Apple To Patch Dashboard Vulnerability
bonch writes "Apple has quickly patched a previously reported security hole that allows websites to auto-install potentially malicious widgets without prompting the user. The fix is one of over three dozen miscellaneous fixes to be included in OS X 10.4.1, code-named 'Atlanta', and may appear by the end of the week. Users will now be prompted before a widget downloads to their hard drive."
Why Atlanta?
I think that when a company releases a patch for this type of thing, they should also make the patch report attempts to abuse the exploit. That would make it possible not only to secure against the exploit, but to catch the black hats who try to use it.
So if a site tries to use the Mozilla/XPI script exploit to install a rogue extension, Mozilla should send a report to mozilla.org. Then they can blacklist the site, or even pursue legal action.
This would be GREAT for anti-spyware programs. When someone tries to auto-install spyware on to IE, Microsoft could get a report and the spyware company would feel the wrath of a monopolistic giant crushing them.
Microsoft doesn't release patches for 3 dozen problems.
Microsoft releases patches for thousands of problems at once. They are called service packs.
The only updates they release the rest of the time are security updates.
If you were in charge of security of a Mac house, you would know better than to install 10.n.0 of any new OS X release on any of your company's computers. I never install a new version of X until at least 10.n.3.
"Was it a millionaire who said 'Imagine No Possessions?'" -- Elvis Costello
They only get complete system access after the user has acknowledged that the widget is being run for the first time.
1. That's not true. There is an attempt at a sandbox but it doesn't apply to Widgets that were installed through the hole in Safari and even if it did there's a hole in the sandbox you can drive a Perl interpreter through.
2. It wouldn't matter if they did, because confirmation dialogs aren't enough. Opening a document or other object in an unsandboxed environment must require an explicit request by the user. Having it appear in that environment with no indication that it came from an untrusted source is not good enough.
The only thing that was even vaguely troubling was that it was never stated the item would be auto-installed in the dashboard.
It's only 'vaguely troubling' because you aren't used to it being done. Installing known files for the user is a good idea in concept. The problem is leaving safeguards so the 'bad files' don't get installed.
They are kind of caught between a rock and a hard place here. They want to move forward and make things easy for the user to get and install without needing to understand how things are done, but they still need to prevent 'bad things'. And yes, power users want to control every step and don't mind decompressing and moving files by hand, but they are trying to get the more casual user with the 'It just works' paradigm.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
Automagically moving the downloaded widget directly into the dashboard widgets folder. Some of the responses here are suggesting that widgets in general are a security risk, well, so is every other application that you've installed on your machine. The assumption is that you won't install a malicious application, well the same applies. It is up to the user to decide if an app is safe to install. What more do you want Apple to do besides prompt the user and ask if they would like to install a downloaded widget? Yes, this is an issue right now, but I don't think this current issue, which will be fixed as mentioned above, makes Safari and Dashboard a security risk.
The right thing to do is to not consider widgets to be "safe", and it looks like that's what Apple is going to do.