Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Web Pages Can Install Dashboard Widgets

Posted by timothy on from the not-good dept.

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.

18 of 610 comments (clear)

  1. yes but... by Anonymous Coward · · Score: 5, Funny

    magine porn sites auto-installing adware widgets without your knowledge.

    Yes, but do they install porn?
    -SJ53

    1. Re:yes but... by mike518 · · Score: 5, Funny

      "magine porn sites auto-installing adware widgets without your knowledge."

      i dont need to imagine, im running windows xp.

      --
      Mike
      I heart the RIAA & MPAA, im sure its mutual...
  2. Not much of a problem... by InternationalCow · · Score: 5, Informative

    If you do not tick the "open safe files" check box in the prefs. Which you should left unchecked if you're not entirely stupid, as there is no way to tell whether any file is actually "safe". Good Internet Practice, as I like to call it.

    --
    ----- One learns to itch where one can scratch.
    1. Re:Not much of a problem... by Anonymous Coward · · Score: 5, Insightful

      No, it should be pretty easy to tell what is a "safe" file. PDF, for example, is a safe file, as is HTML, as is a GIF. A dashboard widget is NOT.

      Apple really screwed up with allowing dashboard widgets to be listed as a "safe" file and they need to patch this as soon as possible. This is one of the big problems with IE, that they went from "autoopen anything, even unsafe stuff" to "warn you about viruses when you try to download ANYTHING, including a PDF". Clearly identifying what is safe is as important as identifying what is unsafe, otherwise people just double-click everything they download not realizing it's a .app.

    2. Re:Not much of a problem... by Mike+McTernan · · Score: 5, Insightful

      Which you should left unchecked if you're not entirely stupid

      I always thought that one of Apple's selling points was that they are made for non-experts. So giving users an option to potentially shoot their foot off seems to be a little unfortunate. Almost by definition, few people are experts.

      --
      -- Mike
  3. The solution by Little+Grey · · Score: 5, Informative

    Is to turn off "Open 'Safe' downloads" in Safari's Options.

    It's just common sense anyways

    1. Re:The solution by ender81b · · Score: 5, Insightful

      The solution to spyware on windows is to turn off activex in internet explorer and set it to run as guest...

      It's just common sense.

      Seriously though this is a very bad idea and apple needs to fix this ASAP.

  4. Re:Serves you right by Janitha · · Score: 5, Insightful

    There is no such thing is a secure OS, all Operating systems have flaws.

  5. Re:Firefox asks what to do by Bungopolis · · Score: 5, Informative

    This warning applies specifically to Safari. It's obviously not going to affect Firefox, because Firefox does not have the widget auto-installation feature that Safari does. Most users of Tiger, however, are probably using Safari, so this most certainly is dangerous.

  6. Re:widgets limited by ender81b · · Score: 5, Insightful

    True, true. But hasn't apple learned anything from MS? Automatically running/installing *anything* from the internet is a bad, bad idea. And a widget could, in theory, do things like make widget pop up ads, revolving goatse/tubgirl widget, etc.

    Basically, bad apple bad. Fix.

  7. Re:widgets limited by antibryce · · Score: 5, Interesting


    True, but widgets can run external programs if certain permissions are set. The most insane part is that the widget itself sets the permissions it's allowed to have. Putting a key in the Info.plist file with "AllowFullAccess" set to "Yes" will allow the widget to run anything, access the network, etc. Basically at that point it's a full featured app. How hard would it be to make a widget that's invisible but periodically queries Safari's browser history, or songs played in itunes, or do a spotlight search for "password" and email the results to some guy in Russia? The widget could even be invisible to the user, with a 1x1 transparent gif as it's screen.

    It seems really really dumb in this light to have Safari not only automatically download zip files, but uncompress them and if it finds a Widget bundle inside to install it. All without user intervention.

  8. O Great Oracle of Slashdot by Dachannien · · Score: 5, Funny

    If there's anything that Slashdot has taught us, it's that it's never safe to use your computer.

  9. Didn't work on my system by 1nhuman · · Score: 5, Interesting

    I do use Tiger and Safari, but it didn't work on my system. Primarily because in Safari > System Preferences > General, I Unchecked the check box that automatically open's up Safe files, which includes archives (which I do not consider safe).

    Another thing I did, was to redirect downloads to a special download folder which has a special Folder Action attached that scans new files for viruses and then changes new files permissions to "No Access" (even if there are no viruses). If I want to open/read a downloaded file I have to change it permissions to read/write, for which I made a single-click Apple script that I dragged in the Finders top bar thingie. Ok I'm slightly paranoid, mainly because IT security is my thing (btw the reason why I switched to Mac OS X last year), But it works.

    --
    The glass is half-full. With poison. And there are cracks in the glass. The dirty, dirty glass.
  10. Important correction by daveschroeder · · Score: 5, Informative

    Well, it turns out I spoke too soon.

    I said that Dashboard would prompt you when the widget was run for the first time. It turns out that for auto-installed Safari widgets, it does NOT prompt you the first time the widget is run.

    Interesting.

    This is indeed a security issue, and it should be made to at least prompt the user.

    Considering that ALL other new widgets always prompt when first run, this appears to be a bug, and not the intended behavior.

    The temporary fix (and what I always recommend anyway) is to disable "Open 'safe' files after downloading" in Safari.

  11. Re:Ouch! by LO0G · · Score: 5, Insightful

    So does IE. ActiveX controls have ALWAYS prompted.

    And with XP SP2 (released in AUGUST) unsigned binaries simply can't be installed, and the default is "NO" for signed binaries...

    Somebody thought they had a cool feature and didn't think about the consequences.

  12. Re:Ouch! by soulhuntre · · Score: 5, Insightful

    Um, never? Because it actually prompts you and asks you if you're sure you want to run it?

    So the fact that IE does the same thing for, say, ActiveX and has similar options for control is consistently ignored on /. int he name of the great Jihad but a exactly similar (or worse) Apple problem gets apologists running.

    So amusing.

    --
    --> Fight tyranny and repression.... read /. at -1!
  13. Re:Sky not falling, Safari warns user twice. by mithras+the+prophet · · Score: 5, Informative
    Safari will warn you when downloading a widget with cocoa calls in it by saying "widgetname contains an application. Are you sure you want to continue downloading widgetname?". You have the option to abort download and installation.

    Yes, but you won't get that prompt for a widget that doesn't have Cocoa code, but does contain widget.System() calls -- which effectively means it's an application. You could put an executable in your widget, not set the executable bit, but then chmod a+x and run it from widget.System() calls.

    Dashboard will ask you the first time a third-party widget is run and give you the option of not running it.

    It's so bizarre I didn't believe myself at first, but this is not true of widgets that are auto-installed. Try it yourself -- here is my example exploit page with an entire set of widgets that look identical to the Apple widgets. You will be prompted for permission with none of them, including the `Calculator' widget, which makes a widget.System() call and could conceivably have deleted your home directory.

    --
    four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
  14. Oh but it has, and you've proved part of my point by EtherAlchemist · · Score: 5, Insightful


    Good thing it hasn't happened then.

    Sure it has. Still does, past and present examples.

    Joke or not, your comment is indicative of the denial most Mac users seem to live in- "If it's not Windows, it's secure" and "If I don't hear about it, I must be OK" but the fact is that Mac OS X uses BSD, BSD has holes == Mac OS X has holes. Mac OS X is written by people who want users to have the easiest possible experience using their Mac. As a result, some of the things in place to make usability easier open up holes. This is the same for any OS. Anytime you cater to the user first and security second (or later) you will always ALWAYS provide someone else a way in.

    I have no problem with using one OS or another, I use whatever the hell I need to get the job done- to me it's a tool, not a lifestyle. As such, I make sure my tools are safe and pay attention when someone says my OS has a hole or exploit or vulnerability, rather than just refusing to believe it's true.

    --
    R(k)