“One developer claims to have found a security hole in Apple’s new Tiger operating system. According to his website, Apple’s highly touted Dashboard technology, found in the new version of Mac OS X 10.4, has a security vulnerability that could cause malicious third-party sites to auto-install a Widget, a small program designed to display Internet content on the desktop,” MacNN reports.
“If you’re running Safari on OS X Tiger and go to this website, a ‘slightly evil’ Dashboard widget will be automatically downloaded and installed and can’t be removed without manually removing the file from the Library folder and rebooting the computer.”
MacNN reports, “The author says it is a demonstration of ‘how easy it is to exploit Dashboard for nefarious purposes.’ A subsequent discussion by the author outlines other ‘more evil’ exploits of the security hole.”
Full article, with the link to the demo widget site, here.
Slashdot has a discussion regarding this here.
Apple’s developer pages regarding Dashboard Security note that if a Widget attempts to access your file system, Java applets, or other sensitive parts of your system, and the Widget is located outside of /Library/Widgets/, a dialog is presented to the user on the Widget’s first load. The dialog asks the user whether or not they want to use the widget. If the request is approved, the widget is loaded and granted access to the resources that it requested.
The issue, of course, is that a nefarious Widget could promise you something wonderful, entice you to allow it to load, and then do something unexpected. Apple’s Dashboard Security page is here.
The Widget developer, stephan.com, concludes, “Apple has done a pretty good job of it – the only real change I would consider is re-thinking the logic behind autoinstall, and for heaven’s sake, please provide a way to remove widgets, ideally from outside the Dashboard.”
Can you say Mac OS 10.4.1 update?
Sure you can!
One more thing about accuweather.com. They and TWC are trying to get a bill passed in Congress that will prevent the National Weather Service from providing weather information other than emergency information. They are calling it unfair competition since the NWS is providing their info for free.
I’m sure Apple will address this quickly, but it seems to me that you’d be safe as long as you only downloaded widgets from Apple’s website in the meantime.
How about just downloading Apple-approved widgets? It seems that the Apple library would be the first place to go and see if a particular widget is available. Got to keep it skeptical, people.
Doh!
Should have read till the bottom.
freebee – Here is a good article expounding on exactly the point you make – the Mac Community has ZERO tolerance for security holes – we keep our neighborhood nice – and THAT is a very big reason why OS X is so much more secure.
http://daringfireball.net/2004/06/broken_windows
“This is nothing. People in the real IT World see what’s really going on and in ever-increasing numbers, they are switching to OS X… which has NO VIRUSES or other malware associated with it. Meanwhile, you and Bill Gates and Monkey Boy will writhe and scream in pain each time the AAPL market-share stats are released.”
How’s life over the rainbow in the land of make believe Mac Yak? People in the “real IT world” prefer Linux over OSX for a Windows-alternative OS, as market share stats show. Tiger has a string of vulnerability issues (not just what was mentioned in this article) that need to be addressed before you try to convince anyone to switch for that very same reason.
Rather annoying of course, but then again Tiger’s only been out for a few weeks… there’s always going to be a few necessary security fixes. In comparison, how many people are actually still using OSX 10.3.0 instead of one of the later updates?
this is quite interesting, i might have to play around with it. the first thing that springs to mind is a transparent widget that when run would just erase the entire HD.
thats quite scary
don’t see what the massive fuss is about
i’ve never had autorun “safe” downloads on
i’ve never installed a widget straight into my widget folder, i’ve always run them from the desktop first, this will run the widget but not install it
and since i use a regular user account and keep a separate admin account it will require a password before installing it on the hard drive anyway
to paraphrase mattyg, a windows operator regarding malware, etc. on windows computers:
“don’t see what the massive fuss is about
I got my anti-virus and malware software that keeps my system clean.”
C’mon people – the average person knows zip about their computer (Apple or Windowz) – and knowing or wanting to monitor admin and user accounts, weeding things out of the /Lib folder, etc., etc., etc. is tech-talk mumbo jumbo.
Apple is supposed to be easy, no maintenance, no worries OS, remember???
You guys are all sounding like Windows owners:
No problems with malware or viruses if I get it, I just weed it out, gee, so what?
Dashboard widgets seem like the perfect Trojan Horse tool to tap into anyones computer.
MDN with your new dashboard widget – if I put it on my computer is it sending back data/info/anything from my computer to yours??????
Is there any way to open up a widget and see all the code and crap that it has in it to get it to work, so one could see if it’s sending data from my computer to another or doing some other mischievous thing that I don’t know about????
helen
fair point but doesn’t the below document not cover a lot of security issues?
http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/
anyway the way i have my system setup does prevent a lot of flaws affecting me, this being one of them, but this problem should be fixed, just like the first problem that was found with safari auto opening things
p.s. good guess on the windows owner bit, it’s true i use one for games occasionally and switched to mac about a year ago *hangs head in shame for the past*
But what stops a widget that I okay to be on my computer from snooping around at what is inside and forwarding to some place???
Soon there will be zillions of weather, stock, whatever widgets out there – which is the good one which is the bad one that is malware in disguise???
All that document discusses you reference is:
“The dialog asks them whether or not they want to use your widget. If the request is approved, your widget is loaded and granted access to the resources that it requested. The request is not repeated on subsequent loads if approved. If the request is denied, your widget is not allowed to load. If your widget is loaded again, the request is made to the user again.”
Once it’s loaded, it’s too late.
And from the story above:
“If you’re running Safari on OS X Tiger and go to this website, a ‘slightly evil’ Dashboard widget will be automatically downloaded and installed and can’t be removed without manually removing the file from the Library folder and rebooting the computer.”
How is the average person supposed to know this? Go to the Library? My parents can barely figure out how to send email and you think they are going to go rooting around their computer????
Soon there will be calls for loading the OSX with or without dashboard installed….
Come on everyone, do some research before blasting off at the mouth.
1. Technically, any program or web page could transmit/receive personal data. Preferably, you should research each developer/company and decide whether to install a program, even the programs you buy in the store. It’s called being responsible for your purchases and yourself.
2. Widgets are not compiled. They are HTML, CSS, and JavaScript, hence human readable. Just bring up the contextual menu for the widget in the Finder using Control-click with the mouse, or the secondary mouse button (if using a mouse with more than one button), or the Action button in the Finder toolbar and select “Show contents”. Then open each file to figure out if it will do what the developer claims. You can’t do this with compiled programs and hence widgets can be safer since they’re “open source” if people take the time to get them confirmed by someone knowledgeable.
3. Once inside a widget, any piece of a widget can be opened by double-clicking. It will open in your default browser. Safari will render the HTML and attempt to run it as a web page (this may or may not work depending on the widget), so consider opening the HTML in a text editor such as TextEdit as a safer option. However, Safari only shows the code for CSS files or JavaScript files, i.e. it doesn’t execute CSS or JavaScript files by themselves.
4. As mentioned several times already: widgets have to be dragged from the Widget bar and dropped onto the Dashboard before they will be activated. Otherwise, even though widgets are installed they never do anything by themselves. You have to do something more to make them work.
Essentially, even with auto-install (which I don’t support), a person still has to cock the gun, aim the gun at one’s foot, and then shoot oneself in the foot. And yes, almost every one of us will do something like that on the spur of the moment at some time in our lives, ignoring all of the warning signs.
But this innate curiosity we have can also help protect us if we also use it to ask questions: Who made this widget? Are they trustworthy? Should I ask someone else whether this widget is safe? Should I wait until other people more gullible than me test it out first?
Those are similar questions to ask when purchasing any software, reading any email, purchasing any product (TVs, cars, toothpaste, etc.), and even reading any information in the media (trustworthy?, references?, sources?, other opinions?).
As individuals we have to take responsibility to look out for ourselves. Who goes to the produce section in a grocery store and just grabs some vegetables without considering whether the food is overly ripe or rotten? Even if you don’t check, you still have to properly prepare the food before eating it. If you choose to bypass any of those steps or refuse to ask yourself any of those questions, you may find many people aren’t going to be very sympathetic to your predicament. You loaded, cocked, aimed, and shot yourself in the foot.
As a side note, restart really shouldn’t be necessary after removing a widget. Has anybody tried simply to logout and login again? Or has everyone forgotten the advantages of having user accounts? That should be much quicker than rebooting if you’re having widget troubles.
MW: straight, as in “Go straight to the source”, as in the source code.
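Thom Peters II’s advice above (Show Contents, then read the HTML and JavaScript) and the first-load dialog rule from Apple’s documentation quoted earlier can both be scripted. The following Python audit is an added example, not code from the page, from MacNN or from Apple: it lists the access keys a .wdgt bundle declares in its Info.plist (key names taken from Apple’s Dashboard documentation; the page describes the dialog but does not name them), finds scripts that call widget.system(), and notes whether the bundle’s location would trigger the dialog. The sample bundle it builds is constructed for the demo.

```python
import os
import plistlib
import re
import tempfile

# Info.plist keys a Dashboard widget sets to request privileged access (Apple Dashboard docs).
ACCESS_KEYS = ("AllowFileAccessOutsideOfWidget", "AllowFullAccess", "AllowInternetPlugins",
               "AllowJava", "AllowNetworkAccess", "AllowSystem", "Plugin")
SYSTEM_CALL = re.compile(r"widget\.system\s*\(")  # Dashboard API that runs shell commands
SYSTEM_WIDGET_DIR = "/Library/Widgets"            # widgets installed here load without a prompt

def audit_widget(bundle_dir):
    """Report what a .wdgt bundle asks for and which of its scripts shell out."""
    with open(os.path.join(bundle_dir, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    requested = sorted(k for k in ACCESS_KEYS if info.get(k))
    callers = []
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            if name.endswith((".js", ".html")):
                with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                    if SYSTEM_CALL.search(fh.read()):
                        callers.append(os.path.relpath(os.path.join(root, name), bundle_dir))
    outside = not os.path.abspath(bundle_dir).startswith(SYSTEM_WIDGET_DIR + os.sep)
    return {
        "requested": requested,
        "system_callers": sorted(callers),
        # Apple's rule as quoted on the page: dialog only for widgets outside /Library/Widgets.
        "prompts_on_first_load": bool(requested) and outside,
    }

def make_sample_widget(parent):
    """Constructed sample bundle (not a real widget) that declares shell and network access."""
    bundle = os.path.join(parent, "Sample.wdgt")
    os.makedirs(bundle)
    with open(os.path.join(bundle, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "example.sample", "MainHTML": "sample.html",
                       "AllowSystem": True, "AllowNetworkAccess": True}, fh)
    with open(os.path.join(bundle, "sample.js"), "w") as fh:
        fh.write("function tick() { widget.system('/usr/bin/uptime', null); }\n")
    return bundle

def demo():
    """Build the sample bundle in a temp dir and audit it; returns the report dict."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_widget(make_sample_widget(tmp))

if __name__ == "__main__":
    print(demo())
```

Run audit_widget() against a real bundle path to see its declared access keys before dragging it onto the Dashboard; a widget that declares AllowSystem deserves a read of the files it names.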
How about this: if Apple took responsibility for confirming the safety of (and offering approval of) all widgets by listing valid ones on their website (like they do for Quicktime movie trailers). Then while there would be other widgets out there, only downloading the Apple-approved widgets would protect you from nefarious mal-widgets (m’idgets?).
To Thom Peters II
Thanks for being rational. The windoze trolls on here are gleeful at a piece of malware. Woohoo! So, for them, all machines must be crap as I can easily write a program that erases a hard drive and get a user to run it. Using their logic, there is no safe OS. I wonder what they do when they’re not pestering this site – have their diapers changed?
Does Tiger still ask for admin passwords when installing stuff? (Haven’t tried it yet). Maybe Apple should introduce a system where it asks for your password when you’re downloading stuff too. Could be a pain in the a$$ though.
for the love-if you’re so worried….just uncheck “open ‘safe’ files after downloading” in safari prefs…is it seriously that hard…….
The problem here is in TIGER’S, auto-download, auto-install and auto-run features – In its default state, Safari is set to open “safe” files after downloading – TIGER takes that a step further by automatically putting that WIDGET file in the appropriate directory in your user account – this is clearly NOT a good idea – anyone could make a widget that is malicious in intent that is AUTOMATICALLY installed on your system under TIGER. The way Dashboard has been designed is to blame – almost as if Apple couldn’t conceive of malicious intent … I expect 10.4.1 to be held up until Apple get a handle on this. I can’t believe they let this through.
Magic word: “average” – how I’m feeling right now.
So to summarize:
1. Current setup is not as secure as it could be; turn off Safari auto open. Protect your widget folder so all widget downloads don’t get installed there automatically.
2. The concept of being able to do something “evil” is theoretically possible but not very practical with step one done and some other suggested modus operandi as described by Thom Peters II.
3. Our trolls and the yellow dog journalist are in a feeding frenzy over this thing: the proverbial ant being made into a big ass hill.
4. Winblow$ is still shit and Mac OS X Tiger still ROCKS!
Cheers!
5. Macmania lives in a gilded, rose-colored world where Macs can do no wrong, but in 2 years when the next MacOS comes out he will be telling us he can hardly wait for it to come out because Tiger has some “serious issues”…just like he said about OS 9 and the first OSx versions…
6. MacMania has never owned a PC in his life, plays games on one when he is visiting friends…
thom Peters II – please download the MDN widget and show us the code to see what it is made up of….
All it takes is one malware or virus or something to be introduced/injected by the Dashboard system into a Mac computer and the press and windows flamers will be all over this.