- Related Stories
-
Apple: Widget writers wanted
December 9, 2004 -
Mac users face rare threat
October 25, 2004 -
Apple: Open-source pedigree will protect Tiger
September 1, 2004
Apple has been encouraging developers to create new widgets for Tiger's Dashboard--a semi-transparent layer of everyday, often-used applications such as a calculator or currency converter that appears over the user's desktop--but within days of its public release, one developer claims to have already found a way to turn widgets into potential malicious software.
Developer Stephan, who has posted the widgets to his blog, has created two mini-apps which he describes as "slightly evil." One widget, he says, will automatically install itself on users' desktops when his "Zaptastic" Web site is visited using Apple's Safari browser.
This, according to Stephan, is a golden opportunity for porn scammers, enabling them to auto-install widgets that can hijack browsers.
According to Stephan's blog: "I happen to like (auto-install). I think it's a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.
"That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it."
Widgets cannot be removed directly from the toolbar, but they can however be deleted from the Library folder.
"The average user, who can't find their Library folder with two mice and a spotlight, is stuck. It would take all of 30 seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard and you're stuck with it. It doesn't even need any Javascript," Stephan added.
Stephan has also created the zaptastic_evil widget, which redirects the user's browser to a Web site every time the widget Dashboard is launched--and drops the user out of Dashboard, preventing the widget from being closed.
A fellow blogger, going by the name of Aaron, has created a series of widgets that closely resemble Apple's own set of widgets and can be used to displace the genuine ones. One of these fake widgets can run with full system access without the user's express permission.
Apple declined to comment for this report.
Despite the potential for mayhem, Mac users can simply kill the widgets by deleting them from their Library folder, and using Activity Monitor to kill any instance of the widget already running.
Jo Best of Silicon.com reported from London.
See more CNET content tagged:
dashboard, Apple Computer, malware, Apple Macintosh, blog
damage, and they can't run unless you drop them into your
dashboard. The funny thing is that once that widget is there,
according to Apple, you CANNOT remove it."
Widgets cannot be removed directly from the toolbar, but they
can however be deleted from the Library folder.
"The average user, who can't find their Library folder with two
mice and a spotlight, is stuck. It would take all of 30 seconds for
me to pick out a nice porn image, make it the icon of a widget,
drop it in your dashboard and you're stuck with it. It doesn't
even need any Javascript," Stephan added.
Stephan has also created the zaptastic_evil widget, which
redirects the user's browser to a Web site every time the widget
Dashboard is launched-?and drops the user out of Dashboard,
preventing the widget from being closed."
---- OK ... nice, but there IS a "spotlight", so users CAN easily
find them. In order for them to run, they have to be in the
library folder where Dashboard can find them. Again, no prob.
Hmmm have to try and get "infected", but I bet a simple app in
automater, can easily clean them out.
Oh yeah, if anyone has a problem, give me a call and I will post a
simple automater script. Peace Out.
nuff said.
preferences.
This is not a big deal.
inspected by Apple of course. That's the end of it right there.
damage, and they can't run unless you drop them into your
dashboard. The funny thing is that once that widget is there,
according to Apple, you CANNOT remove it."
Widgets cannot be removed directly from the toolbar, but they
can however be deleted from the Library folder.
"The average user, who can't find their Library folder with two
mice and a spotlight, is stuck. It would take all of 30 seconds for
me to pick out a nice porn image, make it the icon of a widget,
drop it in your dashboard and you're stuck with it. It doesn't
even need any Javascript," Stephan added.
Stephan has also created the zaptastic_evil widget, which
redirects the user's browser to a Web site every time the widget
Dashboard is launched-?and drops the user out of Dashboard,
preventing the widget from being closed."
---- OK ... nice, but there IS a "spotlight", so users CAN easily
find them. In order for them to run, they have to be in the
library folder where Dashboard can find them. Again, no prob.
Hmmm have to try and get "infected", but I bet a simple app in
automater, can easily clean them out.
Oh yeah, if anyone has a problem, give me a call and I will post a
simple automater script. Peace Out.
nuff said.
preferences.
This is not a big deal.
inspected by Apple of course. That's the end of it right there.
damage... they can execute shell scripts & unix commands, as well
as applescript... meaning they can delete your hard drive, etc.
Bad news.
damage... they can execute shell scripts & unix commands, as well
as applescript... meaning they can delete your hard drive, etc.
Bad news.
find it in Dashboard and open it yourself.
Widgets run in a sandbox. If it has any sophistication, it has an
application in it, and the system ASKS you if you want to run it. If
it does anything with the system, the system REQUIRES an
administrator password. Any bad widget has to be social
engineering based - the user needs to be tricked into running it.
Widgets can be easily closed, you don't need Activity Viewer or
any such thing. Click the big "X" in the corner of the screen and
all widgets get close buttons. Or, simply hold down Option and
mouse over a widget, and a close button will appear - no matter
if it was programmed to show one or not.
No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. The system does all it can -
makes you open it, asks if you really wanted to run an app,
requires admin authorization to do system stuff, even lets you
turn off automatically making the widget available at all.
This is another tempest in a teapot.
are tricked into authorizing something bad to happen. You can't
blame the system software authors. "
Seems everyone blames MS when that happens.
find it in Dashboard and open it yourself.
Widgets run in a sandbox. If it has any sophistication, it has an
application in it, and the system ASKS you if you want to run it. If
it does anything with the system, the system REQUIRES an
administrator password. Any bad widget has to be social
engineering based - the user needs to be tricked into running it.
Widgets can be easily closed, you don't need Activity Viewer or
any such thing. Click the big "X" in the corner of the screen and
all widgets get close buttons. Or, simply hold down Option and
mouse over a widget, and a close button will appear - no matter
if it was programmed to show one or not.
No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. The system does all it can -
makes you open it, asks if you really wanted to run an app,
requires admin authorization to do system stuff, even lets you
turn off automatically making the widget available at all.
This is another tempest in a teapot.
are tricked into authorizing something bad to happen. You can't
blame the system software authors. "
Seems everyone blames MS when that happens.
find feature of Tiger), that is another matter. Using Spotlight, a user
can find their widgets. In the Search box, if you type in "widget"
you'll quickly find the pesky widget to delete.
find feature of Tiger), that is another matter. Using Spotlight, a user
can find their widgets. In the Search box, if you type in "widget"
you'll quickly find the pesky widget to delete.
preference panes and allows you to turn off widgets you don't want
to have loaded or remove them (moves the widget to the trash).
Pretty handy.
preference panes and allows you to turn off widgets you don't want
to have loaded or remove them (moves the widget to the trash).
Pretty handy.
That is all it takes. Do that to the widget directory and there is no way to get mal-widge installed without admin ok.
Next chicken little story!
The VAST MAJORITY of Apple users have no idea what chmod even is, let alone how to use it.
If this same situation were to arise on Windows, everyone would be all over MS for this "security hole", yet when it happens to beloved Apple it's a "chicken little" story.
Hypocrites.
That is all it takes. Do that to the widget directory and there is no way to get mal-widge installed without admin ok.
Next chicken little story!
The VAST MAJORITY of Apple users have no idea what chmod even is, let alone how to use it.
If this same situation were to arise on Windows, everyone would be all over MS for this "security hole", yet when it happens to beloved Apple it's a "chicken little" story.
Hypocrites.
stuff. I haven't gotten around to writing my own yet but I do
understand the architecture and I HIGHLY doubt his assertion.
Widgets are basically web pages. I believe the perferred
language is javascript. The underlying architecture is Apple's
webcore.
So, unless you can craft a web page that can run arbitrary code
on your Mac, you shouldn't be able to create a widget that runs
arbitrary code on your mac. The dashboard vulnerability
REQUIRES another vulnerability to take advantage of. This is, as
yet, a 'sky is falling' story.
with the widget. architecture Apple built for them. In addition,
widgets can also make use of Cocoa for even more extensive
functionality. While this makes them as dangerous as applications,
it also makes them as powerful as applications. As I've commented
above, this has been blown completely out of proportion.
stuff. I haven't gotten around to writing my own yet but I do
understand the architecture and I HIGHLY doubt his assertion.
Widgets are basically web pages. I believe the perferred
language is javascript. The underlying architecture is Apple's
webcore.
So, unless you can craft a web page that can run arbitrary code
on your Mac, you shouldn't be able to create a widget that runs
arbitrary code on your mac. The dashboard vulnerability
REQUIRES another vulnerability to take advantage of. This is, as
yet, a 'sky is falling' story.
with the widget. architecture Apple built for them. In addition,
widgets can also make use of Cocoa for even more extensive
functionality. While this makes them as dangerous as applications,
it also makes them as powerful as applications. As I've commented
above, this has been blown completely out of proportion.
First of all, you HAVE to intentionally drag the darn things into
your Dashboard. Second, you have to authorize it. Third even
if you do ALL of that, then any devious actions are
compartmentalized. DOH ... windows can't even do that!
The part of the story that kind of REALLY pissed me off were the
blatantly false and misleading statements. Coloring a statement
by leaving out its original context is flat out lying. I don't play
that stupid child games. News stories are supposed to be about
facts, not twists on words. #1 -- You cannot remove a widget
from the Dashboard. Of course the next statement they tell you
where it is located. ??? *** ???
- NOT A BIG DEAL
- by Thomas, David May 10, 2005 7:37 AM PDT
- Look the article contradicts itself ... see my previous post.
- Like this Reply to this comment
-
-
- WHY?!
- by Thomas, David May 10, 2005 7:39 AM PDT
- Because the article is pure sensationalism
- Like this
-
Showing 1 of 2 pages (102 Comments)First of all, you HAVE to intentionally drag the darn things into
your Dashboard. Second, you have to authorize it. Third even
if you do ALL of that, then any devious actions are
compartmentalized. DOH ... windows can't even do that!
The part of the story that kind of REALLY pissed me off were the
blatantly false and misleading statements. Coloring a statement
by leaving out its original context is flat out lying. I don't play
that stupid child games. News stories are supposed to be about
facts, not twists on words. #1 -- You cannot remove a widget
from the Dashboard. Of course the next statement they tell you
where it is located. ??? *** ???