Apple To Patch Dashboard Vulnerability
bonch writes "Apple has quickly patched a previously reported security hole that allows websites to auto-install potentially malicious widgets without prompting the user. The fix is one of over three dozen miscellaneous fixes to be included in OS X 10.4.1, code-named 'Atlanta', and may appear by the end of the week. Users will now be prompted before a widget downloads to their hard drive."
Apple's already warned users about the "run safe files" function before. The warning indicated that average users should turn the function off, unless you ONLY downloaded files from known, "safe" sites. I had thought that they had released an update that had switched the default in Safari to remove the check from the "open safe files" box, but either Tiger changed that, or I was wrong.
So I don't think there is any real "offending code". The whole thing of a download commencing when you visit a page is used for a lot of download sites (instead of a direct link to the download, they point to a page which initiates a download). The OS then recognized it was a widget and installed it. It's not like your system is suddenly rooted, but you might end up with some widgets you don't want.
The Dashboard behavior they're changing is the rough equivalent in Windows of visiting a web site and having an application (with disk access disabled) appear in your All Programs start menu without warning. If that happened, you can bet that we'd all be bitching about it, and it would be catching an awful lot of users off guard. By now it would be on all the juarez sites as a DDoS client, and probably doing some significant harm to sections of the internet ...
I do think Apple handles security better than Microsoft, but in this case they simply were lucky that no one bothered to exploit their hole.
If we were a Mac house, and I was in charge of security, I would be seriously considering banning the use of Safari at this point.
It's not the slam-dunk that it was for Internet Explorer back in the '90s, when I managed to get IE and Outlook banned just in time to dodge the flood of viruses that resulted from Microsoft's broken security model. The individual problems in Safari and LaunchServices are not nearly as obviously bad as Microsoft's security zones, but they're of the same nature.
This is what Apple really needs to do:
1. Treat Dashboard widgets just like they treat executables. They're not "safe files". It's great that they have isolated the extensions that make Dashboard work so they're not available in arbitrary WebCore applications, that's an absolutely critical advantage over Microsoft's HTML control, but when run in Dashboard they have all the same capabilities as local apps and need to be treated like any other applications.
2. Taking this a step further, they need to treat all downloaded files as dangerous, and ensure that no files are opened by an application where they're not sandboxed without the explicit request of the user. In practice, the only way to ensure this is to not pass them to ANY application that hasn't been registered with the browser (for example, as a plugin).
3. This means that LaunchServices shouldn't be used by WebCore or in any other context where there's the potential of an untrusted object being passed to an application, except by the explicit request (not merely confirmation) of the user. A separate database should be provided for applications that ARE prepared to accept untrusted documents or other objects.
This third step would actually increase convenience, because then you could write "safe viewer" apps that provided a strong sandbox instead of having to depend on every application figuring out whether they needed to sandbox a document based on what they could guess, so you could have viewers for files that currently can only be downloaded.
Apple has not announced a patch. They have not even publicly acknowledged the problem. This is a rumor from a rumor site, based on reports from beta testers (bound by NDA) who probably only have a rough idea of the release schedule.
One simple solution is obviously to turn off "Open Safe Files" in Safari, but that does make life a bit more difficult, so, for those who want to have their cake and eat it too (at least on this issue), I found it blindingly easy to add what I think should be closer to the default behavior, and it's not dependent on Safari.
1. Run "Folder Actions Setup" (in the Applications/Applescript folder).
2. (if it's not already on) Turn on "Enable Folder Actions".
3. Click the (+) button below the folder column to add a folder.
4. Select ~/Library/Widgets in the dialog that pops up for folder selection.
5. Then another dialog asks what action to take and presents a list of pre-made scripts.
6. Select the "add - new item alert.scpt". (click OK).
7. Close up the folder actions application - you're done.
After this, whenever anything gets put in that folder, the system will alert you that something has been placed in your widgets directory and ask if you want to see it. If you weren't expecting this, say if you visited some evil site and got "drive-by-downloaded", you'll at least get tipped to the situation and can either examine the contents of the widget (if you're a geek like me) or trash it without having to dig through anything. You could also go another step and have AppleScript check the contents for certain keys within the widget (say looking for preferences that allow full system access), but I think this will suffice for most people until Apple addresses the problem head on.
There are already a couple of packaged scripts that can set this up for people, but I like having done it myself and knowing what it is up to.
MSRP - Tax, Title & Licence Extra Your Mileage May Vary
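The "go another step" the post above mentions, checking a dropped widget for the keys that ask for access beyond its own bundle, as an added example that is not part of the original comment or of any Apple-supplied script. It is a plain POSIX shell script rather than AppleScript so it can be run from a Terminal (or called from a folder action) against any `.wdgt` bundle. The key names are Apple's documented Dashboard widget `Info.plist` keys (`AllowSystem`, `AllowFullAccess`, `AllowFileAccessOutsideOfWidget`, `AllowNetworkAccess`, `AllowInternetPlugins`, `AllowJava`, `Plugin`); the sample widget bundle the script builds is constructed here for demonstration and is not a real widget.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple): report which
# privilege-granting keys a Dashboard widget's Info.plist turns on. Apple's
# Dashboard keys: boolean Allow* keys are <true/> when enabled; Plugin names
# a native bundle (a <string>), which is as powerful as any local app.
RISKY_KEYS="AllowSystem AllowFullAccess AllowFileAccessOutsideOfWidget AllowNetworkAccess AllowInternetPlugins AllowJava Plugin"

# Print the enabled risky keys of a widget bundle, one per line, in the
# order of RISKY_KEYS. An empty result means the widget stays inside its
# own bundle.  Usage: widget_privileges ~/Library/Widgets/Foo.wdgt
widget_privileges() {
    plist="$1/Info.plist"
    [ -f "$plist" ] || { echo "no Info.plist in $1" >&2; return 2; }
    # Flatten the XML (drop newlines, tabs, spaces) so each <key>X</key>
    # sits directly before its value, then look for the enabled forms.
    tr -d '\n\t ' < "$plist" | awk -v keys="$RISKY_KEYS" '
        BEGIN { n = split(keys, want, " ") }
        {
            for (i = 1; i <= n; i++) {
                tag = (want[i] == "Plugin") ? "<string>" : "<true/>"
                if (index($0, "<key>" want[i] "</key>" tag) > 0) print want[i]
            }
        }'
}

# Build a constructed sample widget bundle (NOT a real widget) that asks
# for network access and full system access but not for full file access.
make_sample_widget() {
    mkdir -p "$1"
    cat > "$1/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.droppedwidget</string>
    <key>CFBundleName</key>
    <string>DroppedWidget</string>
    <key>MainHTML</key>
    <string>widget.html</string>
    <key>AllowNetworkAccess</key>
    <true/>
    <key>AllowSystem</key>
    <true/>
    <key>AllowFullAccess</key>
    <false/>
</dict>
</plist>
EOF
}

# Demo: create the sample bundle in a temp dir and inspect it.
demo_dir=$(mktemp -d)
make_sample_widget "$demo_dir/Sample.wdgt"
echo "Privileged keys enabled in Sample.wdgt:"
widget_privileges "$demo_dir/Sample.wdgt"
rm -rf "$demo_dir"
```

Point it at any bundle that lands in ~/Library/Widgets; a widget that prints nothing here is confined to its own bundle, while `AllowSystem` or `Plugin` means it can run arbitrary commands or native code once you click it in the Dashboard bar, so treat those exactly as you would an unknown executable.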
It absolutely, positively, does NOT run them. It installs them in a directory, which is read when you click the big plus sign at the bottom of the Dashboard screen. They're only run if you click on them there.
Don't blame me; I'm never given mod points.
[The only mistake Apple made is] Automagically moving the downloaded widget directly into the Dashboard widgets folder.
That's the NEW mistake they made.
The other mistake is the one they made in Safari 0.9 that they haven't yet fixed, and that is to let Safari "open safe files" automatically.
What more do you want Apple to do besides prompt the user and ask if they would like to install a downloaded widget?
I want them to do less than that, actually. I want them to just download the widget and wait until the user chooses to install it, or not, and in the meantime leave it sitting in their Downloads folder not bothering anyone.
Because dialog boxes asking users to confirm actions just annoy the user and train them to automatically answer "yes" when a dialog comes up. I see it happen all the time on Windows, some of my users have been infected after reflexively answering "yes" multiple times. NOBODY, though, has ever been infected after manually opening a downloaded virus more than once... because it's more of a deliberate conscious act than clicking on a "yes" button in a dialog you just want to get out of the way.