May 9, 2005 5:20 PM PDT

Mac malware door creaks open

Dashboard, one of the much-publicized features of Apple Computer's latest OS, Tiger, could be ripe for exploitation by porn scammers.

Apple has been encouraging developers to create new widgets for Tiger's Dashboard--a semi-transparent layer of everyday, often-used applications such as a calculator or currency converter that appears over the user's desktop--but within days of its public release, one developer claims to have already found a way to turn widgets into potential malicious software.

Developer Stephan, who has posted the widgets to his blog, has created two mini-apps which he describes as "slightly evil." One widget, he says, will automatically install itself on users' desktops when his "Zaptastic" Web site is visited using Apple's Safari browser.

This, according to Stephan, is a golden opportunity for porn scammers, enabling them to auto-install widgets that can hijack browsers.

According to Stephan's blog: "I happen to like (auto-install). I think it's a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.

"That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it."

Widgets cannot be removed directly from the toolbar, but they can be deleted from the Library folder.

"The average user, who can't find their Library folder with two mice and a spotlight, is stuck. It would take all of 30 seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard and you're stuck with it. It doesn't even need any Javascript," Stephan added.

Stephan has also created the zaptastic_evil widget, which redirects the user's browser to a Web site every time the widget Dashboard is launched--and drops the user out of Dashboard, preventing the widget from being closed.

A fellow blogger, going by the name of Aaron, has created a series of widgets that closely resemble Apple's own set of widgets and can be used to displace the genuine ones. One of these fake widgets can run with full system access without the user's express permission.

Apple declined to comment for this report.

Despite the potential for mayhem, Mac users can simply kill the widgets by deleting them from their Library folder and using Activity Monitor to kill any instance of the widget already running.

Jo Best of Silicon.com reported from London.
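
The cleanup advice in the article depends on knowing what is sitting in the widget folder. As an added example (not code from the article, the bloggers it quotes, or Apple), this Python script inventories `.wdgt` bundles and flags those that request broad access or reuse a system widget's identifier. Assumptions not stated in the article: the per-user folder is `~/Library/Widgets` with system widgets in `/Library/Widgets`, the access keys are Dashboard's `Info.plist` keys, a look-alike is recognised by a reused `CFBundleIdentifier`, and the function names, identifiers and sample bundles are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Info.plist keys with which a widget asks for access beyond its own bundle.
ACCESS_KEYS = ("AllowFullAccess", "AllowSystem", "AllowFileAccessOutsideOfWidget",
               "AllowNetworkAccess", "AllowInternetPlugins", "AllowJava")

def audit_widgets(widget_dir, system_ids=frozenset()):
    """Inventory *.wdgt bundles and flag the ones worth a closer look."""
    findings = []
    for bundle in sorted(Path(widget_dir).glob("*.wdgt")):
        entry = {"bundle": bundle.name, "id": None, "requests": [], "flags": []}
        try:
            with open(bundle / "Info.plist", "rb") as fh:
                info = plistlib.load(fh)
            if not isinstance(info, dict):
                raise ValueError("Info.plist root is not a dictionary")
        except (OSError, ValueError, ExpatError):
            # A bundle without a parsable manifest cannot be vetted: flag it.
            entry["flags"].append("unreadable-manifest")
            findings.append(entry)
            continue
        bundle_id = info.get("CFBundleIdentifier")
        entry["id"] = bundle_id if isinstance(bundle_id, str) else None
        entry["requests"] = [k for k in ACCESS_KEYS if info.get(k) is True]
        if {"AllowFullAccess", "AllowSystem"} & set(entry["requests"]):
            entry["flags"].append("elevated-access")
        if entry["id"] in system_ids:  # same identifier as a system widget
            entry["flags"].append("shadows-system-widget")
        findings.append(entry)
    return findings

def build_sample(root):
    """Constructed sample data: three fake bundles, no real widget content."""
    samples = {
        "Weather Lite.wdgt": {"CFBundleIdentifier": "com.example.weatherlite",
                              "AllowNetworkAccess": True},
        "Calculator.wdgt": {"CFBundleIdentifier": "com.example.vendor.calculator",
                            "AllowFullAccess": True},
    }
    for name, info in samples.items():
        (Path(root) / name).mkdir()
        with open(Path(root) / name / "Info.plist", "wb") as fh:
            plistlib.dump(info, fh)
    (Path(root) / "Broken.wdgt").mkdir()
    (Path(root) / "Broken.wdgt" / "Info.plist").write_bytes(b"not a plist")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_widgets(build_sample(tmp), {"com.example.vendor.calculator"}):
            print(f["bundle"], f["id"], f["requests"], f["flags"])
```

On a real machine, `system_ids` would be the identifiers collected by running the same audit over the system widget folder first.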

128 comments (Showing first 20 comments)
Really Now?
by Thomas, David May 9, 2005 6:17 PM PDT
""That's not such a big deal; by default, widgets can't do much
damage, and they can't run unless you drop them into your
dashboard. The funny thing is that once that widget is there,
according to Apple, you CANNOT remove it."

Widgets cannot be removed directly from the toolbar, but they
can however be deleted from the Library folder.

"The average user, who can't find their Library folder with two
mice and a spotlight, is stuck. It would take all of 30 seconds for
me to pick out a nice porn image, make it the icon of a widget,
drop it in your dashboard and you're stuck with it. It doesn't
even need any Javascript," Stephan added.

Stephan has also created the zaptastic_evil widget, which
redirects the user's browser to a Web site every time the widget
Dashboard is launched--and drops the user out of Dashboard,
preventing the widget from being closed."

---- OK ... nice, but there IS a "spotlight", so users CAN easily
find them. In order for them to run, they have to be in the
library folder where Dashboard can find them. Again, no prob.
Hmmm have to try and get "infected", but I bet a simple app in
Automator can easily clean them out.

Oh yeah, if anyone has a problem, give me a call and I will post a
simple Automator script. Peace Out.

nuff said.
Sounds like a cat-flap to me
by Andrew J Glina May 9, 2005 6:36 PM PDT
This is hardly serious. The article itself says that dashboard apps cannot do much damage. (Anyone know what they can do?)
apple update coming?
by Dibbs May 9, 2005 7:58 PM PDT
i think apple does a pretty good job fixing bugs. maybe this one will be taken care of in the usual manner. i'm not that concerned about it.
Tempest in a Teapot
by lepton68 May 9, 2005 8:46 PM PDT
The "malware" Widget is installed but doesn't open. You have to
find it in Dashboard and open it yourself.

Widgets run in a sandbox. If it has any sophistication, it has an
application in it, and the system ASKS you if you want to run it. If
it does anything with the system, the system REQUIRES an
administrator password. Any bad widget has to be social
engineering based - the user needs to be tricked into running it.

Widgets can be easily closed, you don't need Activity Viewer or
any such thing. Click the big "X" in the corner of the screen and
all widgets get close buttons. Or, simply hold down Option and
mouse over a widget, and a close button will appear - no matter
if it was programmed to show one or not.

No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. The system does all it can -
makes you open it, asks if you really wanted to run an app,
requires admin authorization to do system stuff, even lets you
turn off automatically making the widget available at all.

This is another tempest in a teapot.
2 mice & a spotlight
by May 10, 2005 3:37 AM PDT
A spotlight might not be of much help, but Spotlight (the updated
find feature of Tiger), that is another matter. Using Spotlight, a user
can find their widgets. In the Search box, if you type in "widget"
you'll quickly find the pesky widget to delete.
Widget Manager
by May 10, 2005 6:07 AM PDT
There is a program called Widget Manager that installs into the
preference panes and allows you to turn off widgets you don't want
to have loaded or remove them (moves the widget to the trash).
Pretty handy.
This is news?
by Below Meigh May 10, 2005 6:45 AM PDT
chmod 755

That is all it takes. Do that to the widget directory and there is no way to get mal-widge installed without admin ok.

Next chicken little story!
This is bad, very bad
by aabcdefghij987654321 May 10, 2005 6:58 AM PDT
Drive-by installs are bad, always bad. If the default is that just visiting a site can leave you with additional software on your machine then you've got a situation that's ripe for exploitation. That the demonstration example is so innocuous shouldn't leave you feeling this is not a problem and years of similar problems with Windows boxes should make you aware of how well social engineering works in getting users to perform actions they shouldn't.
What damage can it do
by May 10, 2005 7:30 AM PDT
Someone posited earlier that a widget can do all kinds of nasty
stuff. I haven't gotten around to writing my own yet but I do
understand the architecture and I HIGHLY doubt his assertion.
Widgets are basically web pages. I believe the preferred
language is javascript. The underlying architecture is Apple's
webcore.
So, unless you can craft a web page that can run arbitrary code
on your Mac, you shouldn't be able to create a widget that runs
arbitrary code on your mac. The dashboard vulnerability
REQUIRES another vulnerability to take advantage of. This is, as
yet, a 'sky is falling' story.
NOT A BIG DEAL
by Thomas, David May 10, 2005 7:37 AM PDT
Look the article contradicts itself ... see my previous post.

First of all, you HAVE to intentionally drag the darn things into
your Dashboard. Second, you have to authorize it. Third even
if you do ALL of that, then any devious actions are
compartmentalized. DOH ... windows can't even do that!

The part of the story that kind of REALLY pissed me off were the
blatantly false and misleading statements. Coloring a statement
by leaving out its original context is flat out lying. I don't play
those stupid child games. News stories are supposed to be about
facts, not twists on words. #1 -- You cannot remove a widget
from the Dashboard. Of course the next statement they tell you
where it is located. ??? *** ???