Developer demos ‘exploit’ in Mac OS X Tiger’s Dashboard

“One developer claims to have found a security hole in Apple’s new Tiger operating system. According to his website, Apple’s highly touted Dashboard technology, found in the new version of Mac OS X 10.4, has a security vulnerability that could cause malicious third-party sites to auto-install a Widget, a small program designed to display Internet content on the desktop,” MacNN reports.

“If you’re running Safari on OS X Tiger and go to this website, a ‘slightly evil’ Dashboard widget will be automatically downloaded and installed and can’t be removed without manually removing the file from the Library folder and rebooting the computer.”

MacNN reports, “The author says it is a demonstration of ‘how easy it is to exploit Dashboard for nefarious purposes.’ A subsequent discussion by the author outlines other ‘more evil’ exploits of the security hole.”

Full article, with the link to the demo widget site, here.

Slashdot has a discussion regarding this here.

Apple’s developer pages regarding Dashboard Security note that if a Widget attempts to access the file system, Java applets, or other sensitive parts of the system, and the Widget is located outside of /Library/Widgets/, a dialog is presented to the user on the Widget’s first load. The dialog asks the user whether or not they want to use the widget. If the request is approved, the widget is loaded and granted access to the resources that it requested.

The issue, of course, is that a nefarious Widget could promise you something wonderful, entice you to allow it to load, and then do something unexpected. Apple’s Dashboard Security page is here.
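A small audit script, added here as an illustration and not part of the article or of Apple’s tooling, that applies the rule just described to a folder of installed widgets: it reads each bundle’s Info.plist, lists the sensitive capabilities it requests, and notes whether the bundle sits inside /Library/Widgets/ (no dialog) or outside it (one dialog on first load). The Info.plist key names are taken from Apple’s Dashboard widget reference rather than from this page, and ~/Library/Widgets as the per-user landing folder for auto-installed widgets is an assumption; the sample bundle is constructed so the script runs offline.

```python
import plistlib
import sys
import tempfile
from pathlib import Path

# Info.plist keys with which a widget asks for more than fetching Internet
# content. Key names come from Apple's Dashboard widget reference, not from
# the article above, which only names the categories of access.
SENSITIVE_KEYS = ("AllowFullAccess", "AllowSystem", "AllowJava",
                  "AllowFileAccessOutsideOfWidget", "AllowInternetPlugins")
SYSTEM_WIDGET_DIR = Path("/Library/Widgets")  # the folder Apple exempts from the dialog

def classify_widget(bundle_path, info):
    """Return (risk, requested_keys) for one widget bundle and its Info.plist dict.
    "ok": nothing sensitive requested; "prompted": sensitive access requested
    from outside /Library/Widgets, so the user sees a dialog on first load;
    "no-prompt": the same request from inside /Library/Widgets."""
    requested = [k for k in SENSITIVE_KEYS if info.get(k) is True]
    if not requested:
        return "ok", requested
    inside_system = SYSTEM_WIDGET_DIR in Path(bundle_path).parents
    return ("no-prompt" if inside_system else "prompted"), requested

def audit_widget_dir(directory):
    """Scan *.wdgt bundles in a folder such as ~/Library/Widgets (assumed to be
    where auto-installed widgets land) and return {bundle_name: (risk, keys)}."""
    results = {}
    for plist in Path(directory).glob("*.wdgt/Info.plist"):
        with open(plist, "rb") as fh:
            info = plistlib.load(fh)
        results[plist.parent.name] = classify_widget(plist.parent, info)
    return results

def make_sample_dir():
    """Constructed widget folder with one bundle asking for widget.system
    access, so the script runs without a real Dashboard installation."""
    tmp = Path(tempfile.mkdtemp())
    wdgt = tmp / "TeaPrices.wdgt"
    wdgt.mkdir()
    with open(wdgt / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "example.teaprices",
                       "AllowSystem": True}, fh)
    return tmp

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for name, (risk, keys) in sorted(audit_widget_dir(target).items()):
        print(f"{risk:9s} {name}  {' '.join(keys)}")
```

Run it with a real folder as the first argument (for example `python audit.py ~/Library/Widgets`) to see which installed widgets asked for more than web content.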

The Widget developer, stephan.com, concludes, “Apple has done a pretty good job of it – the only real change I would consider is re-thinking the logic behind autoinstall, and for heaven’s sake, please provide a way to remove widgets, ideally from outside the Dashboard.”

54 Comments

  1. Yea….heard about this. Goes to show…the more you add to an OS…the more doors you open to attack. This is really a non-issue though. At least I hope. I’m sure this will be fixed/taken care of soon. That’s what is nice about the Mac crowd…always looking out for their buddies.

  2. The solution to the problem is to disable the “Open “safe” files after downloading” option in Safari’s preferences.

    The widget at that site will just download as a zip file to the location you specified in Safari’s preferences.

  3. Also…

    If you have Little Snitch, it will ask you if you want to allow net access to any app (including widgets)… this will help stop malicious widgets from accessing the internet.

  4. Why would a Widget be allowed to access things on a users’ computer (aside from writing a pref file)?

    Isn’t the purpose of the widget to only get contents from the Internet?

    I hope Apple fixes this promptly (which I believe they will).

  5. Hopefully Apple will make some changes and reduce the possibility of this becoming a problem. Not auto installing into the Widgets directory would be a start. Especially since if it’s autoinstalled it doesn’t ask for permissions..oops.

    Also an uninstaller would be nice. But in the meantime do a search for Widget Manager on Versiontracker and you will find a nice pref pane that can disable and uninstall widgets from the system preferences.

    MW: problem

  6. This is very bad…

    an auto install of an application/program with a malware, virus or spyware payload.

    This is what is going to happen: go to a site, and an onload() function will install the widget with the payload. A hidden (1px transparent) widget will be installed and it will delete/destroy your data.

    Soon Apple will have more viruses (not just less) than Microsoft Windows…
  7. Yeah, that auto-install thing has GOT to go. It’s just plain stupid. This also points something interesting out. It confirms that the Mac is secure because it’s secure, not just because of market share. The second there’s a hole, people will exploit it.

  8. I also protected my widgets folder. This forces the widget to install on the desktop. I think I will do this to client machines on a regular basis.

  9. More blah blah blah from Sputnik. As everyone who has installed software on OS X knows, one has to authenticate and give explicit permission for an application to alter system files. The fact that the “Open safe files after downloading” option is checked in Safari doesn’t mean anything much; all that happens is that the widget is installed in the widget directory, it doesn’t run automatically. One still actually has to RUN a malicious widget from Dashboard for it to do something. This is more of a problem with the user installing untrusted software, in my opinion.

  10. Putznik,

    This is nothing. People in the real IT World see what’s really going on and in ever-increasing numbers, they are switching to OS X… which has NO VIRUSES or other malware associated with it. Meanwhile, you and Bill Gates and Monkey Boy will writhe and scream in pain each time the AAPL market-share stats are released.

    Poor Putznik… out there floating in his tin can. Planet Earth is blue, and there’s nothing you can doooooooo….

  11. To all you “this is nothing” people —

    Malware is *sneaky*, that’s kind of the point. The fact that you have to OK the install is only one level of protection. Nobody who’s not a network administrator (and even some of them) is as paranoid as they ought to be. If I go to a site that says “Here’s a widget that shows the price of tea in China,” and it says “click OK to install,” I’m gonna install it cuz I want it.

    Once it’s in, if it has system-level access to my drive, it could install StartupItems, delete files, and all sorts of awful things while it’s happily telling me how much Tea costs.

    They gotta close that, and FAST. PC people are switching right now, thanks to the Mini. The idea that Tiger is shipping on all the new systems, with all its bugs, is bad enough; if there’s a Windows-style security flaw in one of the “cool new features”, that could put a stop to the changing tide.

    MDN Magic Word: “came”. They came, they saw that it wasn’t so great after all, they went back to Windows.

  12. Ivanna Noe: “So what’s the absolute WORST thing that could happen with some malware written this way?”

    I love the attitude of most people on this – if malware is on a Mac, so what? But if it’s on Windows, Windows sucks.
    If someone sticks something in your Mac computer it’s okay.
    Sheeesh!!!
    ——

    And why couldn’t you install a legit widget (the weather), but that widget is transmitting things of interest from your computer to another website – like email addresses, passwords, etc, etc, etc.???
    How would you know?

  13. If it is true (???) that you must approve the install of any widget, and they CANNOT autoinstall, this is only a minor annoyance. What exactly should Apple do, NOT permit installs of widgets that you want to have? Seriously, and that wasn’t sarcasm–it was aimed at those more knowledgeable than I am. What is the alternative?

  14. Anyone notice how the weather widget is not very accurate? Can you change the place it gets updated from?.. ’cause “Accuweather.com” ain’t very accurate, and yes it’s on the proper city, Minneapolis, MN.

  15. Helen o’ Troy,

    Although you were not addressing my question, I see how my post could be construed as being a “so what” attitude, so I’ll rephrase:

    Anyone know if a widget could actually do harm to data and/or system? I would assume (perhaps incorrectly) that the widgets won’t have access to write to those data files, or to access system files. What about installing other software? Perhaps they don’t have that access.

    I could be wrong. Obviously they can access my Address Book, so they could transmit that data. Seems they could access other things as well.

    Now, I also thought that there was something in the Dashboard where it doesn’t activate until you go to the actual Dashboard. If you saw a widget that should not be there, you should be able to get rid of it, right? While not ideal, at least it’s better than having some hidden program running that you cannot see.

    I do agree that Apple needs to do something about this ASAP. Seems that the solution should be fairly simple for them, and perhaps we’ll see a fix before the week is out.

  16. OK, guys, let’s keep it civil. Tiger is brand new. Dashboard and Widgets are brand new. It’s disappointing that Apple hasn’t noticed this vulnerability, and especially as no-automatic-installation has been such a strong part of OSX security. I’ll bet all the “I’m waiting for the problems to be fixed” late adopters are ROFLing right now. Hopefully 10.4.1 will address this; until then it’s safe-computing mode: every strange file is potentially a menace, don’t download from anyone you don’t know…

  17. What helen said is true, the usual tunnel vision of the devotees is apparent in this case.

    At any rate, Windows still leads a zillion to one as far as malware goes.