Malicious Web Pages Can Install Dashboard Widgets

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.
  • yes but... (Score:5, Funny)

    by Anonymous Coward on Sunday May 08, 2005 @05:51PM (#12470934)
    imagine porn sites auto-installing adware widgets without your knowledge.

    Yes, but do they install porn?
  • by th1ckasabr1ck ( 752151 ) on Sunday May 08, 2005 @05:51PM (#12470936)
    If people would just run a secure OS like Linux or Windows, they wouldn't be hit with attacks like this. When will people learn?
    • by Janitha ( 817744 ) on Sunday May 08, 2005 @05:56PM (#12470980) Homepage
      There is no such thing as a secure OS, all operating systems have flaws.
      • by EtherAlchemist ( 789180 ) on Sunday May 08, 2005 @06:17PM (#12471135)

        That's quite apt. And I imagine you will be modded down due to the OS in question here.

        When a Windows OS exploit is discovered there are thousands of zealots who scream "USE LINUX, STUPID" and "I use a Mac, there are not exploits for my OS" but whenever either of those OSes is found to have a flaw, those zealots are awfully quiet.

        The best thing for me reading the comments so far has been the Mac users who point out that settings can be changed to allow or deny this action. They treat that like it's a magic feature only Mac has, when the truth of the matter is shit like that can be turned off in Windows also.

        All of the common OSes can be locked down tight, IF THE USER CHOOSES TO. Every OS ships with the potential to be exploited, and even if it comes out the box secure, the user can always undo that.

        I guess the difference when it's a Mac OS, it's a big deal because someone actually bothered to write something malicious for a small segment of the computer population.

        This is actually a good thing though. It lets all of you Mac users know that the security you've been taking for granted is only as good as long as there is no attention to you.

        Looks like this is changing.
        • God damn I wish I had some mod points. Very well said, my friend.
        • by diamondsw ( 685967 ) on Sunday May 08, 2005 @06:57PM (#12471460)
          No, because as you said, out of the box security is important. Mac OS X has no services running out of the box; Windows had several exploitable ones prior to XP SP2 (which I give them credit for doing a good job with).

          As for this vulnerability, it is Safari categorizing a Dashboard widget as "safe" when it clearly isn't. Yes, it's a vulnerability, one with an exploit already shown, and it needs to be fixed NOW. No one is saying Apple is perfect or OS X is immune, but so far there has been very little to point to in Apple's track record.

          What's really important is Apple's response. Anyone post this in RADAR yet? "As Seen On TV", any thoughts from your unique position?
          • Re:Serves you right (Score:4, Informative)

            by teh kurisu ( 701097 ) on Monday May 09, 2005 @06:49AM (#12475557) Homepage

            No, it's Safari categorising a ZIP archive as safe. To quote Safari:

            "Safe" files include movies, pictures, sounds, PDF and text documents, and disk images and other archives.

            The ZIP archive extracts automatically, and just happens to place the file in ~/Library/Widgets/. Dashboard runs the Widget from there.

            You're right, it's not safe. I think the solution to this should be to first of all disable the whole opening safe files functionality by default. The second should be to declassify archive files as 'safe' (with the exception of disk images), because it makes it easy to write files in this way.

            Personally I've set administrator privileges on my ~/Library/Widgets/ folder so that I now need to enter a password to write to it.

  • by HermanAB ( 661181 ) on Sunday May 08, 2005 @05:52PM (#12470941)
    Interesting, but not dangerous.
    • by Bungopolis ( 763083 ) on Sunday May 08, 2005 @05:57PM (#12470985)
      This warning applies specifically to Safari. It's obviously not going to affect Firefox, because Firefox does not have the widget auto-installation feature that Safari does. Most users of Tiger, however, are probably using Safari, so this most certainly is dangerous.
    • I generally disable the automatic opening of files in Safari, so while it may download, it should serve the same purpose, although I'm on 10.3 and the widget files don't do anything, so I can't be sure. By the way, does Safari 2.0 at least have the option of bringing up a dialog box asking where to download? That is one of my biggest pet peeves with Safari.
    • Same thing on my computer. I'm running Firefox 1.0.1 on FreeBSD, and the exact same thing happened. At least Firefox asked what to do with the file before downloading it, but still it is a bit weird.

      I guess that you can run away from Windows and all of its problems with ActiveX and Internet Explorer, but you can't hide from all of the problems of Internet security. All this takes is for some clueless Mac users to just say "Yes" when Safari asks does the program want to be downloaded/run, and voila, they

  • widgets limited (Score:5, Informative)

    this page at Apple's Developer Connection says that a 'widget' cannot ask for any resources or do anything to the filesystem outside of the widget's bundle.
    • True, true. But hasn't apple learned anything from MS? Automatically running/installing *anything* from the internet is a bad, bad idea. And a widget could, in theory, do things like make widget pop up ads, revolving goatse/tubgirl widget, etc.

      Basically, bad apple bad. Fix.
      • Re:widgets limited (Score:3, Interesting)

        by taybin ( 622573 )
        How would you suggest they "fix" widgets to keep them from pulling offensive images? I can't think of a reasonable way (and I don't consider a blacklist reasonable) that wouldn't cripple the functionality.
        • I meant they should fix it in not allowing an untrusted remote application to be downloaded on a local computer with no interaction from the user.
          • Re:widgets limited (Score:3, Insightful)

            by BasilBrush ( 643681 )
            It's not an application, it's a widget. On your preferred browser, are you asked every time before a Flash plugin is downloaded and executed? No, not unless you disable Flash. It's similar with these widgets, except they are not executed automatically, only downloaded.
          • So turn it off (Score:4, Informative)

            by __aafutm5472 ( 188247 ) on Monday May 09, 2005 @09:59AM (#12476791)
            I meant they should fix it in not allowing an untrusted remote application to be downloaded on a local computer with no interaction from the user.

            So turn off the ability. In Safari, open Preferences, and on the first tab, de-select 'automatically run "safe" files upon download.' Then, it'll download it, and you can manually install the widget by copying it to /Library/Widgets. No need to restart OS X or Dashboard, it just shows up.

            This was one of the first things I tweaked after switching to a Mac. I noticed it'd automatically mount disk image files, and I could see the potential security implication, so I found the checkbox and turned it off.

            It's not rocket science, just basic research.
      • Re:widgets limited (Score:3, Informative)

        by Ilgaz ( 86384 )
        The software which they didn't steal :) is a very advanced application in fact. I tried it myself just recently and for windows people out there, Konfubulator XP has shipped, give it a try until it gets this time into longhorn *g*

        Asked myself why such advanced coders give plain sit,sitx,zip files for installing manually to widgets directory (or anywhere) and require user to double click it to launch.

        Now I had my answer ;)
      • But you would only see the popup when you go to Dashboard. Widgets basically stop running when you leave dashboard and start up again when you enter dashboard. I do agree that this is a concern however. I never understood why apple sets to default "Open safe attachments" in Safari. I understand that it helps the less experienced but it also creates a bit of a security problem IMO.
        • Re:widgets limited (Score:3, Informative)

          by Jeffrey Baker ( 6191 )
          The bit about widgets stopping is completely false. You can connect to native code (or Java code) from your widget, and the native/Java code can do all types of things, even when the widget is off-screen.
      • Until they fix it, take a look at this Mac LiveCD Linux.

        That ought to be a lot of fun, in addition to providing a way to run another OS on your Mac.

    • Re:widgets limited (Score:2, Interesting)

      by Anonymous Coward
      They can take up RAM.

      And in fact they often take up lots and lots of RAM.

      A widget forkbomb wouldn't be so hard I don't think.

      Widgets shouldn't be able to install this way.
    • Re:widgets limited (Score:5, Interesting)

      by antibryce ( 124264 ) on Sunday May 08, 2005 @06:02PM (#12471025)

      True, but widgets can run external programs if certain permissions are set. The most insane part is that the widget itself sets the permissions it's allowed to have. Putting a key in the Info.plist file with "AllowFullAccess" set to "Yes" will allow the widget to run anything, access the network, etc. Basically at that point it's a full featured app. How hard would it be to make a widget that's invisible but periodically queries Safari's browser history, or songs played in itunes, or do a spotlight search for "password" and email the results to some guy in Russia? The widget could even be invisible to the user, with a 1x1 transparent gif as it's screen.

      It seems really really dumb in this light to have Safari not only automatically download zip files, but uncompress them and if it finds a Widget bundle inside to install it. All without user intervention.
      • by mcc ( 14761 ) on Sunday May 08, 2005 @06:15PM (#12471112) Homepage
        Safari is uber paranoid about other filetypes now-- if you download a tar or a dmg it says "warning, this file may contain an application, are you sure you want to uncompress this?" It didn't do this before Tiger.

        The unzip/install widgets thing wasn't a conscious decision. This is clearly a bug.
        • The first thing I did when I opened up Safari in Tiger was to uncheck the "Open Safe files after downloading" option, visited the site in Safari and it just automatically downloaded the file and did nothing more. So there's a quick workaround till a patch is out.

          I have no idea how this potential exploit slipped past, bad show indeed and rather disappointing.
          But clearly it is a bug, not poor judgment.

      • Almost as scary as an "invisible" keystroke logger or spotlight hijacker is the possibility of your Dashboard becoming a battleground for full-screen adverts from auto-installed ad-widgets. Close the widget and it auto-starts a secondary one in its place. Rinse and repeat.

        Glad I've stuck with 10.3 for now.
      • "some guy in Russia"

        Just find this guy and kick his ass. Problem fixed, no need to patch shit.

  • Too integrated (Score:5, Insightful)

    by m50d ( 797211 ) on Sunday May 08, 2005 @05:53PM (#12470957) Homepage Journal
    This is what happens when you tie together parts of the OS that shouldn't be put together. In particular, has apple not realised that having the browser tied to anything that expects local rather than remote content is fundamentally an incredibly stupid idea?
  • by zkn ( 704992 ) on Sunday May 08, 2005 @05:54PM (#12470958)
    Apple copies Microsoft.....
  • HAH! (Score:3, Funny)

    by JoeCommodore ( 567479 ) on Sunday May 08, 2005 @05:54PM (#12470960) Homepage
    I'm running Jaguar!

    I can't afford to buy all the Apple "upgrades of the month."
  • 1st real ad-ware? (Score:3, Interesting)

    by EggyToast ( 858951 ) on Sunday May 08, 2005 @05:54PM (#12470967) Homepage
    Definitely easier to remove than most Windows Ad/spyware, but still a pain in the butt. Just goes to show that making something painless for the user can often lead to the technology being abused by more nefarious individuals.

    I know that Windows usually posts security fixes and doesn't address spyware exploits specifically in many cases -- it'll be interesting to see if Apple addresses this in 10.4.1 or if we see a patch sooner (or later!)

    • Re:1st real ad-ware? (Score:3, Interesting)

      by Aphrika ( 756248 )
      "Just goes to show that making something painless for the user can often lead to the technology being abused by more nefarious individuals"

      Yup, it's a bit like scripting in Outlook and ActiveX in IE; incredibly useful in a fully controlled environment, but incredibly vulnerable in the wild and hugely open to exploitation. I would have assumed Apple would've seen the fun and games that MS has had with scripting, embedding and browser/OS interaction over the years to not let something like this happen.

  • Yeah... (Score:3, Funny)

    by Nanoda ( 591299 ) on Sunday May 08, 2005 @05:54PM (#12470968)
    imagine porn sites auto-installing adware widgets without your knowledge.

    Yeah... I'm imagining those porn sites.........

  • If you do not tick the "open safe files" check box in the prefs. Which you should leave unchecked if you're not entirely stupid, as there is no way to tell whether any file is actually "safe". Good Internet Practice, as I like to call it.
  • The solution (Score:5, Informative)

    by Little Grey ( 571460 ) on Sunday May 08, 2005 @05:56PM (#12470979)
    Is to turn off "Open 'Safe' downloads" in Safari's Options.

    It's just common sense anyways
  • uh... (Score:2, Funny)

    by pkboy ( 864629 )
    "imagine porn sites auto-installing adware widgets without your knowledge." I guess Mac users can now blame their browsers for the pr0n popping up on their computers as well.
  • by justforaday ( 560408 ) on Sunday May 08, 2005 @06:02PM (#12471022)
    Looks like he was nice and made us a widget. Too bad I don't have Tiger yet... :'(
    • Re:Awww...How cute! (Score:3, Informative)

      by flowerp ( 512865 )
      Holy Shit! I have OS X Tiger, and behold. Clicking on that link installed Goatse right into my Widget collection with NO CONFIRMATION DIALOG WHATSOEVER.

      So whenever someone clicks on the "Add Widget" symbol (the circled plus sign) he gets to see a barenaked goatse in full glory.

  • it's not totally evil.

    It installs the widget, but does not activate it.. it just makes it available.

    Further, widgets do run in a sandbox, and require user approval to execute if they want to do certain things (like erase your HD).

    Honestly, apple should have said "would you like to install this widget?".. that would be sensible and courteous.
  • by pelorus ( 463100 ) on Sunday May 08, 2005 @06:07PM (#12471063)
    First, when a widget starts to download, Tiger prompts me and says "This download contains an application, do you want to continue?" That should be the first dead giveaway.

    Secondly, while the OS DOES copy downloaded widgets to the Widgets folder in the Users directory, the widgets do not become active until you actually activate them. (Of course there's nothing stopping you from using the same name and icon as ...say Calculator).

    Getting widgets to do complex system-level stuff you WANT them to do is tough enough.
    • First, when a widget starts to download, Tiger prompts me and says "This download contains an application, do you want to continue?" That should be the first dead giveaway.

      Social engineering around that would be easy. "Mac's are immune to viruses, right? At least that's what everyone tells me."

      (Of course there's nothing stopping you from using the same name and icon as ...say Calculator).


  • by Dachannien ( 617929 ) on Sunday May 08, 2005 @06:13PM (#12471104)
    If there's anything that Slashdot has taught us, it's that it's never safe to use your computer.

  • The default settings I used on my Mac stopped this cold. First, I have the setting in Safari to not automatically run 'safe' files after download. Thus, it just downloaded, didn't install.

    Second, I don't have a personal Widgets folder. I only use the system one, and copy the widgets there with su. So, even after setting the 'run safe' option, it still didn't install!

    So, yes, it does affect Macs, but those of us who are completely paranoid are pretty safe.

    My suggestion - block auto-open of 'safe' d

  • by SmoothTom ( 455688 ) on Sunday May 08, 2005 @06:18PM (#12471139) Homepage
    With this new addition to Safari under Tiger, Apple has made a large step in catching up with Microsoft Windows...

    Now the script kiddies won't feel as limited in their options in annoying Mac users just like they do MS Windows users.

    A nice, new, open window (no pun intended) for the black hats to use... *sigh*

  • If anyone else let the evil version install to see what it did (like me) it's really easy to remove.

    Step 1: Remove the folder zaptastic_evil.wdgt from ~/Library/Widgets.

    Step 2: Using Activity Monitor to kill any running instance of it (yes Activity Monitor shows each widget as a separate process).

    No reboot.
  • Imagine it? (Score:4, Funny)

    by Anonymous Coward on Sunday May 08, 2005 @06:20PM (#12471152)

    imagine porn sites auto-installing adware widgets without your knowledge

    Imagine it? I'm a Windows/IE user...I live it!

  • by uprock_x ( 855650 ) on Sunday May 08, 2005 @06:21PM (#12471160) Homepage Journal
    Click OnLine, BBC's tech show: /worl_click_030505_show_hi.rm?Media=60506 []

    Cole asks Apple manager: is Dashboard a big rip off of Konfabulator?

    Apple manager's response:um,
  • by Pedrito ( 94783 ) on Sunday May 08, 2005 @06:24PM (#12471186)
    I'm just glad I'm running Firefox under Windows. No need for me to worry about nefarious web sites.
  • You would think that Apple, being such an innovative company, would learn from Microsoft's mistakes.

    Yes, I know that Dashboard programs cannot (supposedly) affect the filesystem outside of their bundle. And I know that if you uncheck the "automatically open downloaded blah blah blah" then Safari won't do that.

    But the default is not secure! And that's what will cause the computer to do "weird" stuff like the above; the same type of stuff that annoys Windows users and gets them thinking about buying a Mac ne

  • by rudy_wayne ( 414635 ) on Sunday May 08, 2005 @06:34PM (#12471258)
    This can't possibly be true.

    Everyone knows that Linux and OS X are perfect and only Windows has security exploits.

    Let's get it right people! You're slipping!

  • by 1nhuman ( 597328 ) on Sunday May 08, 2005 @07:15PM (#12471612)
    I do use Tiger and Safari, but it didn't work on my system. Primarily because in Safari > System Preferences > General, I unchecked the check box that automatically opens up Safe files, which includes archives (which I do not consider safe).

    Another thing I did was to redirect downloads to a special download folder which has a special Folder Action attached that scans new files for viruses and then changes new files' permissions to "No Access" (even if there are no viruses). If I want to open/read a downloaded file I have to change its permissions to read/write, for which I made a single-click AppleScript that I dragged into the Finder's top bar thingie. OK, I'm slightly paranoid, mainly because IT security is my thing (btw the reason why I switched to Mac OS X last year), but it works.
  • by MsGeek ( 162936 ) on Sunday May 08, 2005 @10:10PM (#12472917) Homepage Journal
    Today has really been a bad day for computer users. All we need next is Yet Another New Windows Exploit/Virus/Trojan/Worm and our day will be complete. :P
  • by Animats ( 122034 ) on Monday May 09, 2005 @01:26AM (#12474000) Homepage
    The whole concept of browsers installing executables is just wrong. Microsoft created Active-X as a way to make sites incompatible with non-IE browsers and to fight Java, not because it was a useful idea. So then Mozilla goes and implements their own answer to Active-X for downloading and installing executable add-ons. Then Apple does the same.

    Then these downloaded executables then get run with all the user's privileges, not in a jail or sandbox. Java may not be perfect, but at least Sun understood they had to run applets with less privileges than user applications.

  • Dashboard tips (Score:4, Informative)

    by Absentminded-Artist ( 560582 ) on Monday May 09, 2005 @02:28AM (#12474219) Homepage
    Fascinating article. I installed zaptastic_evil and was amused by it. Very annoying indeed. Widgets simply should not do this.

    Just a few points of interest.

    1) The widget may automatically download and get copied into the widgets folder, but it is not automatically installed onto the active dashboard. Therefore the user would have to manually click on it. Without knowing the widget is there, the user may not ever notice it. Of course, this is still a security risk, but this isn't the best way to propagate malware.

    2) Widgets can be deleted manually as pointed out in the article by going into ~/Library/Widgets and removing the unwanted widget

    3) The Dashboard can be reinitialized by killing the Dock. Those not familiar with terminal can just fire up Activity Monitor and kill the Dock there. The Dock immediately relaunches, then Dashboard reinitializes when it is launched again and the offending widgets are gone.

    4) Apple should allow us to delete widgets from the dashboard, but the behavior when clicking and dragging a widget off of the Dashboard installs the widget instead of bringing up the delete puff of smoke. This behavior is at odds with every other taskbar/dock/menubar in OS X. I would recommend Apple change this.

    5) We ARE dealing with Dashboard 1.0 so there are bound to be bugs needing to be squashed. Personally, I enjoy Dashboard but find it difficult to manage when there are too many widgets deployed. I find myself wishing for Exposé for Dashboard! LOL I also wish that widgets would reinitialize without force quitting the Dock and that the dashboard would be a bit more dynamic. Sometimes deleted widgets take a while to disappear off the dashboard, as well as newly installed widgets. I look forward to the upcoming 10.4.1 release.
    • Re:Dashboard tips (Score:5, Insightful)

      by Kyusaku Natsume ( 1098 ) on Monday May 09, 2005 @04:12AM (#12474655)
      Certainly the cleanup and prevention is easy, but the fact that Safari downloads widgets automatically without user intervention/request is incredibly stupid, even more than the autoinstall (this is already stupid). The guys who put those "features" on a fairly secure, wonderful and useful system should be fired; this is sheer incompetence, and a disservice for the rest of the fine, great OS X team. What the hell were they thinking? This should have been scrapped in the design phase of Dashboard.

      I read this 5 hours ago and still I'm amazed. I say this as an otherwise happy Mac user, and someone who made 6 friends switch to the Mac.
  • by TomorrowPlusX ( 571956 ) on Monday May 09, 2005 @07:45AM (#12475836)
    When I installed Tiger I thought to myself "why hasn't apple provided a mechanism for Widget management?"

    Secondly, I thought to myself "it would be so easy for a widget to do nasty things"

    So, here's what I'm going to do: I'm going to write a preference pane to manage widgets. It'll come in a few phases:

    Phase 1) Preference pane which will allow you to turn on/off particular widgets in your ~/Library/Widgets folder by moving turned-off widgets to, say, ~/Library/Widgets (Disabled). I just did a test and discovered that the parent process of Widgets is the Dock, which means that the Dashboard is just a Dock mechanism. So, killing the dock ( politely, even ) will give Dashboard a chance to reload, since the Dock restarts automatically.

    Phase 2) Write a widget scanner -- something which greps the widget source for keywords like widget.System() and whatever parameters are required for custom binaries which widgets can run. Now, I recognize I can't tell *what* those calls do, but I can at least put up a big red exclamation point next to the widget in the preference pane saying "This widget is potentially dangerous"

    Phase 3) Write a small bundled app to be packaged with the preference pane which associates itself with the .wdgt extension, and (somehow) gets higher association relevance than the Dock for execution. Then, when a widget is double-clicked on it gets copied directly into ~/Library/Widgets ( Disabled ) -- giving you the chance to enable it or not before the Dashboard gets it.

    This sounds like a PITA, but Apple shoulda done this in the first place.

    Apple: You're drunk on the perceived security of your platform. Don't keep making the stupid mistakes.

    A -- potentially better -- option is to have something like an "approved" widget download area. Say, apple's servers, where you know widgets hosted there have been given the thumbs up. Doesn't Firefox do something sort of like this for extensions?
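The "widget scanner" sketched in Phase 2 above, and antibryce's point earlier in the thread that a widget declares its own permissions in Info.plist, both come down to the same audit. What follows is an added example written for this page, not code from any poster, from the Zaptastic author or from Apple: it walks a Widgets directory, reads each bundle's Info.plist for the Allow* keys (AllowFullAccess is the one quoted in the thread; the other key names are taken from Apple's Dashboard documentation), greps the bundle's scripts for widget.system() calls, and reports what each widget could do if it were activated. The two sample bundles it builds in a temporary directory are constructed for the demo; point audit_widgets_dir() at ~/Library/Widgets to run it for real. As the Phase 2 post says, a string match cannot tell what a command does, only that the widget is wired to run one.

```python
"""Audit Dashboard widget bundles for the capabilities they declare or use.

Added example for this thread (not code from any poster or from Apple).
"""
import plistlib
import re
import tempfile
from pathlib import Path

# Keys a widget may set in its own Info.plist. AllowFullAccess is the one the
# thread quotes; the others are documented Dashboard permission keys.
RISKY_KEYS = {
    "AllowFullAccess": "full access: files, network and shell commands",
    "AllowSystem": "may run shell commands via widget.system()",
    "AllowNetworkAccess": "may talk to the network",
    "AllowFileAccessOutsideOfWidget": "may read/write files outside its bundle",
}
# widget.system("...") is the JavaScript hook for running a command.
SYSTEM_CALL = re.compile(r"widget\.system\s*\(", re.IGNORECASE)


def _is_set(value) -> bool:
    """Treat plist <true/> and the string forms 'Yes'/'true'/'1' as enabled."""
    if isinstance(value, str):
        return value.strip().lower() in {"yes", "true", "1"}
    return bool(value)


def audit_widget(bundle: Path) -> dict:
    """Return the risky capabilities declared or used by one .wdgt bundle."""
    findings = []
    info = bundle / "Info.plist"
    if info.is_file():
        with info.open("rb") as fh:
            plist = plistlib.load(fh)
        for key, why in RISKY_KEYS.items():
            if _is_set(plist.get(key)):
                findings.append(f"Info.plist sets {key}: {why}")
    else:
        findings.append("no Info.plist: not a well-formed widget bundle")
    # Grep scripts and HTML for the shell hook. This only proves the widget is
    # wired to run a command, not what that command does.
    for src in sorted(bundle.rglob("*")):
        if src.is_file() and src.suffix.lower() in {".js", ".html", ".htm"}:
            text = src.read_text(encoding="utf-8", errors="replace")
            hits = len(SYSTEM_CALL.findall(text))
            if hits:
                findings.append(f"{src.relative_to(bundle)}: {hits} widget.system() call(s)")
    return {"name": bundle.name, "flagged": bool(findings), "findings": findings}


def audit_widgets_dir(widgets_dir: Path) -> list:
    """Audit every .wdgt bundle directly inside widgets_dir (e.g. ~/Library/Widgets)."""
    return [audit_widget(b) for b in sorted(widgets_dir.glob("*.wdgt")) if b.is_dir()]


def build_sample_widgets(root: Path) -> Path:
    """Constructed sample bundles so the audit runs offline: one harmless, one not."""
    widgets = root / "Widgets"
    benign = widgets / "Clock.wdgt"
    benign.mkdir(parents=True)
    with (benign / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "example.clock", "MainHTML": "clock.html"}, fh)
    (benign / "clock.js").write_text("function tick() { return new Date(); }\n")

    evil = widgets / "zaptastic_evil.wdgt"   # bundle name taken from the thread
    evil.mkdir()
    with (evil / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "example.evil",
                       "MainHTML": "main.html",
                       "AllowFullAccess": "Yes",    # the string form quoted in the thread
                       "AllowNetworkAccess": True}, fh)
    (evil / "main.js").write_text(
        "// constructed: a widget wired to run a shell command when shown\n"
        "function onshow() { widget.system('echo hello', null); }\n")
    return widgets


def demo() -> list:
    """Run the audit against the constructed samples and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_widgets_dir(build_sample_widgets(Path(tmp)))


if __name__ == "__main__":
    for entry in demo():
        status = "FLAG" if entry["flagged"] else " ok "
        print(f"[{status}] {entry['name']}")
        for line in entry["findings"]:
            print(f"         - {line}")
```

Run against the samples, Clock.wdgt comes back clean and zaptastic_evil.wdgt is flagged three times: AllowFullAccess, AllowNetworkAccess, and the widget.system() call in main.js. The plist check is the more reliable half: a widget cannot call widget.system() at all unless AllowSystem or AllowFullAccess is set, so a bundle that sets neither and has no Plugin can be treated as confined to its own bundle, which is the behaviour the Apple page cited earlier in the thread describes.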
