Malicious Web Pages Can Install Dashboard Widgets 610
bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.
yes but... (Score:5, Funny)
Yes, but do they install porn?
-SJ53
Well, Yes (Score:2)
Re:yes but... (Score:5, Funny)
I don't need to imagine, I'm running Windows XP.
"Solution" (Score:3, Informative)
But either way, if you installed Paranoid Android [haxies.com] (direct link [unsanity.net]) it will ask you to approve the url. And it is opensourced too.
Re:"Solution" (Score:3, Informative)
sudo chmod a-x
in the Terminal. Of course this prevents all Widgets from running.
Serves you right (Score:3, Funny)
Re:Serves you right (Score:5, Insightful)
Re:Serves you right (Score:4, Insightful)
That's quite apt. And I imagine you will be modded down due to the OS in question here.
When a Windows OS exploit is discovered there are thousands of zealots who scream "USE LINUX, STUPID" and "I use a Mac, there are not exploits for my OS" but whenever either of those OSes is found to have a flaw, those zealots are awfully quiet.
The best thing for me reading the comments so far has been the Mac users who point out that settings can be changed to allow or deny this action. They treat that like it's a magic feature only Mac has, when the truth of the matter is shit like that can be turned off in Windows also.
All of the common OSes can be locked down tight, IF THE USER CHOOSES TO. Every OS ships with the potential to be exploited, and even if it comes out the box secure, the user can always undo that.
I guess the difference is that when it's Mac OS, it's a big deal because someone actually bothered to write something malicious for a small segment of the computer population.
This is actually a good thing though. It lets all of you Mac users know that the security you've been taking for granted is only good as long as there is no attention on you.
Looks like this is changing.
Re:Serves you right (Score:3, Funny)
Re:Serves you right (Score:5, Insightful)
As for this vulnerability, it is Safari categorizing a Dashboard widget as "safe" when it clearly isn't. Yes, it's a vulnerability, one with an exploit already shown, and it needs to be fixed NOW. No one is saying Apple is perfect or OS X is immune, but so far there has been very little to point to in Apple's track record.
What's really important is Apple's response. Anyone post this in RADAR yet? "As Seen On TV", any thoughts from your unique position?
Re:Serves you right (Score:4, Informative)
No, it's Safari categorising a ZIP archive as safe. To quote Safari:
The ZIP archive extracts automatically, and just happens to place the file in ~/Library/Widgets/. Dashboard runs the Widget from there.
You're right, it's not safe. I think the solution to this should be to first of all disable the whole opening safe files functionality by default. The second should be to declassify archive files as 'safe' (with the exception of disk images), because it makes it easy to write files in this way.
Personally I've set administrator privileges on my ~/Library/Widgets/ folder so that I now need to enter a password to write to it.
Oh but it has, and you've proved part of my point (Score:5, Insightful)
Good thing it hasn't happened then.
Sure it has. Still does [secunia.com], past [utah.edu] and present [geek.com] examples.
Joke or not, your comment is indicative of the denial most Mac users seem to live in- "If it's not Windows, it's secure" and "If I don't hear about it, I must be OK" but the fact is that Mac OS X uses BSD, BSD has holes == Mac OS X has holes. Mac OS X is written by people who want users to have the easiest possible experience using their Mac. As a result, some of the things in place to make usability easier open up holes. This is the same for any OS. Anytime you cater to the user first and security second (or later) you will always ALWAYS provide someone else a way in.
I have no problem with using one OS or another, I use whatever the hell I need to get the job done- to me it's a tool, not a lifestyle. As such, I make sure my tools are safe and pay attention when someone says my OS has a hole or exploit or vulnerability, rather than just refusing to believe it's true.
Re:Oh but it has, and you've proved part of my poi (Score:4, Informative)
Re:Oh but it has, and you've proved part of my poi (Score:3, Informative)
Wow, have you got a lot to learn... Did you not read the article AT ALL? Claiming that the Apple system is a "properly layered security system" is an opinion, not a fact. Some might agree it is more proper than Windows XP. I'm not here to argue whether that is true or not. I'm here to argue that either 1) a properly layered security system doesn't give you a secure
Re:Oh but it has, and you've proved part of my poi (Score:3, Insightful)
Whatever. An exploit is an exploit. Patched or not, a hole is a fucking hole.
I use a Mac, I know damn well updates are up to ME to install if I choose so. Any exploit and vulnerability EVER found in a Mac still exists, simply releasing a patch DOES NOT MAKE IT GO AWAY.
Case in point, last week 20 patches for vulnerabilities for 10.3.9 were released. Those are fixed in 10.4. Does that mean the hole is plugged? NO. A patch was released and the new software doesn't have the flaw, but anyone still running 1
Re:Oh but it has, and you've proved part of my poi (Score:3, Funny)
I use a Mac
We could tell from your beret.
Firefox asks what to do (Score:3, Informative)
Re:Firefox asks what to do (Score:5, Informative)
Re:Firefox asks what to do (Score:4, Insightful)
Re:Firefox asks what to do (Score:5, Insightful)
Re:Firefox asks what to do (Score:2)
Re:Firefox asks what to do (Score:3, Insightful)
Same thing on my computer. I'm running Firefox 1.0.1 on FreeBSD, and the exact same thing happened. At least Firefox asked what to do with the file before downloading it, but still it is a bit weird.
I guess that you can run away from Windows and all of its problems with ActiveX and Internet Explorer, but you can't hide from all of the problems of Internet security. All this takes is for some clueless Mac users to just say "Yes" when Safari asks does the program want to be downloaded/run, and voila, they
widgets limited (Score:5, Informative)
Re:widgets limited (Score:5, Insightful)
Basically, bad apple bad. Fix.
Re:widgets limited (Score:3, Interesting)
Re:widgets limited (Score:5, Insightful)
Re:widgets limited (Score:3, Insightful)
So turn it off (Score:4, Informative)
So turn off the ability. In Safari, open Preferences, and on the first tab, de-select 'automatically run "safe" files upon download.' Then, it'll download it, and you can manually install the widget by copying it to
This was one of the first things I tweaked after switching to a Mac. I noticed it'd automatically mount disk image files, and I could see the potential security implication, so I found the checkbox and turned it off.
It's not rocket science, just basic research.
Re:widgets limited (Score:3, Informative)
I asked myself why such advanced coders provide plain sit, sitx, zip files for installing manually into the widgets directory (or anywhere) and require the user to double-click to launch.
Now I had my answer
Re:widgets limited (Score:2)
Re:widgets limited (Score:3, Informative)
Re:widgets limited (Score:2, Informative)
That ought to be a lot of fun, in addition to providing a way to run another OS on your Mac.
Re:widgets limited (Score:3, Funny)
> Like yourself and your hypocritical vulgar potty mouth?
Of course, we can't forget the "joke went *whooooosh* RIGHT over my head" crowd! Thanks for reminding us!
Re:widgets limited (Score:5, Interesting)
Unfortunately, code signing, as currently implemented and (mis)understood by users, is an all-or-nothing proposition. There are certainly legitimate uses for privileged mobile code, but most users don't really read or understand security warning dialogs, they just think "I just clicked the Start Game button, and now it's asking me if I really want to Start the Game. How stupid."
Marimba actually came up with a good partial solution ages ago. When their framework loaded and executed a Java app, the framework would closely manage exactly what resources could be exploited by the app. Each application's ability to read and write files was restricted by default to its own tiny corner of the filesystem, and the amount of space it could occupy with its files was constrained as well.
Note that Java's security manager infrastructure has allowed these sorts of fine-grained controls since 1.2 (circa 1998), but no one to my knowledge has yet found a way to effectively communicate to a user:
MSIE's concept of local policies set according to centrally defined security zones was a step in the right direction; it's too bad its development stalled when the Browser War was "won."
Re:widgets limited (Score:2, Interesting)
And in fact they often take up lots and lots of RAM.
A widget forkbomb wouldn't be so hard I don't think.
Widgets shouldn't be able to install this way.
Re:widgets limited (Score:5, Interesting)
True, but widgets can run external programs if certain permissions are set. The most insane part is that the widget itself sets the permissions it's allowed to have. Putting a key in the Info.plist file with "AllowFullAccess" set to "Yes" will allow the widget to run anything, access the network, etc. Basically at that point it's a full featured app. How hard would it be to make a widget that's invisible but periodically queries Safari's browser history, or songs played in iTunes, or does a Spotlight search for "password" and emails the results to some guy in Russia? The widget could even be invisible to the user, with a 1x1 transparent gif as its screen.
It seems really really dumb in this light to have Safari not only automatically download zip files, but uncompress them and if it finds a Widget bundle inside to install it. All without user intervention.
The really funny part is (Score:4, Insightful)
The unzip/install widgets thing wasn't a conscious decision. This is clearly a bug.
Re:The really funny part is (Score:3, Informative)
I have no idea how this potential exploit slipped past , bad show indeed and rather disappointing.
But clearly it is a bug not poor judgment.
Re:widgets limited (Score:2)
Glad I've stuck with 10.3 for now.
some guy in Russia (Score:3, Funny)
Just find this guy and kick his ass. Problem fixed, no need to patch shit.
Afraid that won't work cuz... (Score:5, Funny)
(Oh christ, why? The karma, it burns like my shame)
Re:widgets limited (Score:2)
Dashboard feels like it was really rushed out the door in general. Everyone I know who upgraded to Tiger had to go through a reboot to install their first widget, and I've managed to crash Dashboard several times now just by trying to write a simple widget. I agree that Apple didn't do its best work here (but I'm hopeful they can get it cleaned up, because outside of the bugs it's extremely handy.)
Although it's still better than the Mail.app UI changes they made (wtf were they thinking?!?)
Re:widgets limited (Score:3)
If the widget is added without requiring permissions, but as its first act modifies its own plist file, the next time Dashboard is run it is given permissions without asking the user since it is already added to the Dashboard.
That's the way it seems to work anyway.
Too integrated (Score:5, Insightful)
In soviet russia (Score:4, Funny)
HAH! (Score:3, Funny)
I can't afford to buy all the Apple "upgrades of the month."
1st real ad-ware? (Score:3, Interesting)
I know that Windows usually posts security fixes and doesn't address spyware exploits specifically in many cases -- it'll be interesting to see if Apple addresses this in 10.4.1 or if we see a patch sooner (or later!)
Re:1st real ad-ware? (Score:3, Interesting)
Yup, it's a bit like scripting in Outlook and ActiveX in IE; incredibly useful in a fully controlled environment, but incredibly vulnerable in the wild and hugely open to exploitation. I would have assumed Apple would've seen the fun and games that MS has had with scripting, embedding and browser/OS interaction over the years to not let something like this happen.
Micr
Yeah... (Score:3, Funny)
Yeah... I'm imagining those porn sites.........
Not much of a problem... (Score:5, Informative)
Re:Not much of a problem... (Score:3, Insightful)
Re:Not much of a problem... (Score:3, Insightful)
Re:Not much of a problem... (Score:5, Insightful)
Apple really screwed up with allowing dashboard widgets to be listed as a "safe" file and they need to patch this as soon as possible. This is one of the big problems with IE, that they went from "autoopen anything, even unsafe stuff" to "warn you about viruses when you try to download ANYTHING, including a PDF". Clearly identifying what is safe is as important as identifying what is unsafe, otherwise people just double-click everything they download not realizing it's a
Re:Not much of a problem... (Score:3, Insightful)
Wrong. Text files are "safe". JPEG files are "safe". Java applets are "safe". Flash is "safe". Any software written in a verifiable-bytecode-based, pointer-safe language with capability-based security should be "safe".
Obviously a dashboard widget should not be considered safe, but that doesn't prove that it's impossible to tell if a file is safe. It only proves that the Safari developers made a mistake when deciding what should be consi
Re:Not much of a problem... (Score:2, Funny)
hello.jpg, tubgirl, need I go on?
Re:Not much of a problem... (Score:4, Informative)
http://www.kb.cert.org/vuls/id/297462 [cert.org], http://www.linuxsecurity.com/content/view/102413/1 10/ [linuxsecurity.com]
Re:Not much of a problem... (Score:5, Insightful)
Which you should leave unchecked if you're not entirely stupid
I always thought that one of Apple's selling points was that they are made for non-experts. So giving users an option to potentially shoot their foot off seems to be a little unfortunate. Almost by definition, few people are experts.
Re:Not much of a problem... (Score:3, Informative)
The solution (Score:5, Informative)
It's just common sense anyways
Re:The solution (Score:5, Insightful)
It's just common sense.
Seriously though this is a very bad idea and apple needs to fix this ASAP.
uh... (Score:2, Funny)
Awww...How cute! (Score:4, Funny)
Re:Awww...How cute! (Score:3, Informative)
So whenever someone clicks on the "Add Widget" symbol (the circled plus sign) he gets to see a barenaked goatse in full glory.
Bad design, for sure, however. (Score:2, Informative)
It installs the widget, but does not activate it.. it just makes it available.
Further, widgets do run in a sandbox, and require user approval to execute if they want to do certain things (like erase your HD).
Honestly, apple should have said "would you like to install this widget?".. that would be sensible and courteous.
Several levels of control (Score:4, Insightful)
Secondly, while the OS DOES copy downloaded widgets to the Widgets folder in the Users directory, the widgets do not become active until you actually activate them. (of course there's nothing stopping you from using the same name and icon as
Getting widgets to do complex system-level stuff you WANT them to do is tough enough.
Re:Several levels of control (Score:2)
Social engineering around that would be easy. "Mac's are immune to viruses, right? At least that's what everyone tells me."
(of course there's nothing stopping you from using the same name and icon as ...say Calculator).
Precisely.
Re:Several levels of control (Score:3, Interesting)
There's a link to an example on another part.
O Great Oracle of Slashdot (Score:5, Funny)
Install failed on my Mac!!! How to protect yours! (Score:2)
The default settings I used on my Mac stopped this cold. First, I have the setting in Safari to not automatically run 'safe' files after download. Thus, it just downloaded, didn't install.
Second, I don't have a personal Widgets folder. I only use the system one, and copy the widgets there with su. So, even after setting the 'run safe' option, it still didn't install!
So, yes, it does affect Macs, but those of us who are completely paranoid are pretty safe.
My suggestion - block auto-open of 'safe' d
More 'Windows like' (Score:3, Insightful)
Now the script kiddies won't feel as limited in their options in annoying Mac users just like they do MS Windows users.
A nice, new, open window (no pun intended) for the black hats to use... *sigh*
--
Tomas
How To Remove (Score:2)
Step 1: Remove the folder zaptastic_evil.wdgt from ~/Library/Widgets.
Step 2: Use Activity Monitor to kill any running instance of it (yes, Activity Monitor shows each widget as a separate process).
No reboot.
Imagine it? (Score:4, Funny)
imagine porn sites auto-installing adware widgets without your knowledge
Imagine it? I'm a Windows/IE user...I live it!
Dashboard: Slightly OT but worth a look (Score:3, Interesting)
http://stream.servstream.com/ViewWeb/BBCWorld/Fil
Cole asks Apple manager: is Dashboard a big rip off of Konfabulator?
Apple manager's response:um, er...Desk..Accessory...um...things......from before....like
Thank God for Firefox and Windows (Score:4, Funny)
Re:Thank God for Firefox and Windows (Score:3, Informative)
Require password to set execute bit! (Score:2, Insightful)
Yes, I know that Dashboard programs cannot (supposedly) affect the filesystem outside of their bundle. And I know that if you uncheck the "automatically open downloaded blah blah blah" then Safari won't do that.
But the default is not secure! And that's what will cause the computer to do "weird" stuff like the above; the same type of stuff that annoys Windows users and gets them thinking about buying a Mac ne
This can't possibly be true (Score:4, Funny)
Everyone knows that Linux and OS X are perfect and only Windows has security exploits.
Let's get it right people! You're slipping!
Didn't work on my system (Score:5, Interesting)
Another thing I did was to redirect downloads to a special download folder which has a special Folder Action attached that scans new files for viruses and then changes the new files' permissions to "No Access" (even if there are no viruses). If I want to open/read a downloaded file I have to change its permissions to read/write, for which I made a single-click AppleScript that I dragged into the Finder's top bar thingie. Ok, I'm slightly paranoid, mainly because IT security is my thing (btw the reason why I switched to Mac OS X last year), but it works.
First Moz, now this... (Score:3, Insightful)
Why do we still have auto-installers in browsers? (Score:3, Insightful)
Then these downloaded executables then get run with all the user's privileges, not in a jail or sandbox. Java may not be perfect, but at least Sun understood they had to run applets with less privileges than user applications.
Dashboard tips (Score:4, Informative)
Just a few points of interest.
1) The widget may automatically download and get copied into the widgets folder, but it is not automatically installed onto the active Dashboard. Therefore the user would have to manually click on it. Without knowing the widget is there, the user may not ever notice it. Of course, this is still a security risk, but this isn't the best way to propagate malware.
2) Widgets can be deleted manually as pointed out in the article by going into ~/Library/Widgets and removing the unwanted widget
3) The Dashboard can be reinitialized by killing the Dock. Those not familiar with terminal can just fire up Activity Monitor and kill the Dock there. The Dock immediately relaunches, then Dashboard reinitializes when it is launched again and the offending widgets are gone.
4) Apple should allow us to delete widgets from the dashboard, but the behavior when clicking and dragging a widget off of the Dashboard installs the widget instead of bringing up the delete puff of smoke. This behavior is at odds with every other taskbar/dock/menubar in OS X. I would recommend Apple change this.
5) We ARE dealing with Dashboard 1.0 so there are bound to be bugs needing to be squashed. Personally, I enjoy Dashboard but find it difficult to manage when there are too many widgets deployed. I find myself wishing for Exposé for Dashboard! LOL I also wish that widgets would reinitialize without force quitting the Dock and that the Dashboard would be a bit more dynamic. Sometimes deleted widgets take a while to disappear off the Dashboard as well as newly installed widgets. I look forward to the upcoming 10.4.1 release.
Re:Dashboard tips (Score:5, Insightful)
I read this 5 hours ago and still I'm amazed. I say this as an -otherwise- happy Mac user, and someone who made 6 friends switch to the Mac.
Here's my plan -- I'll do what Apple hasn't done (Score:4, Insightful)
Secondly, I thought to myself "it would be so easy for a widget to do nasty things"
So, here's what I'm going to do: I'm going to write a preference pane to manage widgets. It'll come in a few phases:
Phase 1) Preference pane which will allow you to turn on/off particular widgets in your ~/Library/Widgets folder by moving turned-off widgets to, say, ~/Library/Widgets (Disabled). I just did a test and discovered that the parent process of Widgets is the Dock, which means that the Dashboard is just a Dock mechanism. So, killing the dock ( politely, even ) will give Dashboard a chance to reload, since the Dock restarts automatically.
Phase 2) Write a widget scanner -- something which greps the widget source for keywords like widget.System() and whatever parameters are required for custom binaries which widgets can run. Now, I recognize I can't tell *what* those calls do, but I can at least put up a big red exclamation point next to the widget in the preference pane saying "This widget is potentially dangerous"
Phase 3) Write a small bundled app to be packaged with the preference pane which associates itself with the
This sounds like a PITA, but Apple shoulda done this in the first place.
Apple: You're drunk on the perceived security of your platform. Don't keep making the stupid mistakes.
A -- potentially better -- option is to have something like an "approved" widget download area. Say, apple's servers, where you know widgets hosted there have been given the thumbs up. Doesn't Firefox do something sort of like this for extensions?
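The plan above (Phase 1: move disabled widgets out of ~/Library/Widgets and let the Dock relaunch; Phase 2: scan widget sources for widget.System() and the permission keys mentioned earlier in the thread), together with the manual removal steps in "How To Remove" and "Dashboard tips", can be sketched as a shell script. This is an added example, not code from the thread, from the poster's preference pane, or from Apple. It assumes widget bundles are directories named *.wdgt with an XML Info.plist at the top level; the key names AllowFullAccess, AllowSystem and AllowNetworkAccess are taken from the thread and Apple's widget documentation; the JavaScript call is widget.system() (the thread writes widget.System()), so matching is case-insensitive. The sample bundles it creates are constructed for an offline run and are not real widgets.

```shell
#!/bin/sh
# Added example (not from the thread, the poster, or Apple): flag Dashboard
# widget bundles that either declare a broad permission key in Info.plist or
# call widget.system(), quarantine them, and restart the Dock so Dashboard
# reloads. Key names and the widget.system() call are assumptions taken from
# the thread; matching is case-insensitive to cover widget.System() too.

# Risk classification for one bundle: prints DANGEROUS or ok.
widget_risk() {
    w="$1"
    plist="$w/Info.plist"
    # Only XML plists are matched; a binary plist would need
    # `plutil -convert xml1` first. A key set to <false/> is still flagged,
    # which is the conservative choice for a scanner like this.
    if [ -f "$plist" ] && grep -qiE '<key>Allow(FullAccess|System|NetworkAccess)</key>' "$plist"; then
        echo DANGEROUS          # widget grants itself broad access
    elif grep -rqiE 'widget\.system[[:space:]]*\(' "$w" 2>/dev/null; then
        echo DANGEROUS          # runs external commands, as the thread notes
    else
        echo ok
    fi
}

# Report every bundle under a Widgets folder, one "<risk> <path>" per line.
scan_widgets() {
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        printf '%s %s\n' "$(widget_risk "$w")" "$w"
    done
}

# Move DANGEROUS bundles to "<folder> (Disabled)"; prints how many were moved.
quarantine_widgets() {
    dir="$1"
    disabled="$dir (Disabled)"
    mkdir -p "$disabled"
    n=0
    for w in "$dir"/*.wdgt; do
        [ -d "$w" ] || continue
        if [ "$(widget_risk "$w")" = DANGEROUS ]; then
            mv "$w" "$disabled/" && n=$((n + 1))
        fi
    done
    echo "$n"
}

# Dashboard is hosted by the Dock (observation from the thread); the Dock
# relaunches itself after being killed, so this makes Dashboard forget the
# quarantined widgets. Not called automatically below.
reload_dashboard() {
    killall Dock
}

# Constructed sample bundles for an offline run (not real widgets):
# a benign clock, a widget granting itself AllowFullAccess, and a look-alike
# "Calculator" that calls widget.System() without declaring any key.
make_sample_widgets() {
    base="$1"
    mkdir -p "$base/Clock.wdgt" "$base/zaptastic_evil.wdgt" "$base/Calculator.wdgt"
    printf '<plist><dict><key>CFBundleIdentifier</key><string>x.clock</string></dict></plist>\n' \
        > "$base/Clock.wdgt/Info.plist"
    printf 'setInterval(tick, 1000);\n' > "$base/Clock.wdgt/Clock.js"
    printf '<plist><dict><key>AllowFullAccess</key><true/></dict></plist>\n' \
        > "$base/zaptastic_evil.wdgt/Info.plist"
    printf '<plist><dict><key>CFBundleIdentifier</key><string>x.calc</string></dict></plist>\n' \
        > "$base/Calculator.wdgt/Info.plist"
    printf 'widget.System("/bin/ls ~", null);\n' > "$base/Calculator.wdgt/Calculator.js"
}

# Demo on a throwaway folder; point the functions at ~/Library/Widgets for real use.
demo=$(mktemp -d)
make_sample_widgets "$demo/Widgets"
scan_widgets "$demo/Widgets"
echo "quarantined: $(quarantine_widgets "$demo/Widgets")"
rm -rf "$demo"
```

Run it against the real folder with `scan_widgets ~/Library/Widgets`, then `quarantine_widgets ~/Library/Widgets` and `reload_dashboard` if the report looks right. As the Phase 2 post itself concedes, a grep cannot tell what a widget.system() call does, so the output is a list of widgets to look at, not a verdict.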
Re:Thanks Slashdot! (Score:5, Funny)
Re:Thanks Slashdot! (Score:4, Informative)
Dumb to do, but it can be set like that.
Re:But... (Score:2)
I had it on by default because in Panther it was fine. It only opened PDFs and Zip files and mp3s and some other non-executable formats. If Safari just downloaded and unzipped the zip files it would be one thing, but to automatically install the Widget bundle is just dumb.
Re:Ouch! (Score:4, Informative)
Problem solved. Having that pref checked is asking for trouble. You can drop whatever you want in my downloads, I'll open it myself when I'm ready.
Disclaimer: I am not running Tiger, so this may not be 100% correct.
Re:Ouch! (Score:5, Insightful)
Re:Ouch! (Score:5, Insightful)
And with XP SP2 (released in AUGUST) unsigned binaries simply can't be installed, and the default is "NO" for signed binaries...
Somebody thought they had a cool feature and didn't think about the consequences.
Re:Ouch! (Score:3, Insightful)
Second, ActiveX is a cool feature and nobody thought of the consequences at MSFT. There were reports in the late 90's about ActiveX showing its potential for harm. It took a few years, but guess what people.
I will give MSFT this much at least a full third of the crap they have to deal with is stupid users. And stupid users can fsck up any
Re:Ouch! (Score:5, Insightful)
So the fact that IE does the same thing for, say, ActiveX and has similar options for control is consistently ignored on
So amusing.
Re:Ouch! (Score:4, Insightful)
Or is it "worse"?
I'm confused here but I'm not running. Of course I'm not an apologist either.
Whether you're talking about IE or Safari the same thing holds true. Saying "yes" when you're prompted despite not knowing what you're installing means you're a fucking moron and you deserve whatever you get.
Re:Ouch! (Score:5, Informative)
Re:Like everyone else in the tech industry, (Score:3, Insightful)
Troll?
What is so great about the integration between Safari and Dashboard and what's so bad about the integration between Internet Explorer and ActiveX? Why should a web browser be allowed to automatically download and install certain types of programs remotely? These programs could access the Internet, too. I can see a lot of problems with this. Imagine widgets displaying pop-up adertisements, hardcore porn widgets, spyware widgets, you name it... I don't think that these widgets have the power to
Re:Whether it's a security problem or not, (Score:3, Insightful)
Re:Whether it's a security problem or not, (Score:3, Insightful)
FUD? What is one of the first things you should do to lock down any box? How about turning off any unnecessary services. Things that you can't turn off is one of the things people blast Windows for all the time. Why should any other OS be any different?
And even if the program poses no risk, if I don't use it, why would I want it sitting
Important correction (Score:5, Informative)
I said that Dashboard would prompt you when the widget was run for the first time. It turns out that for auto-installed Safari widgets, it does NOT prompt you the first time the widget is run.
Interesting.
This is indeed a security issue, and it should be made to at least prompt the user.
Considering that ALL other new widgets always prompt when first run, this appears to be a bug, and not the intended behavior.
The temporary fix (and what I always recommend anyway) is to disable "Open 'safe' files after downloading" in Safari.
Re:Not an exploit (Score:3, Insightful)
Millions of email viruses and Windows spyware rely on exactly the same thing. That d
Re:Nice try (Score:3, Interesting)
That's the thing; a good OS *should* be able to prevent those. The OS should be able to recognize that what claimed to be a screensaver is attempting to access your Quicken files and open a connection to somewhere in Russia, and it would probably be a good idea to deny that and let you know what's going on.
User education is a
Re:Sky not falling, Safari warns user twice. (Score:5, Informative)
Yes, but you won't get that prompt for a widget that doesn't have Cocoa code, but does contain widget.System() calls -- which effectively means it's an application. You could put an executable in your widget, not set the executable bit, but then chmod a+x and run it from widget.System() calls.
It's so bizarre I didn't believe myself at first, but this is not true of widgets that are auto-installed. Try it yourself -- here is my example exploit page [columbia.edu] with an entire set of widgets that look identical to the Apple widgets. You will be prompted for permission with none of them, including the `Calculator' widget, which makes a widget.System() call and could conceivably have deleted your home directory.