The Mac Observer

Developer Demonstrates Dashboard Exploit [UPDATE]

by , 10:45 AM EDT, May 9th, 2005

A developer has demonstrated a Dashboard exploit in Mac OS X 10.4 "Tiger" that a malicious Web site owner could use to install Widgets you might not want on your Mac. Writing under the name of Stephan.com, the developer said that a combination of Apple's lack of documentation for removing Widgets, Safari's download controls, and a Widget feature all make it possible for the bad guys to use Dashboard to take you to any Web site of their choosing, hijacking Dashboard for their nefarious purposes.

At issue is a feature in Safari called "Open safe files" that is turned on by default. This feature lets your Mac automatically open image files, PDFs, movies, disk images, and other file types considered safe as soon as they are downloaded. Unfortunately, downloaded Widget files are on that list too, and a Widget is installed the moment it is opened.

When combined with the ability to automatically download a file when visiting a Web page (an HTML feature not limited to Safari), Stephan.com demonstrated how easy it is for a Web site operator to autoinstall a Dashboard Widget without the consent of the user.

Where this really becomes a problem, however, is what the Widget's designer makes it do. According to Stephan.com, a Widget can be made to do such things as automatically send the user to a given Web page whenever the Widget is clicked on, and even when the user simply switches to Dashboard.

"This could be taken further, of course," wrote Stephan.com, "using all the nasty tricks developed by the [porn] industry over the last few years - opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open."

What makes the issue particularly difficult to deal with, according to Stephan.com, is Apple's decision not to provide a documented way to remove Widgets once installed. In fact, Apple's Mac OS X Help files state specifically that "You cannot remove widgets from the Widget Bar or change their order."

The workaround is to manually remove the offending Widget from your ~/Library/Widgets directory and then reboot your Mac, but this is something that many, if not most, users won't know how to do. That means that for many people, once a malicious Widget is installed, it's going to stay installed.

He details further potential problem areas on his Web site. Please note that visiting the demonstration page with Safari in Tiger with the "Open safe files" option turned on will install his demonstration Widget, called Zaptastic, into your Dashboard panel.

Warning: In his discussion of the issue, Stephan.com links to (but does not display) a porn image that many will find offensive and/or disturbing.

Update: A safety precaution for those worried about these problems is to turn off "Open safe files" in your Safari general preferences. This will not prevent someone from auto-downloading a Widget to your system, but it will prevent it from being auto-installed.
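A defender's complement to the manual cleanup described above, and to the point made in the comments below that a Widget can run shell commands, is to know what is actually sitting in the widget directories and what each bundle asks for. The following is an added example, not code from the article or from Stephan.com's demonstration: it walks the widget directories named on this page, reads each .wdgt bundle's Info.plist and flags bundles that request shell access (the AllowSystem key, which is what enables widget.system()), full access, out-of-bundle file access or network access. The key names are Apple's documented Dashboard Info.plist keys; the sample bundles are constructed in a temporary directory so the script runs offline.

```python
"""Audit Dashboard .wdgt bundles for Info.plist capability keys (added example)."""
import os
import plistlib
import tempfile
from typing import Dict, List

# Capability keys from Apple's Dashboard widget Info.plist documentation;
# AllowSystem is the one that lets a widget run shell commands via widget.system().
RISKY_KEYS = ("AllowSystem", "AllowFullAccess",
              "AllowFileAccessOutsideOfWidget", "AllowNetworkAccess")


def audit_widget_dirs(dirs: List[str]) -> List[Dict]:
    """One report per .wdgt bundle found; unreadable plists are reported, not skipped."""
    reports = []
    for d in filter(os.path.isdir, dirs):
        for name in sorted(n for n in os.listdir(d) if n.endswith(".wdgt")):
            path = os.path.join(d, name)
            report = {"path": path, "identifier": None, "flags": [], "error": None}
            try:
                with open(os.path.join(path, "Info.plist"), "rb") as fh:
                    info = plistlib.load(fh)
                report["identifier"] = info.get("CFBundleIdentifier")
                report["flags"] = [k for k in RISKY_KEYS if info.get(k) is True]
            except (OSError, plistlib.InvalidFileException) as exc:
                report["error"] = "unreadable Info.plist: " + type(exc).__name__
            reports.append(report)
    return reports


def make_sample_widget(root: str, name: str, info) -> str:
    """Construct a minimal .wdgt bundle; `info` is a plist dict or raw bytes (corrupt case)."""
    path = os.path.join(root, name + ".wdgt")
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "Info.plist"), "wb") as fh:
        fh.write(info if isinstance(info, bytes) else plistlib.dumps(info))
    return path


def run_sample_audit() -> List[Dict]:
    """Audit three constructed bundles: clean, shell-enabled, and corrupt."""
    tmp = tempfile.mkdtemp()
    make_sample_widget(tmp, "Clock", {"CFBundleIdentifier": "com.example.clock"})
    make_sample_widget(tmp, "Zap", {"CFBundleIdentifier": "com.example.zap",
                                    "AllowSystem": True, "AllowNetworkAccess": True})
    make_sample_widget(tmp, "Broken", b"not a plist")
    return audit_widget_dirs([tmp, os.path.join(tmp, "missing")])  # missing dir is skipped


if __name__ == "__main__":  # on a Mac, also pass ~/Library/Widgets and /Library/Widgets
    for r in run_sample_audit():
        print(r["path"], r["identifier"], r["error"] or ", ".join(r["flags"]) or "ok")
```

A flagged key is not proof of malice (legitimate widgets use AllowSystem too), but an unfamiliar bundle that appeared without your consent and asks for shell access is exactly the one to remove.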

Observer Comments

Name: Small White Car | Posts: 1960 | Joined: 02 Jul 2004
Subject:

So if I'm reading this right, as long as I only download Widgets from trusted sites (like Apple.com) then I should be ok?

I'm guessing the eventual fix to this will be to disable the automatic opening of the Widget. Well, and an easy way to remove it. You could still load a bad one on purpose if it's mislabeled.

But hey, this wouldn't ACTUALLY happen, right? I mean, everyone's been telling me for years that the only reason Macs don't have viruses is because the market share is so small. So that means no one would take the time to write bad Widgets either! Right?

Name: Guest (comment collapsed)
Subject: Mac Users should Call Apple on this one
Name: kenaustus | Posts: 601 | Joined: 27 Jun 2003
Subject: Oooops

Stephan has done us a bit of a favor identifying a potential problem for users of Widgets and identified a need for users to find and download Widgets from safe sites, like Apple.com.

It also presents a good opportunity for others (like TMO) to review and list Widgets that are "safe" and, hopefully, generate a little bit of revenue from the service. Maybe TMO can provide a page called "The Widget Shop" where we know the code has been checked and cleared.

This brings into focus that Widgets are programs and, like any other program, can be either good or dangerous.

Name: sbstaskiewicz | Posts: 2 | Joined: 09 May 2005
Subject: Widget Manager available on VersionTracker

Just released this morning is Widget Manager 1.0.1, which "is a Preference Pane for OSX 10.4 that allows you to inspect, remove, and disable Dashboard Widgets. To remove a widget without it, you would have to browse your Library/Widgets folder, delete the .wdgt file, and either log out or force-quit the Dock... what a pain!

Widget Manager also shows you the version numbers of widgets installed on your system, so you know when it's time to look for updates. It can also disable Widgets you don't want cluttering up the Widget bar, but don't necessarily want to delete, either.

What's new in this version:
Widget Manager will now show Widgets in the system Widget library folder.
Widgets are now sent to the Trash, rather than deleted immediately.
Widgets which cannot be deleted will be shown as read-only.
Minor bugfixes and improvements."

I think this should handle removing and knowing what widgets are on your system. Once again, it comes down to people being aware of what they are doing. Common sense is all it takes.

Name: ireid2k | Posts: 125 | Joined: 07 Apr 2003
Subject: Firefox forever!

Well, it ain't a solution, more an opinion. lol Prefer Firefox actually.

Name: Guest (comment collapsed)
Subject: Safe widgets comments
Name: John F. Braun (TMO Staff) | Posts: 229 | Joined: 11 Jun 2001
Subject: Yay Paranoid Android

Glad I installed Paranoid Android during the last big Mac OS X malware scare. It detected the odd type of URL used to install the widget, and allowed me to block it. But, like the last malware scare, those with less than honorable intentions could install a nasty widget.

Name: Mikuro | Posts: 451 | Joined: 15 Jun 2002
Subject: Shame on you, Apple

The possibilities of this extend far beyond "opening unwanted web sites". A widget can execute shell scripts. That means it can, quite trivially, erase your entire hard drive, or do pretty much anything. (Source: http://www.macosx.com/forums/showthread.php?t=52482 )

And the whole point here is that it doesn't require you to download the Widget yourself. So the whole "only download from trusted sources" thing (which is not an acceptable solution anyway) is irrelevant.

This is truly a Microsoftian security hole, and it should NEVER have made it through the front gate. Safari's "Open 'safe' files after downloading" feature has always been ill-conceived and dangerous. Personally, I think it just needs to go outright. Or at the very least, make it a little smarter!

I'm really disgusted at Apple. I'm sorry, but we Mac users have just officially lost the right to talk about security.

Name: Guest (comment collapsed)
Subject: whine, whine, whine...
Name: Billy K | Posts: 297 | Joined: 06 May 2004
Subject: Awful. Fix it Immediately.

This is, truly "Microsoftian" in lack of foresight. If Apple doesn't address this immediately, it's gonna get out into the press, and all those years of creating a locked-down, safe, virus-free OS will be down the toilet. Once OSX is just as bad as Windows in the average user's mind, a HUGE advantage Apple has will be erased.

Fix it now, Apple. This could blow up in your face.

Name: Stormbringer | Posts: 28 | Joined: 13 Apr 2005
Subject: I guess billg was right

Apple is copying Microsoft. Now anyone can automatically download something onto my machine that I don't want.

Do the widgets install without asking for the admin password? I know it can be a pain having to type the password in, but it's the safest way to know what goes on your machine.

Name: Guest (comment collapsed)
Subject: I guess billg was right
Name: Guest (comment collapsed)
Subject: Two things going on here..
Name: Biff | Posts: 1479 | Joined: 08 Apr 2004
Subject:

Yeah, it's not like I am going to be installing 10 widgets per minute. I agree with the password prompt idea.

Name: Guest (comment collapsed)
Subject: Blah blah blah - a non-issue (but it will be fixed anyway)
Name: Guest (comment collapsed)
Subject: Two things going on here..
Name: jimothy | Posts: 594 | Joined: 04 Jun 2004
Subject: Widget running shell script

Quote
Mikuro wrote:
The possibilities of this extend far beyond "opening unwanted web sites". A widget can execute shell scripts. That means it can, quite trivially, erase your entire hard drive, or do pretty much anything. (Source: http://www.macosx.com/forums/showthread.php?t=52482 )

It's bad, but not quite AS bad as you claimed. It could erase your entire home directory, but not the entire hard drive. It'd need root access to do the latter. Still, that would be one nasty widget.

But, don't forget that you need to do more than just visit the page: You have to drag it from the widget bar before it can do any damage. I'm not saying this isn't a potentially serious problem, but anybody could write a "normal" application that'll also erase your home directory, for any platform (Windows, Mac OS 9 and X, Linux, etc.).

Name: Guest (comment collapsed)
Subject: hmm...
Name: Guest (comment collapsed)
Subject:
Name: Engine Joe | Posts: 413 | Joined: 29 Jun 2004
Subject:

Quote
Anonymous wrote:

Sorry, but life just got a little bit harder for Mac users.


Well, only those who keep "open safe files" checked in Safari.

Name: Planeten Paultje | Posts: 71 | Joined: 15 Apr 2004
Subject: I prefer to be in the loop when installing software

So I made the ~/Library/Widgets folder "No Access" (chmod 000). I don't want any widgets there anyway, I want them in /Library/Widgets.

I only use my admin account for maintenance, never for daily work.

Name: Guest (comment collapsed)
Subject: Tiger Fixes
Name: Small White Car | Posts: 1960 | Joined: 02 Jul 2004
Subject: Re: Tiger Fixes

Quote
Anonymous wrote:
I expect both Apple and third party companies (HP, Symantec, qualcomm etc..) to fix most of these issues in the coming month or so. Or at least I hope so.


It looks like many of your issues are on the list to be fixed in 10.4.1

http://www.appleinsider.com/article.php?id=1058

Hard to say for sure, the descriptions are still kind of vague. But it looks like you'll be happy with it. They're saying you'll see it before the end of the month.

Name: macdude | Posts: 10 | Joined: 27 Aug 2004
Subject: Mac Freezes

I'm not sure that your mac freezing is a Tiger thing. My PowerBook has started freezing the exact same way since the last security update and I'm not running Tiger on it. Once it goes to sleep, with the lid open, for a long period of time it will not wake up. If I close the lid, it works fine. Go figure.

Name: ventifact | Posts: 1 | Joined: 09 May 2005
Subject: Trojan Widgets

My Mac life was pretty good before Dashboard, so I've taken it upon myself to totally uninstall it and the widgets associated with it!

Name: Guest (comment collapsed)
Subject: More.. Mac Freezes
Name: Guest (comment collapsed)
Subject: Wake up
Name: Guest (comment collapsed)
Subject:
Name: Guest (comment collapsed)
Subject: Man, just
Name: Guest (comment collapsed)
Subject:
Name: Small White Car | Posts: 1960 | Joined: 02 Jul 2004
Subject: Re: Man, just

Quote
Anonymous wrote:
a week ago all the mac people on these forums were praising Tiger and how badass it is. All I can do now is laugh laugh laugh laugh laugh.


Wow, just think how hard you'll laugh when someone actually makes a widget that does all the stuff people are talking about here.

Be sure to tell us when you find one! I'm sure that will make you really happy.

Name: Guest (comment collapsed)
Subject: Widgets last week.
Name: Small White Car | Posts: 1960 | Joined: 02 Jul 2004
Subject: Re: Widgets last week.

Quote
Anonymous wrote:
It will make me happy when you go on thinking like you do and all of a sudden your computer is gone. Remember, Windows users were just like you mac users, unconcerned about security, thinking the OS was untouchable.


Right, but when a problem like this comes up Mac users talk about it to death, come up with temporary solutions, and Apple fixes them before they become actual problems.

You act like finding this problem is a bad thing. It's BECAUSE we find problems like these (and Apple fixes them swiftly) that we're safer. Compare that to MS which takes months to fix something, and even then it's usually not totally fixed. (See IE, for example.)

Why is it that Firefox was able to come in and make a much more secure browser than IE is? Maybe it's because MS users DON'T go onto message boards like these and talk about security problems. Instead, you come to Mac boards and tell us about our problems. Spend some time complaining to MS like we do to Apple and maybe your situation will get better.

Name: Guest (comment collapsed)
Subject: And who said I use MS?
Name: Small White Car | Posts: 1960 | Joined: 02 Jul 2004
Subject: Re: And who said I use MS?

Quote
Anonymous wrote:
Such a smart one you are.


I'm glad we can agree on something.
