Apple To Patch Dashboard Vulnerability
bonch writes "Apple has quickly patched a previously reported security hole that allows websites to auto-install potentially malicious widgets without prompting the user. The fix is one of over three dozen miscellaneous fixes to be included in OS X 10.4.1, code-named 'Atlanta', and may appear by the end of the week. Users will now be prompted before a widget downloads to their hard drive."
Why Atlanta?
It's pretty stupid that Apple's policy prevents them from discussing the issue before they have a patch for Safari. They really ought to post an advisory urging users of their shiny new operating system to turn off the "open safe files after downloading" preference in Safari. Considering that it's now established that malicious widgets can replace the Apple-supplied widgets, run with full user privileges once activated, and execute arbitrary binary code, Apple really owes it to its users to warn them.
They're saving Atalanta for OS X 10.5, code name "Lion".
I think that when a company releases a patch for this type of thing, they should also make the patch report attempts to abuse the exploit. That would make it possible not only to secure against the exploit, but to catch the black hats who try to use it.
So if a site tries to use the Mozilla/XPI script exploit to install a rogue extension, Mozilla should send a report to mozilla.org. Then they can blacklist the site, or even pursue legal action.
This would be GREAT for anti-spyware programs. When someone tries to auto-install spyware on to IE, Microsoft could get a report and the spyware company would feel the wrath of a monopolistic giant crushing them.
Has Microsoft *ever* released patches for three dozen problems?
"fixes" means little things mostly.
Apple releases a new OS and the biggest thing people can find to bitch about is that if you have the auto-open option set, it auto-opens.
MS releases a new OS claiming great security and within a couple of months the internet is crippled by Blaster.
compare and contrast.
The Dashboard behavior they're changing is the rough equivalent in Windows of visiting a web site and having an application (with disk access disabled) appear in your All Programs start menu without warning. If that happened, you can bet that we'd all be bitching about it, and it would be catching an awful lot of users off guard. By now it would be on all the juarez sites as a DDOS client, and probably doing some significant harm to sections of the internet ...
I do think Apple handles security better than Microsoft, but in this case they simply were lucky that no one bothered to exploit their hole.
Uh huh....
3 dozen fixes in a single point release? This is peanuts... a Microsoft service pack is a wholly different animal.
The last combined updates for 10.3 were in the neighborhood of 80-100 megabytes, encompassing every fix from 10.3.1 to the present.
Service pack 2 for Windows XP was, what, 450MB or something?
I smell cluelessness....
bash-3.00$ uname -a
SunOS panda 5.10 Generic sun4u sparc SUNW,Ultra-2
now if they'd quit bugging me every time I download a .dmg we'd be set!
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Microsoft doesn't release patches for 3 dozen problems.
Microsoft releases patches for thousands of problems at once. They are called service packs.
The only updates they release the rest of the time are security updates.
What's the worst that a malicious widget can do? Presumably it has access to the network, so it could be a DDOS client (as someone mentioned above). What can widgets do locally?
Free, legal music for iTunes users.
They really ought to post an advisory urging users of their shiny new operating system to turn off the "open safe files after downloading" preference in Safari.
That would be a start.
Better would be to quit shipping Safari with that option turned on by default.
Best would be to take that capability out completely, because it's inconvenient as often as it's convenient and it creates an opportunity for exploits that doesn't need to be there.
Someone discovers a nasty possibility, and in two days Apple announces a fix. It will be ready within a few more days and then the problem's gone for good.
I don't think it's hypocritical to praise that kind of fast response. If my memory serves, the problems that allowed the Blaster Worm and others to work were publicly known for months and MS didn't do anything about them. That's where the condemnation of Microsoft comes from.
If we were a Mac house, and I was in charge of security, I would be seriously considering banning the use of Safari at this point.
It's not the slam-dunk that it was for Internet Explorer back in the '90s, when I managed to get IE and Outlook banned just in time to dodge the flood of viruses that resulted from Microsoft's broken security model. The individual problems in Safari and LaunchServices are not nearly as obviously bad as Microsoft's security zones, but they're of the same nature.
This is what Apple really needs to do:
1. Treat Dashboard widgets just like they treat executables. They're not "safe files". It's great that they have isolated the extensions that make dashboard work so they're not available in arbitrary Webcore applications, that's an absolutely critical advantage over Microsoft's HTML control, but when run in Dashboard they have all the same capabilities as local apps and need to be treated like any other applications.
2. Taking this a step further, they need to treat all downloaded files as dangerous, and ensure that no files are opened by an application where they're not sandboxed without the explicit request of the user. In practice, the only way to ensure this is to not pass them to ANY application that hasn't been registered with the browser (for example, as a plugin).
3. This means that LaunchServices shouldn't be used by Webcore or in any other context where there's the potential of an untrusted object being passed to an application, except by the explicit request (not merely confirmation) of the user. A separate database should be provided for applications that ARE prepared to accept untrusted documents or other objects.
This third step would actually increase convenience, because then you could write "safe viewer" apps that provided a strong sandbox instead of having to depend on every application figuring out whether they needed to sandbox a document based on what they could guess, so you could have viewers for files that currently can only be downloaded.
The network install/redist of Service Pack 2 is something like ~270MB, I think most of that is that it can take any machine to Service Pack 2 without having to have Service Pack 1 installed, and it probably includes all the files Service Pack 2 needs rather than patching existing files.
If you hit up Windows Update it'll give you Service Pack 2 as a 70-90MB install if I remember correctly.
the latest version of shaft has an option to turn off the download executable warning for .dmg etc....
Seriously though it could do anything any script or application could do; use your imagination. It could delete everything in ~/ - that would not be fun. It could send emails to everyone in your address book announcing your engagement to Michael Jackson.
They should. If they didn't have an "open safe files" mechanism, there wouldn't be any rationale for having the browser pop up a warning dialog like this. Not only wouldn't there be a potential for silent exploits from "opening safe files", but they wouldn't be training people to ignore warning dialogs!
Actually in my mind this Dashboard security hole, while perhaps minor, is one of the most disappointing things Apple has ever done. The line continues to blur between surfing and running code -- or between documents and executables -- and this trend, while important, of course presents serious, inherent security challenges, since it places the user in a passive position with respect to the code being executed on their computer. It's disturbing that Apple apparently didn't think much at all about that very well-known issue, before creating an auto-install, auto-execute system for JavaScript apps with file system access.
Isn't this the same major (and irrevocable) mistake that Microsoft made when they let the ActiveX genie out of the bottle? If Apple is going to walk into the same traps that Microsoft walked into years ago, it makes me question the purpose of OS X. Plus as an invention Dashboard isn't even as useful as ActiveX.
One simple solution, is obviously to turn off "Open Safe Files" in Safari, but that does make life a bit more difficult, so, for those who want to have their cake and eat it too (at least on this issue) I found it blindingly easy to add what I think should be closer to the default behavior - and it's not dependent on Safari.
1. Run "Folder Actions Setup" (in the Applications/AppleScript folder).
2. (if it's not already on) Turn on "Enable Folder Actions".
3. Click the (+) button below the folder column to add a folder.
4. Select ~/Library/Widgets in the dialog that pops up for folder selection.
5. Then another dialog asks what action to take and presents a list of pre-made scripts.
6. Select the "add - new item alert.scpt". (click OK).
7. Close up the folder actions application - you're done.
After this, whenever anything gets put in that folder, the system will alert you that something has been placed in your widgets directory and ask if you want to see it. If you weren't expecting this, say if you visited some evil site and got "drive-by-downloaded", you'll at least get tipped to the situation and can either examine the contents of the widget (if you're a geek like me) or trash it without having to dig through anything. You could also go another step and have AppleScript check the contents for certain keys within the widget (say looking for preferences that allow full system access) but I think this will suffice for most people until Apple addresses the problem head on.
There are already a couple packaged scripts that can set this up for people, but I like having done it myself and knowing what it itself is up to.
MSRP - Tax, Title & Licence Extra Your Milage May Vary
One simple solution, is obviously to turn off "Open Safe Files" in Safari, but that does make life a bit more difficult
How do you figure? What does "Open Safe Files" do for you that it's worth even a little risk? Even if it was entirely safe I'd turn it off because it's annoying to download a file and end up with two or three extra icons on my desktop because Safari ran Stuffit which unpacked it and then mounted the DMG inside... or if I configure Stuffit to delete the original now I've lost the file I actually downloaded.
OK, you like that automatic step, it doesn't annoy you, but why is it so important that not having it makes life "more difficult"? I'm not trolling, I honestly don't understand why this is considered a good idea, let alone something important enough to risk the inevitable future security problems to keep?
Automagically moving the downloaded widget directly into the dashboard widgets folder. Some of the responses here are suggesting that widgets in general are a security risk, well, so is every other application that you've installed on your machine. The assumption is that you won't install a malicious application, well the same applies. It is up to the user to decide if an app is safe to install. What more do you want Apple to do besides prompt the user and ask if they would like to install a downloaded widget? Yes, this is an issue right now, but I don't think this current issue, which will be fixed as mentioned above, makes Safari and Dashboard a security risk.
[The only mistake Apple made is] Automagically moving the downloaded widget directly into the dashboard widgets folder.
That's the NEW mistake they made.
The other mistake is the one they made in Safari 0.9 that they haven't yet fixed, and that is to let Safari "open safe files" automatically.
What more do you want apple to do besides prompt the user and ask if they would like to install a downloaded widget?
I want them to do less than that, actually. I want them to just download the widget and wait until the user chooses to install it, or not, and in the meantime leave it sitting in their Downloads folder not bothering anyone.
Because dialog boxes asking users to confirm actions just annoy the user and train them to automatically answer "yes" when a dialog comes up. I see it happen all the time on Windows, some of my users have been infected after reflexively answering "yes" multiple times. NOBODY, though, has ever been infected after manually opening a downloaded virus more than once... because it's more of a deliberate conscious act than clicking on a "yes" button in a dialog you just want to get out of the way.
Users will now be prompted before a widget downloads to their hard drive.
Another problem, besides "auto-install on download" is that Dashboard's "warning" to a user on newly-installed widget launch is a simple yes/no proposition without any indication of the access sought by the widget.
It would be nice to see Apple adopt something similar to Amnesty Widget Browser, which presents the following dialog on newly-installed widget launch.
The post is wrong. You get a warning.
Dashboard's "warning" to a user on newly-installed widget launch is a simple yes/no proposition without any indication of the access sought by the widget.
The fact is, Dashboard shouldn't be doing this check at all. The check implies that Dashboard is a "safe" environment, and it's not any such thing, so all it does is provide an illusion of security that encourages people to treat Widgets cavalierly... and it's truly ironic that the first victim of this illusion is Apple themselves. Same thing with Amnesty Widget Browser. The whole point to the way these programs work is that they provide a NON-sandboxed environment that can be used for Webcore scripting, without weakening the sandbox in Webcore itself.
This "security prompt" in Dashboard is another baby step down the dark path that Microsoft took almost a decade ago. It's a bad idea... they need to step back and ask whether they should even be treating Dashboard any differently from any other application environment.
Only Dashboard or another front end that adds the same capabilities to its instance of WebCore can give you those rights. And THAT restriction is the important one, from the point of view of real security. Does that fit with what you know?
Yes, I think we agree. I think the one addition to point out is that Dashboard will only honor requests in the code for certain methods of the widget object based on the security level specified in the plist. The document I referenced explains this as: if you try var s = widget.createScript("~/Desktop/malicious.wdgt/evil-binary", null, null); without declaring AllowSystem in the widget's plist it will just ignore that command. As it's been mentioned elsewhere this is really moot at the current time (and hence the biggest problem with Dashboard's security). There is no preference, or application for controlling whether widgets are granted this power. As it stands right now you just have to 'trust' the widget developer that when she puts AllowSystem in her widget that she isn't going to erase your FileVault. Without some level of granularity on the widget 'sandbox' this security model is essentially useless [untapped].
Anyway, you are correct that WebCore alone will not honor any calls through the widget object. The widget object is the only facility that allows for capability beyond what is available with today's webpages (ecmascript, flash players, java applets) and the widget object is only available when a widget's script is evaluated by Dashboard.
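An added example, written for this page and not code from the thread or from Apple: the folder-action recipe earlier in the thread tells you that something landed in ~/Library/Widgets, and the poster suggests going a step further and checking the widget's contents for keys that grant system access. The comment just above explains why that key matters: without AllowSystem in the widget's Info.plist, Dashboard ignores the widget-object calls that reach the system. The script below does that audit. It reads each .wdgt bundle's Info.plist with the standard plistlib module and reports which capability keys are turned on. AllowSystem is the only key the thread names; the other key names in PRIVILEGED_KEYS are assumptions based on Apple's Dashboard documentation as I remember it, and the two sample widgets it builds in a temporary directory are constructed for the demo.

```python
"""Audit Dashboard widget bundles (.wdgt) for Info.plist keys that grant
capabilities beyond an ordinary web page.

Added example for this thread. The two sample bundles are constructed here
so the script runs offline; point audit_widgets_dir() at a real
~/Library/Widgets to audit installed widgets.
"""
import os
import plistlib
import tempfile

# AllowSystem is the key the thread names (it enables the widget object's
# system-level calls). The remaining names are ASSUMED from Apple's Dashboard
# docs and should be checked against the current widget reference.
PRIVILEGED_KEYS = (
    "AllowSystem",                    # run commands / scripts as the user
    "AllowFullAccess",                # (assumed) all capabilities at once
    "AllowFileAccessOutsideOfWidget", # (assumed) read/write outside bundle
    "AllowNetworkAccess",             # (assumed) arbitrary network access
    "AllowInternetPlugins",           # (assumed) load browser plugins
    "AllowJava",                      # (assumed) run Java applets
    "Plugin",                         # (assumed) native plugin bundle name
)

MISSING_PLIST = "(no Info.plist)"


def audit_widget(bundle_path):
    """Return the privileged keys a widget's Info.plist turns on.

    A bundle without an Info.plist is itself suspicious, so it is reported
    with the MISSING_PLIST marker rather than silently treated as clean.
    """
    info_path = os.path.join(bundle_path, "Info.plist")
    if not os.path.isfile(info_path):
        return [MISSING_PLIST]
    with open(info_path, "rb") as fh:
        info = plistlib.load(fh)
    # Boolean keys are <true/> in the plist; "Plugin" is a bundle name string.
    # Either way, a truthy value means the capability is requested.
    return [key for key in PRIVILEGED_KEYS if info.get(key)]


def audit_widgets_dir(widgets_dir):
    """Map every .wdgt bundle directly inside widgets_dir to its flagged keys."""
    report = {}
    if not os.path.isdir(widgets_dir):
        return report
    for name in sorted(os.listdir(widgets_dir)):
        path = os.path.join(widgets_dir, name)
        if name.endswith(".wdgt") and os.path.isdir(path):
            report[name] = audit_widget(path)
    return report


def make_sample_widget(widgets_dir, name, extra_keys):
    """Write a minimal constructed widget bundle (demo data, not a real widget)."""
    bundle = os.path.join(widgets_dir, name)
    os.makedirs(bundle)
    info = {
        "CFBundleIdentifier": "example." + name.replace(".wdgt", "").lower(),
        "MainHTML": "main.html",
        "Width": 200,
        "Height": 100,
    }
    info.update(extra_keys)
    with open(os.path.join(bundle, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    return bundle


def audit_sample():
    """Build two constructed widgets in a temp dir and audit them.

    Returns the report, e.g. {"Clock.wdgt": [], "Evil.wdgt": ["AllowSystem",
    "AllowNetworkAccess"]}, so the result can be checked programmatically.
    """
    tmp = tempfile.mkdtemp(prefix="widget-audit-")
    make_sample_widget(tmp, "Clock.wdgt", {})
    make_sample_widget(tmp, "Evil.wdgt",
                       {"AllowSystem": True, "AllowNetworkAccess": True})
    return audit_widgets_dir(tmp)


if __name__ == "__main__":
    # Audit the constructed samples, then the real widget folder if present.
    for widgets_dir in (None, os.path.expanduser("~/Library/Widgets")):
        report = audit_sample() if widgets_dir is None else audit_widgets_dir(widgets_dir)
        for widget, flagged in report.items():
            status = "PRIVILEGED: " + ", ".join(flagged) if flagged else "ok"
            print("%-30s %s" % (widget, status))
```

Run it from a terminal and anything marked PRIVILEGED is a widget you have to trust at the level of a native application, which is the point the thread keeps returning to: the plist key is a declaration, not a sandbox, and nothing in Dashboard itself asks whether you agree to it.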
Read Heinlein's 1953 Revolt in 2100, now more than ever.