Tiger Update Patches Dashboard Security Hole [UPDATE]

Apple has patched at least some aspects of a Dashboard security hole in Mac OS X 10.4, Tiger. The company included the patch in the Mac OS X 10.4.1 update released on May 16th, 2005, but as noted by eWeek, just made the details of the security features of the update available today. Other security problems addressed in the 10.4.1 update include a Bluetooth issue, two problems with the kernel, and a means of getting around a screen saver.

The problem with Dashboard was first by Stephan Meyer, writing under the pseudonym Stephan.com. Mr. Meyer found that one could use Safariis auto-open safe files to force people visiting you Web page to download and install a widget without the user knowing. He further found that said widget could be made to do malicious things that could compromise a Mac, or make it unusable (see TMOis full coverage for more information).

Apple addressed at least part of this concern in the 10.4.1 update by closing the ability for Widgets to install themselves without permission.

"This update blocks the automatic installation of Dashboard widgets," Apple wrote in a security update document published Friday, May 20th." Mac OS Xis Safe Download Validation warning is enabled, requiring user approval before a Dashboard widget is installed by Safari. This issue does not affect Mac OS X versions prior to 10.4. Further information on removing Dashboard widgets that you have installed is available here."

The Bluetooth security hole patched could have allowed an attacker to access files outside of the designated file exchange directory. Apple patched this by better filtering data being sent via Bluetooth.

The issues affecting screensavers allowed someone with physical access to a Mac to bypass password protection via a contextual menu option in order to open a URL from a text input field. In other words, someone could open a Web page, whatever it may contain, by typing in a URL into one of the text fields, and right clicking (or control clicking) on it. The fix simply removed the contextual menu from screensaver text input fields.

The two kernel issues were more esoteric, but those interested can find full details in the security update document at Appleis Web site.