Malicious Web Pages Can Install Dashboard Widgets

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.

yes but...

magine porn sites auto-installing adware widgets without your knowledge.

Yes, but do they install porn?
-SJ53

Re:yes but...

[mike518]

"magine porn sites auto-installing adware widgets without your knowledge."

i dont need to imagine, im running windows xp.

widgets limited

[RobertTaylor]

this page at Apple's Developer Connection says that a 'widget' cannot ask for any resources or do anything to the filesystem outside of the widgets bundle.

Re:widgets limited

[ender81b]

True, true. But hasn't apple learned anything from MS? Automatically running/installing *anything* from the internet is a bad, bad idea. And a widget could, in theory, do things like make widget pop up ads, revolving goatse/tubgirl widget, etc.

Basically, bad apple bad. Fix.

Re:widgets limited

[antibryce]

True, but widgets can run external programs if certain permissions are set. The most insane part is that the widget itself sets the permissions it's allowed to have. Putting a key in the Info.plist file with "AllowFullAccess" set to "Yes" will allow the widget to run anything, access the network, etc. Basically at that point it's a full featured app. How hard would it be to make a widget that's invisible but periodically queries Safari's browser history, or songs played in itunes, or do a spotlight search for "password" and email the results to some guy in Russia? The widget could even be invisible to the user, with a 1x1 transparent gif as it's screen.

It seems really really dumb in this light to have Safari not only automatically download zip files, but uncompress them and if it finds a Widget bundle inside to install it. All without user intervention.

Re:widgets limited

[ender81b]

I meant they should fix it in not allowing an untrusted remote application to be downloaded on a local computer with no interaction from the user.

Re:widgets limited

[Arrgh]

It's not a bad idea per se to automatically download and run stuff from the Internet, but any software designed to do so had better be designed and implemented properly. The dozens (hundreds?) of "cross-site scripting" bugs that have surfaced in popular browsers in the past few years are evidence that this is rarely done well. Java's 10 year old sandbox design has been quite successful, and Flash has followed a substantially similar design.

Unfortunately, code signing, as currently implemented and (mis)understood by users, is an all-or-nothing proposition. There are certainly legitimate uses for privileged mobile code, but most users don't really read or understand security warning dialogs, they just think "I just clicked the Start Game button, and now it's asking me if I really want to Start the Game. How stupid."

Marimba actually came up with a good partial solution ages ago. When their framework loaded and executed a Java app, the framework would closely manage exactly what resources could be exploited by the app. Each application's ability to read and write files was restricted by default to its own tiny corner of the filesystem, and the amount of space it could occupy with its files was constrained as well.

Note that Java's security manager infrastructure has allowed these sorts of fine-grained controls since 1.2 (circa 1998), but no one to my knowledge has yet found a way to effectively communicate to a user:

• what resources a given piece of mobile code will want to exploit;
• what the risks of running it might be;
• some assurance that the code is published by someone they trust;

...While maintaining some degree of user-friendliness. It's a tough problem.

MSIE's concept of local policies set according to centrally defined security zones was a step in the right direction; it's too bad its development stalled when the Browser War was "won."

Too integrated

[m50d]

This is what happens when you tie together parts of the OS that shouldn't be put together. In particular, has apple not realised that having the browser tied to anything that expects local rather than remote content is fundamentally an incredibly stupid idea?

In soviet russia

[zkn]

Apple copies Microsoft.....

Not much of a problem...

[InternationalCow]

If you do not tick the "open safe files" check box in the prefs. Which you should left unchecked if you're not entirely stupid, as there is no way to tell whether any file is actually "safe". Good Internet Practice, as I like to call it.

Re:Not much of a problem...

No, it should be pretty easy to tell what is a "safe" file. PDF, for example, is a safe file, as is HTML, as is a GIF. A dashboard widget is NOT.

Apple really screwed up with allowing dashboard widgets to be listed as a "safe" file and they need to patch this as soon as possible. This is one of the big problems with IE, that they went from "autoopen anything, even unsafe stuff" to "warn you about viruses when you try to download ANYTHING, including a PDF". Clearly identifying what is safe is as important as identifying what is unsafe, otherwise people just double-click everything they download not realizing it's a .app.

Re:Not much of a problem...

[Mike+McTernan]

Which you should left unchecked if you're not entirely stupid

I always thought that one of Apple's selling points was that they are made for non-experts. So giving users an option to potentially shoot their foot off seems to be a little unfortunate. Almost by definition, few people are experts.

The solution

[Little+Grey]

Is to turn off "Open 'Safe' downloads" in Safari's Options.

It's just common sense anyways

Re:The solution

[ender81b]

The solution to spyware on windows is to turn off activex in internet explorer and set it to run as guest...

It's just common sense.

Seriously though this is a very bad idea and apple needs to fix this ASAP.

Re:Serves you right

[Janitha]

There is no such thing is a secure OS, all Operating systems have flaws.

Re:Firefox asks what to do

[Bungopolis]

This warning applies specifically to Safari. It's obviously not going to affect Firefox, because Firefox does not have the widget auto-installation feature that Safari does. Most users of Tiger, however, are probably using Safari, so this most certainly is dangerous.

Re:Thanks Slashdot!

[jericho4.0]

Oh. My. God. There's a zip file on your desktop. Holy Shit. A zip file, for Christ's sake! What will your fate be? Long and painful, or medium and painful? How will your family go on?

Several levels of control

[pelorus]

First, when a widget starts to download, Tiger prompts me and says "This download contains an application, do you want to continue?" That should be the first dead-giveaweay.

Secondly, while the OS DOES copy downloaded widgets to the Widgets folder in the Users directory, the widgets do not become active until you actually activate them. (of course there's nothing stopping you from usign the same name and icon as ...say Calculator).

Getting widgets to do complex system-level stuff you WANT them to do is tough enough.

O Great Oracle of Slashdot

[Dachannien]

If there's anything that Slashdot has taught us, it's that it's never safe to use your computer.

Re:Serves you right

[EtherAlchemist]

That's quite apt. And I imagine you will be modded down due to the OS in question here.

When a Windows OS exploit is discovered there are thousands of zealots who scream "USE LINUX, STUPID" and "I use a Mac, there are not exploits for my OS" but whenever either of those OSes is found to have a flaw, those zealots are awfully quiet.

The best thing for me reading the comments so far has been the Mac users who point out that settings can be changed to allow or deny this action. They treat that like it's a magic feature only Mac has, when the truth of the matter is shit like that can be turned off in Windows also.

All of the common OSes can be locked down tight, IF THE USER CHOOSES TO. Every OS ships with the potential to be exploited, and even if it comes out the box secure, the user can always undo that.

I guess the difference when it's a Mac OS, it's a big deal because someone actually bothered to write something malicious for a small segment of the computer population.

This is actually a good thing though. It's lets all of you Mac users know that the security you've been takeing for granted is only as good as long as their is no attention to you.

Looks like this is changing.

Imagine it?

imagine porn sites auto-installing adware widgets without your knowledge

Imagine it? I'm a Windows/IE user...I live it!

Re:Ouch!

[mrchaotica]

Yeah, but "unchecked" should be the default.

Re:Serves you right

[diamondsw]

No, because as you said, out of the box security is important. Mac OS X has no services running out of the box; Windows had several exploitable ones prior to XP SP2 (which I give them credit for doing a good job with).

As for this vulnerability, it is Safari categorizing a Dashboard widget as "safe" when it clearly isn't. Yes, it's a vulnerability, one with an exploit already shown, and it needs to be fixed NOW. No one is saying Apple is perfect or OS X is immune, but so far there has been very little to point to in Apple's track record.

What's really important is Apple's response. Anyone post this in RADAR yet? "As Seen On TV", any thoughts from your unique position?

Didn't work on my system

[1nhuman]

I do use Tiger and Safari, but it didn't work on my system. Primarily because in Safari > System Preferences > General, I Unchecked the check box that automatically open's up Safe files, which includes archives (which I do not consider safe).

Another thing I did, was to redirect downloads to a special download folder which has a special Folder Action attached that scans new files for viruses and then changes new files permissions to "No Access" (even if there are no viruses). If I want to open/read a downloaded file I have to change it permissions to read/write, for which I made a single-click Apple script that I dragged in the Finders top bar thingie. Ok I'm slightly paranoid, mainly because IT security is my thing (btw the reason why I switched to Mac OS X last year), But it works.

Important correction

[daveschroeder]

Well, it turns out I spoke too soon.

I said that Dashboard would prompt you when the widget was run for the first time. It turns out that for auto-installed Safari widgets, it does NOT prompt you the first time the widget is run.

Interesting.

This is indeed a security issue, and it should be made to at least prompt the user.

Considering that ALL other new widgets always prompt when first run, this appears to be a bug, and not the intended behavior.

The temporary fix (and what I always recommend anyway) is to disable "Open 'safe' files after downloading" in Safari.

Re:Ouch!

[LO0G]

So does IE. ActiveX controls have ALWAYS prompted.

And with XP SP2 (released in AUGUST) unsigned binaries simply can't be installed, and the default is "NO" for signed binaries...

Somebody thought they had a cool feature and didn't think about the consequences.

Re:Ouch!

[soulhuntre]

Um, never? Because it actually prompts you and asks you if you're sure you want to run it?

So the fact that IE does the same thing for, say, ActiveX and has similar options for control is consistently ignored on /. int he name of the great Jihad but a exactly similar (or worse) Apple problem gets apologists running.

So amusing.

Re:Sky not falling, Safari warns user twice.

[mithras+the+prophet]

Safari will warn you when downloading a widget with cocoa calls in it by saying "widgetname contains an application. Are you sure you want to continue downloading widgetname?". You have the option to abort download and installation.

Yes, but you won't get that prompt for a widget that doesn't have Cocoa code, but does contain widget.System() calls -- which effectively means it's an application. You could put an executable in your widget, not set the executable bit, but then chmod a+x and run it from widget.System() calls.

Dashboard will ask you the first time a third-party widget is run and give you the option of not running it.

It's so bizarre I didn't believe myself at first, but this is not true of widgets that are auto-installed. Try it yourself -- here is my example exploit page with an entire set of widgets that look identical to the Apple widgets. You will be prompted for permission with none of them, including the `Calculator' widget, which makes a widget.System() call and could conceivably have deleted your home directory.

Re:Ouch!

[mithras+the+prophet]

I think you already corrected yourself above, but for others reading this, no, it doesn't prompt the user before running an auto-installed widget, which is such a fantastically bad idea I can't believe it didn't occur to anyone what a security flaw that is.

Oh but it has, and you've proved part of my point

[EtherAlchemist]

Good thing it hasn't happened then.

Sure it has. Still does, past and present examples.

Joke or not, your comment is indicative of the denial most Mac users seem to live in- "If it's not Windows, it's secure" and "If I don't hear about it, I must be OK" but the fact is that Mac OS X uses BSD, BSD has holes == Mac OS X has holes. Mac OS X is written by people who want users to have the easiest possible experience using their Mac. As a result, some of the things in place to make usability easier open up holes. This is the same for any OS. Anytime you cater to the user first and security second (or later) you will always ALWAYS provide someone else a way in.

I have no problem with using one OS or another, I use whatever the hell I need to get the job done- to me it's a tool, not a lifestyle. As such, I make sure my tools are safe and pay attention when someone says my OS has a hole or exploit or vulnerability, rather than just refusing to believe it's true.

Afraid that won't work cuz...

[NoData]

IN SOVIET RUSSIA...some guy kicks ass of YOU!

(Oh christ, why? The karma, it burns like my shame)

Dashboard tips

[Absentminded-Artist]

Fascinating article. I installed zaptastic_evil and was amused by it. Very annoying indeed. Widgets simply should not do this.

Just a few points of interest.

1) The widget may automatically download and get copied into the widgets folder, but it is not automatically installed onto the active dashboard. Therefor the user would have to manually click on it. Without knowing the widget is there, the user may not ever notice it. Of course, this is still a security risk, but this isn't the best way to propogate malware.

2) Widgets can be deleted manually as pointed out in the article by going into ~/Library/Widgets and removing the unwanted widget

3) The Dashboard can be reinitialized by killing the Dock. Those not familiar with terminal can just fire up Activity Monitor and kill the Dock there. The Dock immediately relaunches, then Dashboard reinitializes when it is launched again and the offending widgets are gone.

4) Apple should allow us to delete widgets from the dashboard, but the behavior when clicking and dragging a widget off of the Dashboard installs the widget instead of bringing up the delete puff of smoke. This behavior is at odds with every other taskbar/dock/menubar in OS X. I would recommend Apple change this.

5) We ARE dealing with Dashboard 1.0 so there are bound to be bugs needing to be squashed. Personally, I enjoy Dashboard but find it difficult to manage when there are too many widgets deployed. I find myself wishing for Exposé for Dashboard! LOL I also wish that widgets would reinitialize without force quiting the dock and that the dashboard would be a bit more dynamic. Sometimes deleted widgets take a while to disappear off the dashboard as well as newly installed widgets. I look forward to the upcoming 10.4.1 release.

Re:Dashboard tips

[Kyusaku+Natsume]

Certainly the cleanup and prevention is easy, but the fact that Safari downloads automatically widgets without user intervention/request is incredibly stupid, even more than the autoinstall -this is already stupid-, the guys who put those "features" on an fairly secure, wonderful and useful system sould be fired; this is seer incompetence, and a disservice for the rest of the fine, great OS X team. What the hell where they thinking? This sould have been scrapped in the design phase of Dashboard.

I read this 5 hours ago and still I'm amazed. I say this has a -otherwise- happy mac user, and someone that made 6 friends switch to the mac.

Re:Firefox asks what to do

[Lussarn]

It still fills up your harddrive with possibly malicious crap. If thats ok for you Apple didn't do anything wrong even this time.

Re:Serves you right

[teh+kurisu]

No, it's Safari categorising a ZIP archive as safe. To quote Safari:

"Safe" files include movies, pictures, sounds, PDF and text documents, and disk images and other archives.

The ZIP archive extracts automatically, and just happens to place the file in ~/Library/Widgets/. Dashboard runs the Widget from there.

You're right, it's not safe. I think the solution to this should be to first of all disable the whole opening safe files functionality by default. The second should be to declassify archive files as 'safe' (with the exception of disk images), because it makes it easy to write files in this way.

Personally I've set administrator priveledges on my ~/Library/Widgets/ folder so that I now need to enter a password to write to it.