Security Businesses OS X Operating Systems Apple

Malicious Web Pages Can Install Dashboard Widgets 610

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.
  • Too integrated (Score:5, Insightful)

    by m50d ( 797211 ) on Sunday May 08, 2005 @05:53PM (#12470957) Homepage Journal
    This is what happens when you tie together parts of the OS that shouldn't be put together. In particular, has apple not realised that having the browser tied to anything that expects local rather than remote content is fundamentally an incredibly stupid idea?
  • by Janitha ( 817744 ) on Sunday May 08, 2005 @05:56PM (#12470980) Homepage
    There is no such thing as a secure OS, all Operating systems have flaws.
  • Re:widgets limited (Score:5, Insightful)

    by ender81b ( 520454 ) <wdinger@@@gmail...com> on Sunday May 08, 2005 @05:57PM (#12470987) Homepage Journal
    True, true. But hasn't apple learned anything from MS? Automatically running/installing *anything* from the internet is a bad, bad idea. And a widget could, in theory, do things like make widget pop up ads, revolving goatse/tubgirl widget, etc.

    Basically, bad apple bad. Fix.
  • by mattgreen ( 701203 ) on Sunday May 08, 2005 @06:00PM (#12471011)
    If this were a Microsoft product, the consensus would not be nearly so optimistic. Between this and the 19 holes recently fixed, looks like Apple doesn't exactly have a sparkling record when it comes to security anymore. Much better than Windows, but then again pretty much everything is.
  • Re:The solution (Score:5, Insightful)

    by ender81b ( 520454 ) <wdinger@@@gmail...com> on Sunday May 08, 2005 @06:01PM (#12471014) Homepage Journal
    The solution to spyware on windows is to turn off activex in internet explorer and set it to run as guest...

    It's just common sense.

    Seriously though this is a very bad idea and apple needs to fix this ASAP.
  • by Anonymous Coward on Sunday May 08, 2005 @06:04PM (#12471041)
    No, it should be pretty easy to tell what is a "safe" file. PDF, for example, is a safe file, as is HTML, as is a GIF. A dashboard widget is NOT.

    Apple really screwed up with allowing dashboard widgets to be listed as a "safe" file and they need to patch this as soon as possible. This is one of the big problems with IE, that they went from "autoopen anything, even unsafe stuff" to "warn you about viruses when you try to download ANYTHING, including a PDF". Clearly identifying what is safe is as important as identifying what is unsafe, otherwise people just double-click everything they download not realizing it's a .app.
  • Re:widgets limited (Score:5, Insightful)

    by ender81b ( 520454 ) <wdinger@@@gmail...com> on Sunday May 08, 2005 @06:06PM (#12471054) Homepage Journal
    I meant they should fix it in not allowing an untrusted remote application to be downloaded on a local computer with no interaction from the user.
  • by Anonymous Coward on Sunday May 08, 2005 @06:06PM (#12471055)
    or the Mac will end up being as full of malware as Windows

    The reason Windows is so full of malware is because everyone uses it.
  • by Temporal ( 96070 ) on Sunday May 08, 2005 @06:06PM (#12471057) Journal
    as there is no way to tell whether any file is actually "safe".

    Wrong. Text files are "safe". JPEG files are "safe". Java applets are "safe". Flash is "safe". Any software written in a verifiable-bytecode-based, pointer-safe language with capability-based security should be "safe".

    Obviously a dashboard widget should not be considered safe, but that doesn't prove that it's impossible to tell if a file is safe. It only proves that the Safari developers made a mistake when deciding what should be considered safe.
  • by pelorus ( 463100 ) on Sunday May 08, 2005 @06:07PM (#12471063)
    First, when a widget starts to download, Tiger prompts me and says "This download contains an application, do you want to continue?" That should be the first dead giveaway.

    Secondly, while the OS DOES copy downloaded widgets to the Widgets folder in the Users directory, the widgets do not become active until you actually activate them. (Of course there's nothing stopping you from using the same name and icon as ...say Calculator.)

    Getting widgets to do complex system-level stuff you WANT them to do is tough enough.
  • by linguae ( 763922 ) on Sunday May 08, 2005 @06:12PM (#12471095)

    Same thing on my computer. I'm running Firefox 1.0.1 on FreeBSD, and the exact same thing happened. At least Firefox asked what to do with the file before downloading it, but still it is a bit weird.

    I guess that you can run away from Windows and all of its problems with ActiveX and Internet Explorer, but you can't hide from all of the problems of Internet security. All this takes is for some clueless Mac users to just say "Yes" when Safari asks does the program want to be downloaded/run, and voila, they get the Macintosh equivalent of spyware. Just as easy as it is in Windows.

    This problem needs to be fixed quickly, before spyware widgets start becoming more common on the Mac platform. And users need to be more educated about such dangers such as software automatically downloading themselves. They need to know how to withstand social engineering abuses, and they also need to get into their heads quickly that just because they're away from Windows and Internet Explorer doesn't mean that they're away from crackers and exploiters.

  • by Mike McTernan ( 260224 ) on Sunday May 08, 2005 @06:12PM (#12471098)

    Which you should leave unchecked if you're not entirely stupid

    I always thought that one of Apple's selling points was that they are made for non-experts. So giving users an option to potentially shoot their foot off seems to be a little unfortunate. Almost by definition, few people are experts.

  • by mcc ( 14761 ) <amcclure@purdue.edu> on Sunday May 08, 2005 @06:15PM (#12471112) Homepage
    Safari is uber paranoid about other filetypes now-- if you download a tar or a dmg it says "warning, this file may contain an application, are you sure you want to uncompress this?" It didn't do this before Tiger.

    The unzip/install widgets thing wasn't a conscious decision. This is clearly a bug.
  • by EtherAlchemist ( 789180 ) on Sunday May 08, 2005 @06:17PM (#12471135)

    That's quite apt. And I imagine you will be modded down due to the OS in question here.

    When a Windows OS exploit is discovered there are thousands of zealots who scream "USE LINUX, STUPID" and "I use a Mac, there are no exploits for my OS" but whenever either of those OSes is found to have a flaw, those zealots are awfully quiet.

    The best thing for me reading the comments so far has been the Mac users who point out that settings can be changed to allow or deny this action. They treat that like it's a magic feature only Mac has, when the truth of the matter is shit like that can be turned off in Windows also.

    All of the common OSes can be locked down tight, IF THE USER CHOOSES TO. Every OS ships with the potential to be exploited, and even if it comes out the box secure, the user can always undo that.

    I guess the difference when it's a Mac OS, it's a big deal because someone actually bothered to write something malicious for a small segment of the computer population.

    This is actually a good thing though. It lets all of you Mac users know that the security you've been taking for granted is only as good as long as there is no attention on you.

    Looks like this is changing.
  • by SmoothTom ( 455688 ) <Tomas@TiJiL.org> on Sunday May 08, 2005 @06:18PM (#12471139) Homepage
    With this new addition to Safari under Tiger, Apple has made a large step in catching up with Microsoft Windows...

    Now the script kiddies won't feel as limited in their options in annoying Mac users just like they do MS Windows users.

    A nice, new, open window (no pun intended) for the black hats to use... *sigh*

    --
    Tomas
  • by rice_burners_suck ( 243660 ) on Sunday May 08, 2005 @06:28PM (#12471204)
    You would think that Apple, being such an innovative company, would learn from Microsoft's mistakes.

    Yes, I know that Dashboard programs cannot (supposedly) affect the filesystem outside of their bundle. And I know that if you uncheck the "automatically open downloaded blah blah blah" then Safari won't do that.

    But the default is not secure! And that's what will cause the computer to do "weird" stuff like the above; the same type of stuff that annoys Windows users and gets them thinking about buying a Mac next time. (Four people at work have already bought a new Mac specifically because of past problems with malicious code in Windows.)

    Since OS X is based on UNIX, providing rock-solid security for non-security-conscious users shouldn't be any trouble at all. The mechanism is all there; all Apple needs to change is the policies of the default install, and nearly all users will be safe from crap like this.

    First, downloaded files should, by default, not be opened automatically. If the user wishes to change this setting, it's the user's responsibility. Second, any downloaded files, bundles, scripts, etc., should not have the execute bit set by default. When the user tries to run it for the first time, OS X will ask for the password, like it does when you install X11 or Final Cut or something. Only then will the execute bit be set. This is not a small inconvenience; rather, it is a huge convenience. Sure, you have to type a password to run a downloaded program for the first time, but that's only as annoying as finding out the bank put an extra $10,000 in your account by mistake. And your computer won't suddenly acquire programs/spyware/malware/adware/viruses and other nice stuff that you didn't intend it to acquire. This is extremely convenient. It's an additional level of security for safety-conscious parents who use Tiger's new child-safety features. It's good for owners of computers with multiple users, who don't want people to run arbitrary code that came from God knows where.

    Apple could and should take this a step further. At some point, people will find ways to screw up Macs with programs/spyware/malware/adware/viruses, especially if they become pretty popular. Apple could prevent this before it happens. Provide an online database of MD5 sums of binaries for OS X, and provide a mechanism in the OS to report bad software and where it came from. Perhaps people could post a comment with their claim. The system would be moderated by the community, so good software won't end up listed as bad. There are plenty of Mac zealots who would participate. When you try to run any program for the first time, whether it comes from the Internet, a CD, or wherever, OS X might first compute the MD5 sum and compare it to the online database. If the MD5 matches, OS X will warn the user and perhaps allow the user to browse the comments posted about this program. Comments like, "This program sends all keystrokes to the goatse site!" The user can then decide whether to run the program or clean it off the system. Not connected to the Internet? The database shouldn't be that large... When you install OS X, the latest version could be placed on the HDD, and when you connect, it could automatically update it. Bam... Pretty good protection against the spyware problem, BEFORE it comes to the Mac. Proactive... not reactive like the Microsoft crowd.

    I use Macs, Linux, and the BSDs.

  • Re:Ouch! (Score:5, Insightful)

    by mrchaotica ( 681592 ) on Sunday May 08, 2005 @06:28PM (#12471211)
    Yeah, but "unchecked" should be the default.
  • by linguae ( 763922 ) on Sunday May 08, 2005 @06:32PM (#12471242)

    Troll?

    What is so great about the integration between Safari and Dashboard and what's so bad about the integration between Internet Explorer and ActiveX? Why should a web browser be allowed to automatically download and install certain types of programs remotely? These programs could access the Internet, too. I can see a lot of problems with this. Imagine widgets displaying pop-up advertisements, hardcore porn widgets, spyware widgets, you name it... I don't think that these widgets have the power to format hard drives, but the integration of the web browser and external programs is very troublesome to me. Look no further than Internet Explorer and ActiveX if you want an example.

    To say a kind of cleaned-up version of what the parent poster said, operating system and desktop designers and programmers should look very carefully at the features that they are adding to the program before they release it to the public. Security should be a major concern, especially if those programs are directly tied to network connections. Programs connected to the Internet should never be integrated with system functions such as installation; that's how you get Internet Explorer and ActiveX. I expected Apple to have a little more sense in feature consideration and design, but I was disappointed. Hopefully they fix this in Tiger 10.4.1 before this becomes more widespread.

  • ... 19 holes recently fixed ...
    Better to have the holes exist and be patched than to have them exist and not patched, or denied that they exist (also known as "just plain ignored"). Software will always have holes. The security record should be measured on how quickly they get patched AND how many exist.
  • 10.4.1 (Score:2, Insightful)

    by cocoacow ( 838794 ) on Sunday May 08, 2005 @06:56PM (#12471454) Journal
    This is why apple is waiting a little bit on releasing the first update to tiger, that way they will be able to nip all those nasty bugs and oversights in a nice update. Rest assured mac folks, this will get fixed. Apple is really up on the security thing and they will probably set it up so that you are asked before installing any widgets. At least no matter how bad the flaw is it isn't something that can compromise the system itself.
  • by diamondsw ( 685967 ) on Sunday May 08, 2005 @06:57PM (#12471460)
    No, because as you said, out of the box security is important. Mac OS X has no services running out of the box; Windows had several exploitable ones prior to XP SP2 (which I give them credit for doing a good job with).

    As for this vulnerability, it is Safari categorizing a Dashboard widget as "safe" when it clearly isn't. Yes, it's a vulnerability, one with an exploit already shown, and it needs to be fixed NOW. No one is saying Apple is perfect or OS X is immune, but so far there has been very little to point to in Apple's track record.

    What's really important is Apple's response. Anyone post this in RADAR yet? "As Seen On TV", any thoughts from your unique position?
  • by Hawthorne01 ( 575586 ) on Sunday May 08, 2005 @06:59PM (#12471486)
    All I want is the ability to turn off Dashboard from the GUI. completely. Not individual widgets, the whole darn thing. I can do that with Konfabulator, but Dashboard is always on.

    THERE'S the real security hole, IMO.

  • by aristotle-dude ( 626586 ) on Sunday May 08, 2005 @07:10PM (#12471571)
    How is this insightful? Having it on does not create a security hole. Security holes are created by flaws in the design but where is the real flaw here? All I see is FUD.
  • by stevejobsjr ( 409568 ) on Sunday May 08, 2005 @07:14PM (#12471604)
    Watch Activity Monitor. It doesn't launch until the first time you call it up. Disable the key commands to bring it up and it'll never start.
  • by toddestan ( 632714 ) on Sunday May 08, 2005 @07:43PM (#12471864)
    How is this insightful? Having it on does not create a security hole. Security holes are created by flaws in the design but where is the real flaw here? All I see is FUD.

    FUD? What is one of the first things you should do to lock down any box? How about turning off any unnecessary services. Things that you can't turn off are one of the things people blast Windows for all the time. Why should any other OS be any different?

    And even if the program poses no risk, if I don't use it, why would I want it sitting there chewing up system resources?
  • Re:Ouch! (Score:2, Insightful)

    by Ender_Wiggin ( 180793 ) on Sunday May 08, 2005 @08:19PM (#12472154)
    "Safe" files are supposed to be non-executable files. Safari preferences state "Safe files include movies, pictures, sounds, PDF and text documents, and disk images and other (ZIP, .Sit, .rar) archives."

    Widgets seem to be considered "safe" but this could change in a patch.

  • Re:Ouch! (Score:5, Insightful)

    by LO0G ( 606364 ) on Sunday May 08, 2005 @08:31PM (#12472238)
    So does IE. ActiveX controls have ALWAYS prompted.

    And with XP SP2 (released in AUGUST) unsigned binaries simply can't be installed, and the default is "NO" for signed binaries...

    Somebody thought they had a cool feature and didn't think about the consequences.
  • Re:Ouch! (Score:5, Insightful)

    by soulhuntre ( 52742 ) on Sunday May 08, 2005 @08:40PM (#12472308) Homepage
    Um, never? Because it actually prompts you and asks you if you're sure you want to run it?

    So the fact that IE does the same thing for, say, ActiveX and has similar options for control is consistently ignored on /. in the name of the great Jihad but an exactly similar (or worse) Apple problem gets apologists running.

    So amusing.
  • Re:widgets limited (Score:2, Insightful)

    by Elliot Anderson ( 743825 ) * on Sunday May 08, 2005 @08:59PM (#12472467)
    As for hiding the widget using a 1x1 transparent GIF, it would be instantly noticeable when you clicked the Widget Management button (the little circle with an x in it in the lower left corner). When it is activated and the widget drawer is open, all of the widgets have their own "Close Widget" button that hovers a few pixels away. So it is pretty much impossible to hide a widget without it becoming somewhat noticeable.
  • by hey! ( 33014 ) on Sunday May 08, 2005 @09:41PM (#12472705) Homepage Journal
    It certainly makes you wonder -- what was apple thinking? How many years have there been security issues with ActiveX? How could anybody with an IQ above tepid water possibly think an autoinstallation feature is a good idea in a web browser at this late date?
  • by Scudsucker ( 17617 ) on Sunday May 08, 2005 @09:48PM (#12472769) Homepage Journal
    The mere repetition of speech or ideas does not increase or decrease their correctness, or the aesthetics of their form.

    Not when they aren't remotely correct in the first place. Apple is the only company where you can count on these arguments being made. And most of the time these people don't even bother to read the comments before posting the "but if this were Microsoft" drivel. This was demonstrated perfectly in the book banning story - someone complained that "if this were Microsoft you guys would be outraged" - completely ignoring the many "Steve Jobs is a consummate asshole" posts modded up to +5 Informative.

    You, sir, are a troll.

    Wrong. I'm pointing out that these people are hypocrites - they criticize the supposed "group think" of Slashdot, never mind that they are parroting the "if this were Microsoft" line that was old before Hot Grits went out of style. These comments are just as much trolls as the guy claiming that BSD is dying and the guy wondering why it's taking him 20 minutes to copy a 17 meg file onto a Mac from across a network.
  • Re:Ouch! (Score:3, Insightful)

    by peragrin ( 659227 ) on Sunday May 08, 2005 @09:49PM (#12472779)
    First I have seen windows install software without the user being prompted right at work. They ask me when a pop up ad comes up and looks like a regular dialog box.

    Second Active X is a cool feature and nobody thought of the consequences at MSFT. There were reports in the late 90's about Active X showing its potential for harm. It took a few years, but guess what people.

    I will give MSFT this much at least a full third of the crap they have to deal with is stupid users. And stupid users can fsck up any OS.

    It's just harder to maintain control when windows apps require admin settings.
  • by MsGeek ( 162936 ) on Sunday May 08, 2005 @10:10PM (#12472917) Homepage Journal
    Today has really been a bad day for computer users. All we need next is Yet Another New Windows Exploit/Virus/Trojan/Worm and our day will be complete. :P
  • Re:Ouch! (Score:4, Insightful)

    by JudgeFurious ( 455868 ) on Sunday May 08, 2005 @10:17PM (#12472949)
    Is it "exactly" or is it "similar"?

    Or is it "worse"?

    I'm confused here but I'm not running. Of course I'm not an apologist either.

    Whether you're talking about IE or Safari the same thing holds true. Saying "yes" when you're prompted despite not knowing what you're installing means you're a fucking moron and you deserve whatever you get.
  • Re:Not an exploit (Score:3, Insightful)

    by drsmithy ( 35869 ) <drsmithy@nOSPAm.gmail.com> on Sunday May 08, 2005 @10:54PM (#12473179)
    Except for one thing: the user has to EXPLICITLY GRANT it permission to run! Forget about the fact this is a Dashboard widget, or that he can write a goatse widget, or that he can make Dashboard unusable, etc etc etc. I don't CARE what the widget does. It can only do these things AFTER IT HAS BEEN GIVEN EXPLICIT PERMISSION TO RUN BY THE USER CLICKING "YES" IN A DIALOG BOX ASKING HIM/HER IF THEY'RE SURE THEY WANT TO RUN IT!

    Millions of email viruses and Windows spyware rely on exactly the same thing. That doesn't appear to have slowed them down any. Hell, there was a not-insignificant outbreak of a particular Windows trojan that required users to extract it from a *password protected zip file* before running it.

    Isn't it funny how the only "exploits" people can find for Mac OS X almost always exclusively revolve around social engineering, and never real flaws in the platform itself?

    Nearly as funny as the people who hold up the 95%+ of Windows "vulnerabilities" that rely on social engineering as proof of its "insecurity".

  • by EtherAlchemist ( 789180 ) on Sunday May 08, 2005 @10:55PM (#12473182)

    Good thing it hasn't happened then.

    Sure it has. Still does [secunia.com], past [utah.edu] and present [geek.com] examples.

    Joke or not, your comment is indicative of the denial most Mac users seem to live in- "If it's not Windows, it's secure" and "If I don't hear about it, I must be OK" but the fact is that Mac OS X uses BSD, BSD has holes == Mac OS X has holes. Mac OS X is written by people who want users to have the easiest possible experience using their Mac. As a result, some of the things in place to make usability easier open up holes. This is the same for any OS. Anytime you cater to the user first and security second (or later) you will always ALWAYS provide someone else a way in.

    I have no problem with using one OS or another, I use whatever the hell I need to get the job done- to me it's a tool, not a lifestyle. As such, I make sure my tools are safe and pay attention when someone says my OS has a hole or exploit or vulnerability, rather than just refusing to believe it's true.
  • by EtherAlchemist ( 789180 ) on Sunday May 08, 2005 @11:33PM (#12473434)

    Whatever. An exploit is an exploit. Patched or not, a hole is a fucking hole.

    I use a Mac, I know damn well updates are up to ME to install if I choose so. Any exploit and vulnerability EVER found in a Mac still exists, simply releasing a patch DOES NOT MAKE IT GO AWAY.

    Case in point, last week 20 patches for vulnerabilities for 10.3.9 were released. Those are fixed in 10.4. Does that mean the hole is plugged? NO. A patch was released and the new software doesn't have the flaw, but anyone still running 10.3.x without the patches installed is still at risk.

    Is it stupid to not install the patch, yes, duh. And yet people on all OSes fail to do just that.

    Want me to put up? HERE [apple.com] it's from the holy seat itself.

    It's a fact, one you overlook so you can act like an ass instead. Do so if you want, but stop pretending Mac OS is invulnerable.

  • by Animats ( 122034 ) on Monday May 09, 2005 @01:26AM (#12474000) Homepage
    The whole concept of browsers installing executables is just wrong. Microsoft created Active-X as a way to make sites incompatible with non-IE browsers and to fight Java, not because it was a useful idea. So then Mozilla goes and implements their own answer to Active-X for downloading and installing executable add-ons. Then Apple does the same.

    Then these downloaded executables then get run with all the user's privileges, not in a jail or sandbox. Java may not be perfect, but at least Sun understood they had to run applets with less privileges than user applications.

  • by GotenXiao ( 863190 ) on Monday May 09, 2005 @02:45AM (#12474317)
    Technically, this isn't a MacOS exploit - it's a Safari exploit. Unless of course, we're including browser exploits, in which case your point about locking stuff down becomes invalid because Internet Swiss Cheese *can't* be locked down that far. Sure, you can switch off ActiveX. And JavaScript. And just about everything else. Good luck browsing the web.

    And to be fair, it wasn't a malicious exploit.
    "I went to the trouble of making it ostensibly useful: it is a countdown timer for the launch of alleged PayPal competitor GreenZap. GreenZap is probably a Ponzi scheme, but do remember that PayPal gave away money when they were new, and it really would be a good idea on general principle if they had competition."
    As he mentions on his site, it could easily have been a lot more evil and/or damaging. Then again, he *does* link to the more evil version... But it should bring it home quite well for the Mac users.
  • Re:widgets limited (Score:3, Insightful)

    by BasilBrush ( 643681 ) on Monday May 09, 2005 @03:16AM (#12474428)
    It's not an application, it's a widget. On your preferred browser, are you asked every time before a flash plugin is downloaded and executed? No, not unless you disable flash. It's similar with these widgets, except they are not executed automatically, only downloaded.
  • by Lussarn ( 105276 ) on Monday May 09, 2005 @04:02AM (#12474629)
    It still fills up your hard drive with possibly malicious crap. If that's ok for you, Apple didn't do anything wrong even this time.
  • Re:Dashboard tips (Score:5, Insightful)

    by Kyusaku Natsume ( 1098 ) on Monday May 09, 2005 @04:12AM (#12474655)
    Certainly the cleanup and prevention is easy, but the fact that Safari downloads widgets automatically without user intervention/request is incredibly stupid, even more than the autoinstall -this is already stupid-, the guys who put those "features" on a fairly secure, wonderful and useful system should be fired; this is sheer incompetence, and a disservice for the rest of the fine, great OS X team. What the hell were they thinking? This should have been scrapped in the design phase of Dashboard.

    I read this 5 hours ago and still I'm amazed. I say this as an -otherwise- happy mac user, and someone that made 6 friends switch to the mac.
  • Re:widgets limited (Score:1, Insightful)

    by Anonymous Coward on Monday May 09, 2005 @06:52AM (#12475575)

    Safari installs the widgets without prompting the user. Dashboard DOES NOT prompt the user the first time a widget is run IF the widget was installed via Safari. Widgets can run "rm -rf /".

    Which part of this makes me the idiot?

  • by TomorrowPlusX ( 571956 ) on Monday May 09, 2005 @07:45AM (#12475836)
    When I installed Tiger I thought to myself "why hasn't apple provided a mechanism for Widget management?"

    Secondly, I thought to myself "it would be so easy for a widget to do nasty things"

    So, here's what I'm going to do: I'm going to write a preference pane to manage widgets. It'll come in a few phases:

    Phase 1) Preference pane which will allow you to turn on/off particular widgets in your ~/Library/Widgets folder by moving turned-off widgets to, say, ~/Library/Widgets (Disabled). I just did a test and discovered that the parent process of Widgets is the Dock, which means that the Dashboard is just a Dock mechanism. So, killing the dock ( politely, even ) will give Dashboard a chance to reload, since the Dock restarts automatically.

    Phase 2) Write a widget scanner -- something which greps the widget source for keywords like widget.System() and whatever parameters are required for custom binaries which widgets can run. Now, I recognize I can't tell *what* those calls do, but I can at least put up a big red exclamation point next to the widget in the preference pane saying "This widget is potentially dangerous"

    Phase 3) Write a small bundled app to be packaged with the preference pane which associates itself with the .wdgt extension, and (somehow) gets higher association relevance than the Dock for execution. Then, when a widget is double-clicked on it gets copied directly into ~/Library/Widgets ( Disabled ) -- giving you the chance to enable it or not before the Dashboard gets it.

    This sounds like a PITA, but Apple shoulda done this in the first place.

    Apple: You're drunk on the perceived security of your platform. Don't keep making the stupid mistakes.

    A -- potentially better -- option is to have something like an "approved" widget download area. Say, apple's servers, where you know widgets hosted there have been given the thumbs up. Doesn't Firefox do something sort of like this for extensions?
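    The three phases above, together with the earlier proposal in this thread of checking a program's hash against a database of known-bad binaries, can be sketched as one small scanner. The code below is an added example, not code from this thread, from TomorrowPlusX or from Apple. It assumes a widget is a directory named `*.wdgt` holding an `Info.plist` and HTML/JS files, that the `AllowSystem` and `AllowFullAccess` plist keys are the capabilities a widget must declare before `widget.system()` works, and that the hash denylist is a constructed in-memory dict standing in for the online database the earlier post imagines (SHA-256 is used here rather than the MD5 that post suggests). The `Widgets (Disabled)` folder name is taken from phase 1 above; the sample bundles are constructed by the example itself.

```python
"""Scan Dashboard widget bundles for privileged capabilities and quarantine
the flagged ones. Added example; not code from the thread or from Apple."""
import hashlib
import os
import plistlib
import re
import shutil
import tempfile

# Assumed: these Info.plist keys gate widget.system() and full file access.
PRIVILEGE_KEYS = ("AllowSystem", "AllowFullAccess")
SYSTEM_CALL = re.compile(r"widget\.system\s*\(")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_widget(bundle_path, denylist):
    """Return findings for one .wdgt bundle: name, flags, sha256 of MainHTML."""
    report = {"name": os.path.basename(bundle_path), "flags": [], "sha256": None}
    plist_path = os.path.join(bundle_path, "Info.plist")
    if not os.path.isfile(plist_path):
        report["flags"].append("missing Info.plist")
        return report
    with open(plist_path, "rb") as fh:
        info = plistlib.load(fh)
    # 1. Declared capabilities: a widget must opt in before it may run commands.
    for key in PRIVILEGE_KEYS:
        if info.get(key) is True:
            report["flags"].append(f"{key} set")
    # 2. Source scan: the grep-for-keywords check proposed as phase 2.
    for root, _dirs, files in os.walk(bundle_path):
        for name in sorted(files):
            if name.endswith((".html", ".js")):
                with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                    if SYSTEM_CALL.search(fh.read()):
                        report["flags"].append(f"calls widget.system in {name}")
    # 3. Hash lookup against a known-bad list (the hash-database idea, with SHA-256).
    main_html = info.get("MainHTML")
    if main_html and os.path.isfile(os.path.join(bundle_path, main_html)):
        digest = sha256_of(os.path.join(bundle_path, main_html))
        report["sha256"] = digest
        if digest in denylist:
            report["flags"].append(f"main HTML on denylist: {denylist[digest]}")
    return report


def scan_directory(widgets_dir, denylist):
    """Scan every *.wdgt bundle directly under widgets_dir, sorted by name."""
    reports = []
    for entry in sorted(os.listdir(widgets_dir)):
        path = os.path.join(widgets_dir, entry)
        if entry.endswith(".wdgt") and os.path.isdir(path):
            reports.append(scan_widget(path, denylist))
    return reports


def quarantine_flagged(widgets_dir, reports):
    """Phase 1: move flagged bundles to a sibling 'Widgets (Disabled)' folder
    so Dashboard no longer sees them. Returns the names moved."""
    disabled_dir = os.path.join(os.path.dirname(widgets_dir), "Widgets (Disabled)")
    os.makedirs(disabled_dir, exist_ok=True)
    moved = []
    for report in reports:
        if report["flags"]:
            shutil.move(os.path.join(widgets_dir, report["name"]),
                        os.path.join(disabled_dir, report["name"]))
            moved.append(report["name"])
    return moved


def make_sample_widgets(base_dir):
    """Constructed sample data: one harmless bundle, one privileged bundle,
    and a denylist containing the privileged bundle's main HTML hash."""
    widgets_dir = os.path.join(base_dir, "Widgets")

    def write(bundle, info, html):
        path = os.path.join(widgets_dir, bundle)
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, "Info.plist"), "wb") as fh:
            plistlib.dump(info, fh)
        with open(os.path.join(path, "main.html"), "w", encoding="utf-8") as fh:
            fh.write(html)
        return os.path.join(path, "main.html")

    write("Clock.wdgt", {"CFBundleIdentifier": "example.clock", "MainHTML": "main.html"},
          "<html><script>setInterval(tick, 1000);</script></html>")
    bad = write("Countdown.wdgt",
                {"CFBundleIdentifier": "example.countdown", "MainHTML": "main.html",
                 "AllowSystem": True},
                "<html><script>widget.system('echo hi', null);</script></html>")
    return widgets_dir, {sha256_of(bad): "constructed sample of a privileged widget"}


def run_demo():
    """Build the samples in a temp dir, scan, quarantine, and return the results."""
    base = tempfile.mkdtemp()
    widgets_dir, denylist = make_sample_widgets(base)
    reports = scan_directory(widgets_dir, denylist)
    moved = quarantine_flagged(widgets_dir, reports)
    return {"reports": {r["name"]: r["flags"] for r in reports}, "moved": moved,
            "remaining": sorted(os.listdir(widgets_dir)),
            "disabled": sorted(os.listdir(os.path.join(base, "Widgets (Disabled)")))}


if __name__ == "__main__":
    for name, flags in run_demo()["reports"].items():
        print(name, "->", flags or "no findings")
```

    Run against a real `~/Library/Widgets` by calling `scan_directory` on that path with whatever denylist you maintain; as the post notes, the source scan cannot tell what a `widget.system()` call does, only that the widget is able to run commands, so the output is a prompt for review rather than a verdict.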
  • by Anonymous Coward on Monday May 09, 2005 @08:32AM (#12476054)
    etheralchemist whines
    I have no problem with using one OS or another

    Why is it that the energizer bunnies parading back and forth about how win xp is better than mac os x, always insert a caveat that they don't really care about which os they use? Note: i only use the term "energizer bunny" for those win xp fanboys who make the utterly lame claim that mac os x relies entirely on security through obscurity, and that the number of exploits is directly proportional to market share (which it's not).
