Malicious Web Pages Can Install Dashboard Widgets

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.
  • 1st real ad-ware? (Score:3, Interesting)

    by EggyToast ( 858951 ) on Sunday May 08, 2005 @05:54PM (#12470967) Homepage
    Definitely easier to remove than most Windows Ad/spyware, but still a pain in the butt. Just goes to show that making something painless for the user can often lead to the technology being abused by more nefarious individuals.

    I know that Windows usually posts security fixes and doesn't address spyware exploits specifically in many cases -- it'll be interesting to see if Apple addresses this in 10.4.1 or if we see a patch sooner (or later!)

  • Re:widgets limited (Score:2, Interesting)

    by Anonymous Coward on Sunday May 08, 2005 @05:58PM (#12470993)
    They can take up RAM.

    And in fact they often take up lots and lots of RAM.

    A widget forkbomb wouldn't be so hard I don't think.

    Widgets shouldn't be able to install this way.
  • Re:widgets limited (Score:5, Interesting)

    by antibryce ( 124264 ) on Sunday May 08, 2005 @06:02PM (#12471025)

    True, but widgets can run external programs if certain permissions are set. The most insane part is that the widget itself sets the permissions it's allowed to have. Putting a key in the Info.plist file with "AllowFullAccess" set to "Yes" will allow the widget to run anything, access the network, etc. Basically at that point it's a full featured app. How hard would it be to make a widget that's invisible but periodically queries Safari's browser history, or songs played in iTunes, or do a Spotlight search for "password" and email the results to some guy in Russia? The widget could even be invisible to the user, with a 1x1 transparent gif as its screen.

    It seems really really dumb in this light to have Safari not only automatically download zip files, but uncompress them and if it finds a Widget bundle inside to install it. All without user intervention.
  • Re:widgets limited (Score:3, Interesting)

    by taybin ( 622573 ) <taybin@taybi n . c om> on Sunday May 08, 2005 @06:05PM (#12471047) Homepage
    How would you suggest they "fix" widgets to keep them from pulling offensive images? I can't think of a reasonable way (and I don't consider a blacklist reasonable) that wouldn't cripple the functionality.
  • by uprock_x ( 855650 ) on Sunday May 08, 2005 @06:21PM (#12471160) Homepage Journal
    Click OnLine, BBC's tech show:

    http://stream.servstream.com/ViewWeb/BBCWorld/File /worl_click_030505_show_hi.rm?Media=60506 [servstream.com]

    Cole asks Apple manager: is Dashboard a big rip off of Konfabulator?

    Apple manager's response:um, er...Desk..Accessory...um...things......from before....like
  • by geoffspear ( 692508 ) * on Sunday May 08, 2005 @06:28PM (#12471210) Homepage
    Except that's not one of Apple's selling points; it's FUD spread by Windows and Linux zealots who like to think their computers are more suitable for expert users.

    Do you think including sudo is "unfortunate" because of all the damage you can do to your machine with it?

  • Re:1st real ad-ware? (Score:3, Interesting)

    by Aphrika ( 756248 ) on Sunday May 08, 2005 @06:30PM (#12471219)
    "Just goes to show that making something painless for the user can often lead to the technology being abused by more nefarious individuals"

    Yup, it's a bit like scripting in Outlook and ActiveX in IE; incredibly useful in a fully controlled environment, but incredibly vulnerable in the wild and hugely open to exploitation. I would have assumed Apple would've seen the fun and games that MS has had with scripting, embedding and browser/OS interaction over the years to not let something like this happen.

    Microsoft seemed to end up in knots trying to sort out the ActiveX and scripting debacles, the result being lots of dialog boxes and the IE info bar (easily faked in a web page too!), so it will be interesting to see how Apple go about fixing it, which I'd assume would be a simple block on automatic installs.
  • Re:widgets limited (Score:2, Interesting)

    by Ilgaz ( 86384 ) on Sunday May 08, 2005 @06:34PM (#12471255) Homepage
    A lot of companies/coders fixed it, but just years ago a malicious jpeg or gif header (can't remember) could rape your application and machine just by stating it's a 20.000*10.000 resolution.

    No elite asm code, nothing at all. Just a header.
  • Re:widgets limited (Score:1, Interesting)

    by Anonymous Coward on Sunday May 08, 2005 @06:46PM (#12471352)
    It should ask the user each time he installs a widget. Seriously how many widgets do you install each day? Just prompt "Do you want to install widget? [Ok][Cancel]*"

    Copyright (c)1984-2005 Microsoft Corporation. All rights reserved.
    *United States Patent Application: 0050091614
  • by 1nhuman ( 597328 ) on Sunday May 08, 2005 @07:15PM (#12471612)
    I do use Tiger and Safari, but it didn't work on my system. Primarily because in Safari > System Preferences > General, I unchecked the check box that automatically opens up Safe files, which includes archives (which I do not consider safe).

    Another thing I did was to redirect downloads to a special download folder which has a special Folder Action attached that scans new files for viruses and then changes new files' permissions to "No Access" (even if there are no viruses). If I want to open/read a downloaded file I have to change its permissions to read/write, for which I made a single-click AppleScript that I dragged in the Finder's top bar thingie. Ok, I'm slightly paranoid, mainly because IT security is my thing (btw the reason why I switched to Mac OS X last year), but it works.
  • Re:widgets limited (Score:5, Interesting)

    by Arrgh ( 9406 ) on Sunday May 08, 2005 @07:52PM (#12471959) Homepage Journal
    It's not a bad idea per se to automatically download and run stuff from the Internet, but any software designed to do so had better be designed and implemented properly. The dozens (hundreds?) of "cross-site scripting" bugs that have surfaced in popular browsers in the past few years are evidence that this is rarely done well. Java's [sun.com] 10 year old sandbox design has been quite successful, and Flash [macromedia.com] has followed a substantially similar design.

    Unfortunately, code signing, as currently implemented and (mis)understood by users, is an all-or-nothing proposition. There are certainly legitimate uses for privileged mobile code, but most users don't really read or understand security warning dialogs, they just think "I just clicked the Start Game button, and now it's asking me if I really want to Start the Game. How stupid."

    Marimba actually came up with a good partial solution ages ago. When their framework loaded and executed a Java app, the framework would closely manage exactly what resources could be exploited by the app. Each application's ability to read and write files was restricted by default to its own tiny corner of the filesystem, and the amount of space it could occupy with its files was constrained as well.

    Note that Java's security manager infrastructure has allowed these sorts of fine-grained controls since 1.2 (circa 1998), but no one to my knowledge has yet found a way to effectively communicate to a user:

    • what resources a given piece of mobile code will want to exploit;
    • what the risks of running it might be;
    • some assurance that the code is published by someone they trust;
    ...While maintaining some degree of user-friendliness. It's a tough problem.

    MSIE's concept of local policies set according to centrally defined security zones was a step in the right direction; it's too bad its development stalled when the Browser War was "won."

  • Re:widgets limited (Score:2, Interesting)

    by Exodious ( 49817 ) <exodious&gmail,com> on Sunday May 08, 2005 @09:05PM (#12472509)
    I'm running Safari on 10.4 as well, and I tried this.

    If I have "Open 'safe' files after downloading" checked, Safari downloads, extracts, and installs the widget without asking.

    If I have "Open 'safe' files after downloading" unchecked, Safari just downloads it.

    Nowhere am I asked during this process if I want to install it. I'm curious as to what's different on your machine that it asked you.
  • Re:Nice try (Score:3, Interesting)

    by bnenning ( 58349 ) on Sunday May 08, 2005 @10:18PM (#12472954)
    But a trojan, a social engineering exploit that requires explicit and deliberate user action, is completely uninteresting. That will always be possible on all OSes and all platforms.

    That's the thing; a good OS *should* be able to prevent those. The OS should be able to recognize that what claimed to be a screensaver is attempting to access your Quicken files and open a connection to somewhere in Russia, and it would probably be a good idea to deny that and let you know what's going on.

    User education is a lost cause. An OS needs to be able to defend against trojans without relying on the user to be particularly intelligent. Unfortunately I have no idea how to actually implement that in a usable manner.
  • Installed? (Score:2, Interesting)

    by Mr Bubble ( 14652 ) on Sunday May 08, 2005 @11:27PM (#12473396)
    Is this "installed" or just put into a certain directory.

    If the widget auto-executed, then that would seem like a REALLY bad idea. But, if "installed" just means the widget is placed where Dashboard expects to find widgets, that seems less unsafe.

    You would still have to consciously decide to activate the widget in Dashboard, right? At that point you're at the same security level as any widget regardless of where the browser put it on your system.

    Still sounds funky, but not like the sky is falling.
  • by SirTalon42 ( 751509 ) on Monday May 09, 2005 @12:37AM (#12473796)
    You could put a space in front of the name, and you wouldn't be able to tell. And if it installed several that all used the same icons and names (but with the space in front), how will you tell which is real? Especially if the real ones are pushed off the screen.

    There's a link to an example on another part.
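Added example, not code from the thread or from Apple: a Python audit of a widgets directory that flags the Info.plist access keys antibryce describes ("AllowFullAccess", plus Apple's finer-grained Allow* keys) and the whitespace-padded look-alike display names SirTalon42 describes. The bundle names and plists are constructed samples written to a temporary directory; on a real Tiger system the directory to audit would be ~/Library/Widgets.

```python
import os
import plistlib
import tempfile

# Dashboard Info.plist keys that widen a widget's access. AllowFullAccess is the
# one named in the thread; the others are Apple's finer-grained equivalents.
ACCESS_KEYS = ("AllowFullAccess", "AllowSystem", "AllowNetworkAccess",
               "AllowFileAccessOutsideOfWidget", "AllowInternetPlugins", "AllowJava")

def audit_widget(bundle_path):
    """Return (display name, list of findings) for one .wdgt bundle."""
    with open(os.path.join(bundle_path, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    findings = ["requests " + k for k in ACCESS_KEYS if info.get(k)]
    name = info.get("CFBundleDisplayName", "")
    if name != name.strip():  # leading/trailing space hides a look-alike name
        findings.append("display name padded with whitespace: %r" % name)
    return name, findings

def audit_widget_dir(widgets_dir):
    """Audit every .wdgt; also flag display names that collide once stripped."""
    report, by_name = {}, {}
    for entry in sorted(os.listdir(widgets_dir)):
        if entry.endswith(".wdgt"):
            name, findings = audit_widget(os.path.join(widgets_dir, entry))
            report[entry] = findings
            by_name.setdefault(name.strip(), []).append(entry)
    for name, entries in by_name.items():
        if len(entries) > 1:
            for entry in entries:
                report[entry].append("display name %r shared with %s" %
                                     (name, ", ".join(e for e in entries if e != entry)))
    return report

def _write_widget(root, dirname, plist):
    # Helper: writes a constructed sample bundle (only Info.plist is needed here).
    os.makedirs(os.path.join(root, dirname))
    with open(os.path.join(root, dirname, "Info.plist"), "wb") as f:
        plistlib.dump(plist, f)

def demo():
    """Constructed sample: one benign widget, one look-alike asking for full access."""
    root = tempfile.mkdtemp()
    _write_widget(root, "Weather.wdgt",
                  {"CFBundleDisplayName": "Weather", "CFBundleIdentifier": "example.weather"})
    _write_widget(root, "Weather2.wdgt",
                  {"CFBundleDisplayName": " Weather", "CFBundleIdentifier": "example.fake",
                   "AllowFullAccess": True})
    return audit_widget_dir(root)
```

Calling `demo()` returns a dict of bundle name to findings; point `audit_widget_dir` at a real widgets folder to audit installed widgets the same way.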
  • by Anonymous Coward on Monday May 09, 2005 @02:48AM (#12474336)
    I've always let safe files be opened by Safari. All this ever seemed to do was autolaunch PDF and media files and autodecompress zip archives. It was nice to have Safari do this for me since it also cleaned up after itself and removed the zip file while leaving the archive I had just downloaded. So automatically opening safe files was something I wanted Safari to do.

    Some of you former Windows guys are fairly paranoid, though I can hardly blame you. I've had one virus on my PC in the decade or so that I've used them. I'm very careful on PCs, but never saw the same vulnerability on my Mac. This code ( ) is very annoying and I don't like the fact that Safari downloaded that file without my permission. This has happened before when using Safari, but only on sites with PC autodailers or adware installers. Those .exe files don't do anything on the Mac, obviously. And usually uncompressed "safe" files just sit in the default download directory. Isn't this the first time a form of installation actually occurred using Safari?

    Couldn't this be fixed if Apple disabled meta pushed downloading from within Safari and didn't auto install the widgets? Then people like me could keep "Open safe files..." checked. I don't open anything I haven't downloaded on purpose. I'm careful and responsible and like the convenience of auto disk image mounting, etc...

    Can't I have my cake and eat it too? :(
  • Re:not insightful (Score:2, Interesting)

    by ashot ( 599110 ) <ashot AT molsoft DOT com> on Monday May 09, 2005 @03:52AM (#12474592) Homepage
    yes it should run in a sandbox, which essentially means it should not have access to the filesystem. I think Java's ability to do so at all is a mistake. Flash doesn't allow this at all, and they have not had any security problems except for one (which was a pretty bad one, but nonetheless) in 2003.

  • by Anonymous Coward on Monday May 09, 2005 @09:08AM (#12476305)
    BSD has holes == Mac OS X has hole

    Oh? And what part of the BSD subsystem has had holes? OSX uses a different kernel, all tcp/ip exploits are in the hands of OSX developers. All the exploits I've seen for Jaguar involve 3rd party software like sendmail and apache (exempting Apple's own software).

    The reality is that while BSD has had some security issues (as does everything), few to none of them have to do with OSX.
