Slashdot Mirror


Apple To Patch Dashboard Vulnerability

bonch writes "Apple has quickly patched a previously reported security hole that allows websites to auto-install potentially malicious widgets without prompting the user. The fix is one of over three dozen miscellaneous fixes to be included in OS X 10.4.1, code-named 'Atlanta', and may appear by the end of the week. Users will now be prompted before a widget downloads to their hard drive."

11 of 99 comments

  1. They should post an advisory by mithras+the+prophet · · Score: 4, Insightful

    It's pretty stupid that Apple's policy prevents them from discussing the issue before they have a patch for Safari. They really ought to post an advisory urging users of their shiny new operating system to turn off the "open safe files after downloading" preference in Safari. Considering that it's now established that malicious widgets can replace the Apple-supplied widgets, run with full user privileges once activated, and execute arbitrary binary code, Apple really owes it to its users to warn them.

    --
    four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
    1. Re:They should post an advisory by allgood2 · · Score: 4, Informative

      Apple's already warned users about the "run safe files" function before. The warning indicated that average users should turn the function off, unless you ONLY downloaded files from known, "safe" sites. I had thought that they had released an update that had switched the default in Safari to remove the check from the "open safe files" box, but either Tiger changed that, or I was wrong.

  2. A suggestion for improvement by MobyDisk · · Score: 4, Interesting

    I think that when a company releases a patch for this type of thing, they should also make the patch report attempts to abuse the exploit. That would make it possible not only to secure against the exploit, but to catch the black hats who try to use it.

    So if a site tries to use the Mozilla/XPI script exploit to install a rogue extension, Mozilla should send a report to mozilla.org. Then they can blacklist the site, or even pursue legal action.

    This would be GREAT for anti-spyware programs. When someone tries to auto-install spyware on to IE, Microsoft could get a report and the spyware company would feel the wrath of a monopolistic giant crushing them.

    1. Re:A suggestion for improvement by amichalo · · Score: 4, Interesting

      Good idea but difficult to implement.

      I think that when a company releases a patch for this type of thing, they should also make the patch report attempts to abuse the exploit.

      One problem is that many of the exploits rely on a series of steps being taken, some of which may be perfectly acceptable but in concert, create the exploit.

      If, for instance, an exploit overflowed a buffer with an infinite loop, an Apple patch may rewrite that piece of code so it cannot create that infinite loop scenario. All of a sudden, the exploit code no longer exploits anything, but there is no way to know that it would have since the code has changed.

      I don't know about other programmers, but I find creating good error handling routines to be one of the most challenging aspects of software development because you have to plan for every eventuality, be it expected, malicious, or just a bug.

      --
      I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
    2. Re:A suggestion for improvement by geoffspear · · Score: 4, Insightful

      If I'm not mistaken, the "exploit" in question is the same technique used by many download sites (including, e.g., Sourceforge) to serve files. You navigate to a web page which displays HTML content and then triggers a download of a file while the page is being displayed.

      In Safari, if the file happens to be a widget, it gets installed for you so you can activate it from within Dashboard. If it's a disk image containing an application, the disk image gets opened (in Tiger, with a warning) so the user can take the right steps to install the application.

      There are substantial non-abusive uses of this technology and, right now, basically one abusive use of it (sending a file that will auto-install without having the website actually ask the user if he/she wants to install it.)

      It's perfectly legitimate to have a site that contains a "Download my widget" link which sends the user to a page like this. Whether the widget can be harmful or not is irrelevant; there's nothing Apple can reasonably do to prevent someone from distributing malicious software to users who trust the person distributing it and intentionally install it.

      Removing the auto-install of widgets, replacing it with a "Are you sure you want to install this widget" dialog, is the reasonable solution, and brings it in line with how Safari acts when any other executable is downloaded.

      --
      Don't blame me; I'm never given mod points.
    3. Re:A suggestion for improvement by Have+Blue · · Score: 4, Funny

      an Apple patch may rewrite that piece of code so it cannot create that infinite loop scenario

      Hey, if Apple wants to solve the halting problem as part of their security initiative, that's fine with me. Now that's dedication!

  3. Re:3 Dozen? by rokzy · · Score: 4, Insightful

    "fixes" means little things mostly.

    Apple releases a new OS and the biggest thing people can find to bitch about is that if you have the auto-open option set, it auto-opens.

    MS releases a new OS claiming great security and within a couple of months the internet is crippled by Blaster.

    compare and contrast.

  4. Quick little rebuttal by daviddennis · · Score: 4, Insightful

    Someone discovers a nasty possibility, and in two days Apple announces a fix. It will be ready within a few more days and then the problem's gone for good.

    I don't think it's hypocritical to praise that kind of fast response. If my memory serves, the problems that allowed the Blaster Worm and others to work were publicly known for months and MS didn't do anything about them. That's where the condemnation of Microsoft comes from.

    D

  5. Re:If we were a Mac house... by remahl · · Score: 4, Informative

    when run in Dashboard they have all the same capabilities as local apps and need to be treated like any other applications.

    They don't actually. They only get complete system access after the user has acknowledged that the widget is being run for the first time.

  6. Re:Learn from ActiveX? by argent · · Score: 4, Insightful

    Isn't this the same major (and irrevocable) mistake that Microsoft made when they let the ActiveX genie out of the bottle?

    No, not quite. While it's a step along the dark path it's a long way from ActiveX, for a couple of reasons.

    First, it's not QUITE autoexecute. It's close enough that a naive user could easily step off the cliff, but it doesn't actually push them over. It can be avoided if you're wary.

    Second, it's not irrevocable. Apple can disable "open safe files" and remove the code from Safari that autoinstalls widgets without breaking anyone's software. It's not like these capabilities are core elements of a desktop-browser integration like ActiveX is in Microsoft.

    Dashboard isn't the problem, if it's treated as "a new way to write applications" and the token attempt at sandboxing doesn't lead Apple to take it lightly.
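    The mitigation that several posts above converge on is to switch off Safari's "open safe files" option and to keep an eye on what lands in the widgets folder. The script below is an added illustration of that check from the defender's side; it is not code from the thread, from Apple, or from any of the posters. It assumes that the Safari checkbox is stored in the `com.apple.Safari` preference domain under the key `AutoOpenSafeDownloads`, and that per-user widgets live in `~/Library/Widgets`; both are assumptions, not facts stated in the thread. The classification and listing helpers take their input as arguments, so they also run on a non-Mac machine with a constructed folder.

```shell
#!/bin/sh
# Added audit helper (not from the thread or from Apple). Reports whether Safari's
# "Open 'safe' files after downloading" option is on and lists widget bundles that
# changed recently in the user's widget folder. Both locations below are assumptions.
set -u

# Assumed preference domain and key for the Safari checkbox.
SAFARI_DOMAIN="com.apple.Safari"
AUTO_OPEN_KEY="AutoOpenSafeDownloads"
# Assumed location of per-user Dashboard widgets.
WIDGET_DIR="${HOME:-/tmp}/Library/Widgets"

# Classify a raw preference value. Exit status: 0 = option off (safe),
# 1 = option on, 2 = value missing or unrecognised.
classify_auto_open() {
    case "${1:-}" in
        0|false|NO)  return 0 ;;
        1|true|YES)  return 1 ;;
        *)           return 2 ;;
    esac
}

# Read the preference on macOS; print nothing elsewhere (defaults(1) is macOS-only).
read_auto_open_pref() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$SAFARI_DOMAIN" "$AUTO_OPEN_KEY" 2>/dev/null
    fi
}

# Print the *.wdgt bundles directly inside DIR modified within the last MINUTES
# minutes, one per line, sorted. A missing directory yields no output.
list_recent_widgets() {
    dir="$1"
    minutes="$2"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -name '*.wdgt' -mmin "-$minutes" -print | sort
}

main() {
    pref="$(read_auto_open_pref)"
    rc=0
    classify_auto_open "$pref" || rc=$?
    case "$rc" in
        0) echo "Safari auto-open of 'safe' downloads: OFF" ;;
        1) echo "WARNING: Safari auto-open of 'safe' downloads is ON; untick it in Safari > Preferences > General" ;;
        *) echo "Safari auto-open preference: unknown (not macOS, or key never set)" ;;
    esac
    echo "Widget bundles modified in the last 24h under $WIDGET_DIR:"
    list_recent_widgets "$WIDGET_DIR" 1440
}

main
```

    Run it as-is on a Mac for the report; on other systems the preference check reports "unknown" and the folder listing is simply empty. The per-function design is deliberate: `classify_auto_open` and `list_recent_widgets` never touch the real system, so they can be exercised against constructed values and a scratch directory.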

  7. The only real mistake Apple made is... by berndtj · · Score: 4, Interesting

    Automagically moving the downloaded widget directly into the dashboard widgets folder. Some of the responses here are suggesting that widgets in general are a security risk, well, so is every other application that you've installed on your machine. The assumption is that you won't install a malicious application, well the same applies. It is up to the user to decide if an app is safe to install. What more do you want Apple to do besides prompt the user and ask if they would like to install a downloaded widget? Yes, this is an issue right now, but I don't think this current issue, which will be fixed as mentioned above, makes Safari and Dashboard a security risk.