Malicious Web Pages Can Install Dashboard Widgets 610
bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.
Firefox asks what to do (Score:3, Informative)
widgets limited (Score:5, Informative)
Not much of a problem... (Score:5, Informative)
The solution (Score:5, Informative)
It's just common sense anyways
Re:Firefox asks what to do (Score:5, Informative)
Bad design, for sure, however. (Score:2, Informative)
It installs the widget, but does not activate it.. it just makes it available.
Further, widgets do run in a sandbox, and require user approval to execute if they want to do certain things (like erase your HD).
Honestly, apple should have said "would you like to install this widget?".. that would be sensible and courteous.
Re:Thanks Slashdot! (Score:4, Informative)
Dumb to do, but it can be set like that.
Re:Ouch! (Score:4, Informative)
Problem solved. Having that pref checked is asking for trouble. You can drop whatever you want in my downloads, I'll open it myself when I'm ready.
Disclaimer: I am not running Tiger, so this may not be 100% correct.
Re:widgets limited (Score:3, Informative)
Asked myself why such advanced coders give plain sit,sitx,zip files for installing manually to widgets directory (or anywhere) and require user to double click it to launch.
Now I had my answer
Re:widgets limited (Score:2, Informative)
That ought to be a lot of fun, in addition to providing a way to run another OS on your Mac.
Re:Thank God for Firefox and Windows (Score:3, Informative)
Re:Not much of a problem... (Score:3, Informative)
Re:Not much of a problem... (Score:4, Informative)
http://www.kb.cert.org/vuls/id/297462 [cert.org], http://www.linuxsecurity.com/content/view/102413/1 10/ [linuxsecurity.com]
Re:Install failed on my Mac!!! How to protect your (Score:2, Informative)
Of course, that doesn't mean that it should install widgets for you in the first place...
Sky not falling, Safari warns user twice. (Score:1, Informative)
Dashboard will ask you the first time a third-party widget is run and give you the option of not running it.
What more should Apple do save crippling the functionality of Dashboard for all users?
Important correction (Score:5, Informative)
I said that Dashboard would prompt you when the widget was run for the first time. It turns out that for auto-installed Safari widgets, it does NOT prompt you the first time the widget is run.
Interesting.
This is indeed a security issue, and it should be made to at least prompt the user.
Considering that ALL other new widgets always prompt when first run, this appears to be a bug, and not the intended behavior.
The temporary fix (and what I always recommend anyway) is to disable "Open 'safe' files after downloading" in Safari.
Re:Not much of a problem... (Score:1, Informative)
Re:The solution (Score:2, Informative)
But without ActiveX you lose the functionality that is the only reason most people still use IE at all. By shutting off "open safe files" you don't lose functionality other than convenience of not having to manually open downloaded files.
Re:Dashboard: Slightly OT but worth a look (Score:2, Informative)
Re:widgets limited (Score:3, Informative)
Re:Sky not falling, Safari warns user twice. (Score:5, Informative)
Yes, but you won't get that prompt for a widget that doesn't have Cocoa code, but does contain widget.System() calls -- which effectively means it's an application. You could put an executable in your widget, not set the executable bit, but then chmod a+x and run it from widget.System() calls.
It's so bizarre I didn't believe myself at first, but this is not true of widgets that are auto-installed. Try it yourself -- here is my example exploit page [columbia.edu] with an entire set of widgets that look identical to the Apple widgets. You will be prompted for permission with none of them, including the `Calculator' widget, which makes a widget.System() call and could conceivably have deleted your home directory.
Re:Awww...How cute! (Score:3, Informative)
So whenever someone clicks on the "Add Widget" symbol (the circled plus sign) he gets to see a barenaked goatse in full glory.
Re:Ouch! (Score:5, Informative)
Re:Not much of a problem... (Score:1, Informative)
"Solution" (Score:3, Informative)
But either way, if you installed Paranoid Android [haxies.com] (direct link [unsanity.net]) it will ask you to approve the url. And it is opensourced too.
Better yet (Score:2, Informative)
How to protect yourself in ONE EASY STEP (Score:2, Informative)
Yeah this exploit is sorta lame, but its also trivial to plug in the meantime.
Dashboard tips (Score:4, Informative)
Just a few points of interest.
1) The widget may automatically download and get copied into the widgets folder, but it is not automatically installed onto the active dashboard. Therefor the user would have to manually click on it. Without knowing the widget is there, the user may not ever notice it. Of course, this is still a security risk, but this isn't the best way to propogate malware.
2) Widgets can be deleted manually as pointed out in the article by going into ~/Library/Widgets and removing the unwanted widget
3) The Dashboard can be reinitialized by killing the Dock. Those not familiar with terminal can just fire up Activity Monitor and kill the Dock there. The Dock immediately relaunches, then Dashboard reinitializes when it is launched again and the offending widgets are gone.
4) Apple should allow us to delete widgets from the dashboard, but the behavior when clicking and dragging a widget off of the Dashboard installs the widget instead of bringing up the delete puff of smoke. This behavior is at odds with every other taskbar/dock/menubar in OS X. I would recommend Apple change this.
5) We ARE dealing with Dashboard 1.0 so there are bound to be bugs needing to be squashed. Personally, I enjoy Dashboard but find it difficult to manage when there are too many widgets deployed. I find myself wishing for Exposé for Dashboard! LOL I also wish that widgets would reinitialize without force quiting the dock and that the dashboard would be a bit more dynamic. Sometimes deleted widgets take a while to disappear off the dashboard as well as newly installed widgets. I look forward to the upcoming 10.4.1 release.
Re:Oh but it has, and you've proved part of my poi (Score:4, Informative)
Re:Ouch! (Score:2, Informative)
The original post is also wrong in claiming that a reboot is necessary to remove it. He must be a Windows user. Clicking close on the widget, then removing it from the user library folder is all that is required. There is no nasty embedding a registry, or auto starting or restarting such as you might expect with spyware on a Windows machine.
Re:The really funny part is (Score:3, Informative)
I have no idea how this potential exploit slipped past , bad show indeed and rather disapointing.
But clearly it is a bug not poor judgment.
Re:"Solution" (Score:3, Informative)
sudo chmod a-x
in the Terminal. Of course this prevents all Widgets from running.
Re:Serves you right (Score:4, Informative)
No, it's Safari categorising a ZIP archive as safe. To quote Safari:
The ZIP archive extracts automatically, and just happens to place the file in ~/Library/Widgets/. Dashboard runs the Widget from there.
You're right, it's not safe. I think the solution to this should be to first of all disable the whole opening safe files functionality by default. The second should be to declassify archive files as 'safe' (with the exception of disk images), because it makes it easy to write files in this way.
Personally I've set administrator priveledges on my ~/Library/Widgets/ folder so that I now need to enter a password to write to it.
Re:Oh but it has, and you've proved part of my poi (Score:3, Informative)
Wow, have you got a lot to learn... Did you not read the article AT ALL? Claiming that the apple system is a "properly layered security system" is an opinion, not a fact. Some might agree it is more proper than windows XP. I'm not here to argue wether that is true or not. I'm here to argue that either 1) a properly layered security system doesn't give you a secure system or 2) the MacOS doesn't have a properly layered security system.
One of the above(or possibly both) is true. It is up to you to decide which and quit sitting up on your high horse thinking you are a god for using MacOS.
So turn it off (Score:4, Informative)
So turn off the ability. In Safari, open Preferences, and on the first tab, de-select 'automatically run "safe" files upon download.' Then, it'll download it, and you can manually install the widget by copying it to
This was one of the first things I tweaked after switching to a Mac. I noticed it'd automatically mount disk image files, and I could see the potential security implication, so I found the checkbox and tunred it off.
It's not rocket science, just basic research.