May 9, 2005 5:20 PM PDT

Mac malware door creaks open

Related Stories

Apple: Widget writers wanted

December 9, 2004

Mac users face rare threat

October 25, 2004

Apple: Open-source pedigree will protect Tiger

September 1, 2004
Dashboard, one of the much-publicized features of Apple Computer's latest OS, Tiger, could be ripe for exploitation by porn scammers.

Apple has been encouraging developers to create new widgets for Tiger's Dashboard--a semi-transparent layer of everyday, often-used applications such as a calculator or currency converter that appears over the user's desktop--but within days of its public release, one developer claims to have already found a way to turn widgets into potential malicious software.

Developer Stephan, who has posted the widgets to his blog, has created two mini-apps which he describes as "slightly evil." One widget, he says, will automatically install itself on users' desktops when his "Zaptastic" Web site is visited using Apple's Safari browser.

This, according to Stephan, is a golden opportunity for porn scammers, enabling them to auto-install widgets that can hijack browsers.

According to Stephan's blog: "I happen to like (auto-install). I think it's a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.

"That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it."

Widgets cannot be removed directly from the toolbar, but they can however be deleted from the Library folder.

"The average user, who can't find their Library folder with two mice and a spotlight, is stuck. It would take all of 30 seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard and you're stuck with it. It doesn't even need any Javascript," Stephan added.

Stephan has also created the zaptastic_evil widget, which redirects the user's browser to a Web site every time the widget Dashboard is launched--and drops the user out of Dashboard, preventing the widget from being closed.

A fellow blogger, going by the name of Aaron, has created a series of widgets that closely resemble Apple's own set of widgets and can be used to displace the genuine ones. One of these fake widgets can run with full system access without the user's express permission.

Apple declined to comment for this report.

Despite the potential for mayhem, Mac users can simply kill the widgets by deleting them from their Library folder, and using Activity Monitor to kill any instance of the widget already running.

Jo Best of Silicon.com reported from London.

102 comments

Join the conversation!
Add your comment
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.