Slashdot Mirror


Apple To Patch Dashboard Vulnerability

bonch writes "Apple has quickly patched a previously reported security hole that allows websites to auto-install potentially malicious widgets without prompting the user. The fix is one of over three dozen miscellaneous fixes to be included in OS X 10.4.1, code-named 'Atlanta', and may appear by the end of the week. Users will now be prompted before a widget downloads to their hard drive."

11 of 99 comments

  1. They should post an advisory by mithras+the+prophet · · Score: 4, Insightful

    It's pretty stupid that Apple's policy prevents them from discussing the issue before they have a patch for Safari. They really ought to post an advisory urging users of their shiny new operating system to turn off the "open safe files after downloading" preference in Safari. Considering that it's now established that malicious widgets can replace the Apple-supplied widgets, run with full user privileges once activated, and execute arbitrary binary code, Apple really owes it to its users to warn them.

    --
    four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
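    The post above names two things a user or admin can check for: whether Safari's "open safe files after downloading" preference is on, and whether a widget in the user's widget folder is passing itself off as an Apple-supplied one. The script below is an added example and is not code from the thread or from Apple; it assumes that Safari keeps that preference under the key `AutoOpenSafeDownloads` in `com.apple.Safari.plist` (default on), that user widgets live in `~/Library/Widgets` as `.wdgt` bundles with an `Info.plist`, and that Apple's own widgets use identifiers under `com.apple.widget.`. The demo builds a throwaway home directory with constructed fixtures so it runs anywhere.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumed conventions, not taken from the thread:
#  - Safari stores the "open safe files after downloading" switch under
#    AutoOpenSafeDownloads in com.apple.Safari.plist, enabled by default.
#  - Apple-supplied widgets use bundle identifiers under com.apple.widget.
SAFARI_AUTO_OPEN_KEY = "AutoOpenSafeDownloads"
APPLE_WIDGET_PREFIX = "com.apple.widget."


def auto_open_enabled(prefs_path):
    """True if Safari will auto-open 'safe' downloads (widgets included).

    A missing file or key means the factory default, which is enabled."""
    path = Path(prefs_path)
    if not path.is_file():
        return True
    with path.open("rb") as fh:
        prefs = plistlib.load(fh)
    return bool(prefs.get(SAFARI_AUTO_OPEN_KEY, True))


def widget_identifier(bundle):
    """CFBundleIdentifier of a .wdgt bundle, or None if it has no Info.plist."""
    info = Path(bundle) / "Info.plist"
    if not info.is_file():
        return None
    with info.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleIdentifier")


def find_masquerading_widgets(user_widget_dir, apple_prefix=APPLE_WIDGET_PREFIX):
    """List user-installed widgets whose identifier claims Apple's namespace.

    A widget dropped into ~/Library/Widgets that reuses an Apple identifier
    is the 'replace the Apple-supplied widgets' case from the thread."""
    root = Path(user_widget_dir)
    if not root.is_dir():
        return []
    hits = []
    for bundle in sorted(root.glob("*.wdgt")):
        ident = widget_identifier(bundle)
        if ident and ident.startswith(apple_prefix):
            hits.append((bundle.name, ident))
    return hits


def make_widget(root, name, identifier):
    """Write a minimal .wdgt bundle; used only to build constructed fixtures."""
    bundle = Path(root) / f"{name}.wdgt"
    bundle.mkdir(parents=True, exist_ok=True)
    with (bundle / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": identifier, "CFBundleName": name}, fh)
    return bundle


def make_safari_prefs(path, auto_open):
    """Write a constructed com.apple.Safari.plist with the switch set."""
    with Path(path).open("wb") as fh:
        plistlib.dump({SAFARI_AUTO_OPEN_KEY: auto_open}, fh)


def run_demo():
    """Build a throwaway home directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as home:
        widgets = Path(home) / "Library" / "Widgets"
        make_widget(widgets, "Stocks", "com.example.stocks")  # benign third-party widget
        make_widget(widgets, "Calculator", "com.apple.widget.calculator")  # claims Apple's name
        prefs = Path(home) / "Library" / "Preferences" / "com.apple.Safari.plist"
        prefs.parent.mkdir(parents=True)
        make_safari_prefs(prefs, auto_open=True)  # the risky default
        return {
            "auto_open": auto_open_enabled(prefs),
            "masquerading": find_masquerading_widgets(widgets),
        }


if __name__ == "__main__":
    result = run_demo()
    if result["auto_open"]:
        print("Safari will auto-open downloaded widgets: turn the preference off")
    for name, ident in result["masquerading"]:
        print(f"user widget {name} claims Apple identifier {ident}")
```

    On a real machine, point `auto_open_enabled` at the user's `com.apple.Safari.plist` and `find_masquerading_widgets` at `~/Library/Widgets`; the identifier check is a heuristic, so treat a hit as something to look at rather than proof of malice.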
    1. Re:They should post an advisory by goombah99 · · Score: 3, Insightful
      When I have downloaded applications containing widgets they all came packaged as Zip files. The OS warned me that the file I was downloading contained an application. Safari then unzipped and the widget was autoinstalled into the dashbar. The first time I ran it, it said this is the first time you are running this and gave me a warning dialog before executing it.

      So really I had my warnings. If you are worried that people get inured to click through warnings then you might as well worry about people running any application they downloaded.

      The only thing that was even vaguely troubling was that it was never stated the item would be auto-installed in the dashboard. Thus even though I was not in danger of running something I did not ask for, I was in danger of installing something in the dashbar I did not understand that I was approving when I allowed it to unzip.

      So the advisory you want is pretty pointless. If people don't listen to the warnings of their own computer then why an advisory? The advisory is more likely just to make people needlessly fearful.

      --
      Some drink at the fountain of knowledge. Others just gargle.
  2. Re:A suggestion for improvement by Anonymous Coward · · Score: 1, Insightful

    It would be awfully difficult to do in this case. It's kind of tough for the software to tell, without actually running it, if a simple Dashboard Widget is intended to be malicious.

    If you wrote code to watch for such a thing, you would probably be so flooded with false positives that the detection system would be rendered useless.

  3. Re:A suggestion for improvement by geoffspear · · Score: 4, Insightful
    If I'm not mistaken, the "exploit" in question is the same technique used by many download sites (including, e.g., Sourceforge) to serve files. You navigate to a web page which displays HTML content and then triggers a download of a file while the page is being displayed.

    In Safari, if the file happens to be a widget, it gets installed for you so you can activate it from within Dashboard. If it's a disk image containing an application, the disk image gets opened (in Tiger, with a warning) so the user can take the right steps to install the application.

    There are substantial non-abusive uses of this technology and, right now, basically one abusive use of it (sending a file that will auto-install without having the website actually ask the user if he/she wants to install it).

    It's perfectly legitimate to have a site that contains a "Download my widget" link which sends the user to a page like this. Whether the widget can be harmful or not is irrelevant; there's nothing Apple can reasonably do to prevent someone from distributing malicious software to users who trust the person distributing it and intentionally install it.

    Removing the auto-install of widgets, replacing it with an "Are you sure you want to install this widget" dialog, is the reasonable solution, and brings it in line with how Safari acts when any other executable is downloaded.

    --
    Don't blame me; I'm never given mod points.
  4. Re:3 Dozen? by rokzy · · Score: 4, Insightful

    "fixes" means little things mostly.

    Apple releases a new OS and the biggest thing people can find to bitch about is that if you have the auto-open option set, it auto-opens.

    MS releases a new OS claiming great security and within a couple of months the internet is crippled by Blaster.

    Compare and contrast.

  5. great! by sootman · · Score: 2, Insightful

    Now if they'd quit bugging me every time I download a .dmg we'd be set!

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  6. Worst-case scenario for Dashboard malware? by yardbird · · Score: 3, Insightful

    What's the worst that a malicious widget can do? Presumably it has access to the network, so it could be a DDOS client (as someone mentioned above). What can widgets do locally?

    --
    Free, legal music for iTunes users.
  7. Quick little rebuttal by daviddennis · · Score: 4, Insightful

    Someone discovers a nasty possibility, and in two days Apple announces a fix. It will be ready within a few more days and then the problem's gone for good.

    I don't think it's hypocritical to praise that kind of fast response. If my memory serves, the problems that allowed the Blaster Worm and others to work were publicly known for months and MS didn't do anything about them. That's where the condemnation of Microsoft comes from.

    D

  8. Learn from ActiveX? by lbya · · Score: 3, Insightful
    Actually in my mind this Dashboard security hole, while perhaps minor, is one of the most disappointing things Apple has ever done. The line continues to blur between surfing and running code -- or between documents and executables -- and this trend, while important, of course presents serious, inherent security challenges, since it places the user in a passive position with respect to the code being executed on their computer. It's disturbing that Apple apparently didn't think much at all about that very well-known issue, before creating an auto-install, auto-execute system for Javascript apps with file system access.

    Isn't this the same major (and irrevocable) mistake that Microsoft made when they let the ActiveX genie out of the bottle? If Apple is going to walk into the same traps that Microsoft walked into years ago, it makes me question the purpose of OS X. Plus as an invention Dashboard isn't even as useful as ActiveX.

    1. Re:Learn from ActiveX? by argent · · Score: 4, Insightful

      Isn't this the same major (and irrevocable) mistake that Microsoft made when they let the ActiveX genie out of the bottle?

      No, not quite. While it's a step along the dark path it's a long way from ActiveX, for a couple of reasons.

      First, it's not QUITE autoexecute. It's close enough that a naive user could easily step off the cliff, it doesn't actually push them over. It can be avoided if you're wary.

      Second, it's not irrevocable. Apple can disable "open safe files" and remove the code from Safari that autoinstalls widgets without breaking anyone's software. It's not like these capabilities are core elements of a desktop-browser integration like ActiveX is in Microsoft.

      Dashboard isn't the problem, if it's treated as "a new way to write applications" and the token attempt at sandboxing doesn't lead Apple to take it lightly.

    2. Re:Learn from ActiveX? by ciroknight · · Score: 3, Insightful

      You are blowing things way out of proportion.

      First of all, the VERY first patch to this new operating system, 10.4.1, will fix this bug. Developers can't always catch everything, and honestly, I wouldn't even have thought about it, so I can't blame Apple for not thinking about it. I'm just happy to know when my laptop arrives with Tiger installed that the very first thing that will happen is it will patch all of the holes they let slip in 10.4.0.

      Second of all, deadlines like this are vicious. If you ask me, they rushed the release of Tiger a bit just to counteract some of the press Longhorn betas and Longhorn reviews were getting, and to help the sales of Mini Macs. So some of the things they released were a little broken.

      Lastly, you said it yourself. Dashboard isn't even as useful as ActiveX, and is entirely deniable. You can turn it off and not ever use it if you choose, making any bugs like this completely null to you. ActiveX quickly became something that wasn't deniable; if you weren't running ActiveX, your bank's website would refuse to do business with you. Now doesn't that mean a flaw in ActiveX is a lot more critical than a flaw in some easily ignorable post-it note board?

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush