GO AWAY.
Case in point, last week 20 patches for vulnerabilities for 10.3.9 were released. Those are fixed in 10.4. Does that mean the hole is plugged? NO. A patch was released and the new software doesn't have the flaw, but anyone still running 10.3.x without the patches installed is still at risk.
Is it stupid to not install the patch? Yes, duh. And yet people on all OSes fail to do just that.
Want me to put up? HERE it's from the holy seat itself.
It's a fact, one you overlook so you can act like an ass instead. Do so if you want, but stop pretending Mac OS is invulnerable.
R(k)
These downloaded executables then get run with all the user's privileges, not in a jail or sandbox. Java may not be perfect, but at least Sun understood they had to run applets with less privileges than user applications.
http://www.nonmundane.org/~dspisak/media/slashdot/howtoprotect.png
Yeah this exploit is sorta lame, but its also trivial to plug in the meantime.
Fascinating article. I installed zaptastic_evil and was amused by it. Very annoying indeed. Widgets simply should not do this.
Just a few points of interest.
1) The widget may automatically download and get copied into the widgets folder, but it is not automatically installed onto the active dashboard. Therefore the user would have to manually click on it. Without knowing the widget is there, the user may not ever notice it. Of course, this is still a security risk, but this isn't the best way to propagate malware.
2) Widgets can be deleted manually as pointed out in the article by going into ~/Library/Widgets and removing the unwanted widget
3) The Dashboard can be reinitialized by killing the Dock. Those not familiar with terminal can just fire up Activity Monitor and kill the Dock there. The Dock immediately relaunches, then Dashboard reinitializes when it is launched again and the offending widgets are gone.
4) Apple should allow us to delete widgets from the dashboard, but the behavior when clicking and dragging a widget off of the Dashboard installs the widget instead of bringing up the delete puff of smoke. This behavior is at odds with every other taskbar/dock/menubar in OS X. I would recommend Apple change this.
5) We ARE dealing with Dashboard 1.0 so there are bound to be bugs needing to be squashed. Personally, I enjoy Dashboard but find it difficult to manage when there are too many widgets deployed. I find myself wishing for Exposé for Dashboard! LOL I also wish that widgets would reinitialize without force quitting the dock and that the dashboard would be a bit more dynamic. Sometimes deleted widgets take a while to disappear off the dashboard as well as newly installed widgets. I look forward to the upcoming 10.4.1 release.
The Splintered Mind - Overcoming
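Points 2 and 3 of the post above (remove the unwanted bundle from ~/Library/Widgets, then restart the Dock so Dashboard re-reads the folder) as an added shell example. This is constructed for illustration, not the poster's own script and not Apple code; the allowlist-of-known-widgets idea and the `WIDGETS_DIR` override are assumptions made so the functions can be exercised on a scratch directory rather than a live Dashboard.

```shell
#!/bin/sh
# Constructed example of the cleanup steps in the post above (points 2 and 3):
# inventory ~/Library/Widgets, report bundles that are not on an allowlist,
# delete one by name, and restart the Dock so Dashboard forgets it.
# Not Apple code. WIDGETS_DIR can be overridden to test on a scratch directory.

WIDGETS_DIR=${WIDGETS_DIR:-$HOME/Library/Widgets}

# list_widgets -> bundle names currently present in WIDGETS_DIR, one per line
list_widgets() {
    for b in "$WIDGETS_DIR"/*.wdgt; do
        [ -d "$b" ] && basename "$b"
    done
}

# unexpected_widgets ALLOWLIST_FILE -> names present but not listed (exact match)
unexpected_widgets() {
    list_widgets | grep -vxF -f "$1"
}

# remove_widget NAME -> delete the bundle; accepts a bare *.wdgt name only,
# never a path, so a stray "../" cannot steer rm outside WIDGETS_DIR
remove_widget() {
    case $1 in
        *.wdgt) ;;
        *) echo "refusing: $1 is not a .wdgt bundle name" >&2; return 1 ;;
    esac
    case $1 in
        */*) echo "refusing: $1 contains a path separator" >&2; return 1 ;;
    esac
    rm -rf "$WIDGETS_DIR/$1"
}

# restart_dashboard -> Dashboard is hosted by the Dock (as the post notes);
# on Mac OS X, killing the Dock makes it relaunch and re-read WIDGETS_DIR.
# Does nothing on other systems.
restart_dashboard() {
    if [ "$(uname)" = Darwin ]; then
        killall Dock
    else
        echo "(not Mac OS X: skipping Dock restart)"
    fi
}

# --- constructed demo: three bundles, two of them expected ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/Calculator.wdgt" "$demo_dir/Weather.wdgt" "$demo_dir/zaptastic.wdgt"
printf 'Calculator.wdgt\nWeather.wdgt\n' > "$demo_dir/allowlist.txt"
WIDGETS_DIR=$demo_dir
echo "unexpected widgets:"
unexpected_widgets "$demo_dir/allowlist.txt"
```

On a real machine run `unexpected_widgets` first, `remove_widget` for each name you do not recognise, and `restart_dashboard` last; the allowlist is just the output of `list_widgets` captured on a day you trust the folder.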
The grandparent was right. There haven't been any exploits. Both you and the link you give confuse the concepts of exploit and vulnerability. Exploit != vulnerability. A vulnerability is only the potential for an exploit, and it is often blocked by other security measures in a properly layered security system.
I use a Mac
We could tell from your beret.
"I thought they were the dominant species..."
When I installed Tiger I thought to myself "why hasn't apple provided a mechanism for Widget management?"
Secondly, I thought to myself "it would be so easy for a widget to do nasty things"
So, here's what I'm going to do: I'm going to write a preference pane to manage widgets. It'll come in a few phases:
Phase 1) Preference pane which will allow you to turn on/off particular widgets in your ~/Library/Widgets folder by moving turned-off widgets to, say, ~/Library/Widgets (Disabled). I just did a test and discovered that the parent process of Widgets is the Dock, which means that the Dashboard is just a Dock mechanism. So, killing the dock ( politely, even ) will give Dashboard a chance to reload, since the Dock restarts automatically.
Phase 2) Write a widget scanner -- something which greps the widget source for keywords like widget.System() and whatever parameters are required for custom binaries which widgets can run. Now, I recognize I can't tell *what* those calls do, but I can at least put up a big red exclamation point next to the widget in the preference pane saying "This widget is potentially dangerous"
Phase 3) Write a small bundled app to be packaged with the preference pane which associates itself with the .wdgt extension, and (somehow) gets higher association relevance than the Dock for execution. Then, when a widget is double-clicked on it gets copied directly into ~/Library/Widgets ( Disabled ) -- giving you the chance to enable it or not before the Dashboard gets it.
This sounds like a PITA, but Apple shoulda done this in the first place.
Apple: You're drunk on the perceived security of your platform. Don't keep making the stupid mistakes.
A -- potentially better -- option is to have something like an "approved" widget download area. Say, apple's servers, where you know widgets hosted there have been given the thumbs up. Doesn't Firefox do something sort of like this for extensions?
lorem ipsum, dolor sit amet
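The "Phase 2" widget scanner sketched in the post above, as an added example. This is constructed for illustration and is not the poster's preference pane or Apple code. It assumes the real Dashboard layout: a widget is a `*.wdgt` directory, its JavaScript reaches the shell through `widget.system()` (the post's `widget.System()`), and the bundle's `Info.plist` must opt into that with an `AllowSystem` key. The three sample bundles at the bottom are constructed test data. As the post says, a grep cannot tell what a call does, only that the capability is present, so the output is a review list, not a verdict.

```shell
#!/bin/sh
# Constructed "Phase 2" widget scanner in the spirit of the post above.
# Not the poster's preference pane and not Apple code.
# Assumed layout: widgets are *.wdgt directories; widget.system() is the
# JavaScript-to-shell bridge; Info.plist opts into it with AllowSystem = true.

# widget_risk_flags BUNDLE -> prints one flag per line for each risky trait found
widget_risk_flags() {
    bundle=$1
    # 1. any JS/HTML source invoking widget.system(
    if find "$bundle" -type f \( -name '*.js' -o -name '*.html' \) \
            -exec grep -li 'widget\.system[[:space:]]*(' {} + 2>/dev/null | grep -q .; then
        echo "system-call"
    fi
    # 2. Info.plist grants the widget.system capability
    plist=$bundle/Info.plist
    if [ -f "$plist" ] && grep -A1 '<key>AllowSystem</key>' "$plist" 2>/dev/null | grep -q '<true/>'; then
        echo "allow-system"
    fi
    # 3. executable files shipped inside the bundle (the post's "custom binaries")
    if find "$bundle" -type f -perm -u+x | grep -q .; then
        echo "embedded-executable"
    fi
}

# scan_widgets DIR -> one line per flagged widget, "<name>: <flags>";
# returns 0 if nothing was flagged, 1 otherwise
scan_widgets() {
    flagged=0
    for bundle in "$1"/*.wdgt; do
        [ -d "$bundle" ] || continue
        flags=$(widget_risk_flags "$bundle" | tr '\n' ' ')
        if [ -n "$flags" ]; then
            echo "$(basename "$bundle"): $flags"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]
}

# --- constructed demo data: one plain widget, one that can reach the shell ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/Clock.wdgt" "$demo_dir/Calculator.wdgt"
printf 'function tick() { document.getElementById("t").innerText = new Date(); }\n' \
    > "$demo_dir/Clock.wdgt/Clock.js"
printf '<plist version="1.0"><dict>\n<key>CFBundleIdentifier</key>\n<string>example.clock</string>\n</dict></plist>\n' \
    > "$demo_dir/Clock.wdgt/Info.plist"
printf 'function calc() { widget.system("/usr/bin/uname -a", null); }\n' \
    > "$demo_dir/Calculator.wdgt/Calculator.js"
printf '<plist version="1.0"><dict>\n<key>AllowSystem</key>\n<true/>\n</dict></plist>\n' \
    > "$demo_dir/Calculator.wdgt/Info.plist"
printf '#!/bin/sh\necho helper\n' > "$demo_dir/Calculator.wdgt/helper.sh"
chmod 755 "$demo_dir/Calculator.wdgt/helper.sh"

scan_widgets "$demo_dir" || echo "(review the widgets listed above)"
```

Run it against `~/Library/Widgets` as `scan_widgets "$HOME/Library/Widgets"`; a widget that looks like Apple's Calculator but carries `system-call` and `allow-system` is exactly the case the thread worries about.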
BSD has holes == Mac OS X has hole
Oh? And what part of the BSD subsystem has had holes? OSX uses a different kernel, all tcp/ip exploits are in the hands of OSX developers. All the exploits I've seen for Jaguar involve 3rd party software like sendmail and apache (exempting Apple's own software).
The reality is that while BSD has had some security issues (as does everything), few to none of them have to do with OSX.
The grandparent was right. There haven't been any exploits. Both you and the link you give confuses the concepts of exploit and vulnerability.
Wow, have you got a lot to learn... Did you not read the article AT ALL? Claiming that the apple system is a "properly layered security system" is an opinion, not a fact. Some might agree it is more proper than windows XP. I'm not here to argue whether that is true or not. I'm here to argue that either 1) a properly layered security system doesn't give you a secure system or 2) the MacOS doesn't have a properly layered security system.
One of the above(or possibly both) is true. It is up to you to decide which and quit sitting up on your high horse thinking you are a god for using MacOS.
Your ignorance is infinitely greater than you realize.
I meant they should fix it in not allowing an untrusted remote application to be downloaded on a local computer with no interaction from the user.
So turn off the ability. In Safari, open Preferences, and on the first tab, de-select 'automatically run "safe" files upon download.' Then, it'll download it, and you can manually install the widget by copying it to /Library/Widgets. No need to restart OS X or Dashboard, it just shows up.
This was one of the first things I tweaked after switching to a Mac. I noticed it'd automatically mount disk image files, and I could see the potential security implication, so I found the checkbox and turned it off.
It's not rocket science, just basic research.