May 9, 2005 5:20 PM PDT

Mac malware door creaks open

Related Stories

Apple: Widget writers wanted

December 9, 2004

Mac users face rare threat

October 25, 2004

Apple: Open-source pedigree will protect Tiger

September 1, 2004
Dashboard, one of the much-publicized features of Apple Computer's latest OS, Tiger, could be ripe for exploitation by porn scammers.

Apple has been encouraging developers to create new widgets for Tiger's Dashboard--a semi-transparent layer of everyday, often-used applications such as a calculator or currency converter that appears over the user's desktop--but within days of its public release, one developer claims to have already found a way to turn widgets into potential malicious software.

Developer Stephan, who has posted the widgets to his blog, has created two mini-apps which he describes as "slightly evil." One widget, he says, will automatically install itself on users' desktops when his "Zaptastic" Web site is visited using Apple's Safari browser.

This, according to Stephan, is a golden opportunity for porn scammers, enabling them to auto-install widgets that can hijack browsers.

According to Stephan's blog: "I happen to like (auto-install). I think it's a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.

"That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it."

Widgets cannot be removed directly from the toolbar, but they can however be deleted from the Library folder.

"The average user, who can't find their Library folder with two mice and a spotlight, is stuck. It would take all of 30 seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard and you're stuck with it. It doesn't even need any Javascript," Stephan added.

Stephan has also created the zaptastic_evil widget, which redirects the user's browser to a Web site every time the widget Dashboard is launched--and drops the user out of Dashboard, preventing the widget from being closed.

A fellow blogger, going by the name of Aaron, has created a series of widgets that closely resemble Apple's own set of widgets and can be used to displace the genuine ones. One of these fake widgets can run with full system access without the user's express permission.

Apple declined to comment for this report.

Despite the potential for mayhem, Mac users can simply kill the widgets by deleting them from their Library folder, and using Activity Monitor to kill any instance of the widget already running.

Jo Best of Silicon.com reported from London.

102 comments

Join the conversation!
Add your comment
Really Now?
""That's not such a big deal; by default, widgets can't do much
damage, and they can't run unless you drop them into your
dashboard. The funny thing is that once that widget is there,
according to Apple, you CANNOT remove it."

Widgets cannot be removed directly from the toolbar, but they
can however be deleted from the Library folder.

"The average user, who can't find their Library folder with two
mice and a spotlight, is stuck. It would take all of 30 seconds for
me to pick out a nice porn image, make it the icon of a widget,
drop it in your dashboard and you're stuck with it. It doesn't
even need any Javascript," Stephan added.

Stephan has also created the zaptastic_evil widget, which
redirects the user's browser to a Web site every time the widget
Dashboard is launched-and drops the user out of Dashboard,
preventing the widget from being closed."

---- OK ... nice, but there IS a "spotlight", so users CAN easily
find them. In order for them to run, they have to be in the
library folder where Dashboard can find them. Again, no prob.
Hmmm have to try and get "infected", but I bet a simple app in
automater, can easily clean them out.

Oh yeah, if anyone has a problem, give me a call and I will post a
simple automater script. Peace Out.

nuff said.
Posted by Thomas, David (1947 comments )
Reply Link Flag
easy to fix
Just turn off "open 'safe' file after downloading" in Safari
preferences.
This is not a big deal.
Posted by 198775425444042216790779840523 (102 comments )
Link Flag
No issue
There is no issue IMO. All widgets submitted for review would be
inspected by Apple of course. That's the end of it right there.
Posted by (22 comments )
Link Flag
Really Now?
""That's not such a big deal; by default, widgets can't do much
damage, and they can't run unless you drop them into your
dashboard. The funny thing is that once that widget is there,
according to Apple, you CANNOT remove it."

Widgets cannot be removed directly from the toolbar, but they
can however be deleted from the Library folder.

"The average user, who can't find their Library folder with two
mice and a spotlight, is stuck. It would take all of 30 seconds for
me to pick out a nice porn image, make it the icon of a widget,
drop it in your dashboard and you're stuck with it. It doesn't
even need any Javascript," Stephan added.

Stephan has also created the zaptastic_evil widget, which
redirects the user's browser to a Web site every time the widget
Dashboard is launched-and drops the user out of Dashboard,
preventing the widget from being closed."

---- OK ... nice, but there IS a "spotlight", so users CAN easily
find them. In order for them to run, they have to be in the
library folder where Dashboard can find them. Again, no prob.
Hmmm have to try and get "infected", but I bet a simple app in
automater, can easily clean them out.

Oh yeah, if anyone has a problem, give me a call and I will post a
simple automater script. Peace Out.

nuff said.
Posted by Thomas, David (1947 comments )
Reply Link Flag
easy to fix
Just turn off "open 'safe' file after downloading" in Safari
preferences.
This is not a big deal.
Posted by 198775425444042216790779840523 (102 comments )
Link Flag
No issue
There is no issue IMO. All widgets submitted for review would be
inspected by Apple of course. That's the end of it right there.
Posted by (22 comments )
Link Flag
Sounds like a cat-flap to me
This is hardly serious. The article itself says that dashboard apps cannot do much damage. (Anyone know what they can do?)
Posted by Andrew J Glina (1673 comments )
Reply Link Flag
really a non issure
They can't do anything without your password.
Posted by 198775425444042216790779840523 (102 comments )
Link Flag
Major Damage
I'm an apple lover.... unfortunately, the widgets can do MAJOR
damage... they can execute shell scripts & unix commands, as well
as applescript... meaning they can delete your hard drive, etc.

Bad news.
Posted by mahuti (24 comments )
Link Flag
Sounds like a cat-flap to me
This is hardly serious. The article itself says that dashboard apps cannot do much damage. (Anyone know what they can do?)
Posted by Andrew J Glina (1673 comments )
Reply Link Flag
really a non issure
They can't do anything without your password.
Posted by 198775425444042216790779840523 (102 comments )
Link Flag
Major Damage
I'm an apple lover.... unfortunately, the widgets can do MAJOR
damage... they can execute shell scripts & unix commands, as well
as applescript... meaning they can delete your hard drive, etc.

Bad news.
Posted by mahuti (24 comments )
Link Flag
apple update coming?
i think apple does a pretty good job fixing bugs. maybe this one will be taken care of in the usual manner. i'm not that concerned about it.
Posted by Dibbs (158 comments )
Reply Link Flag
apple update coming?
i think apple does a pretty good job fixing bugs. maybe this one will be taken care of in the usual manner. i'm not that concerned about it.
Posted by Dibbs (158 comments )
Reply Link Flag
Tempest in a Teapot
The "malware" Widget is installed but doesn't open. You have to
find it in Dashboard and open it yourself.

Widgets run in a sandbox. If it has any sophistication, it has an
application in it, and the system ASKS you if you want to run it. If
it does anything with the system, the system REQUIRES an
administrator password. Any bad widget has to be social
engineering based - the user needs to be tricked into running it.

Widgets can be easily closed, you don't need Activity Viewer or
any such thing. Click the big "X" in the corner of the screen and
all widgets get close buttons. Or, simply hold down Option and
mouse over a widget, and a close button will appear - no matter
if it was programmed to show one or not.

No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. The system does all it can -
makes you open it, asks if you really wanted to run an app,
requires admin authorization to do system stuff, even lets you
turn off automatically making the widget available at all.

This is another tempest in a teapot.
Posted by lepton68 (28 comments )
Reply Link Flag
Indoctrination
I think the Apple crew have been listening to too many M$ bulletins.
Posted by (409 comments )
Link Flag
Yeah?
"No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. "

Seems everyone blames MS when that happens.
Posted by Sboston (498 comments )
Link Flag
Tempest in a Teapot
The "malware" Widget is installed but doesn't open. You have to
find it in Dashboard and open it yourself.

Widgets run in a sandbox. If it has any sophistication, it has an
application in it, and the system ASKS you if you want to run it. If
it does anything with the system, the system REQUIRES an
administrator password. Any bad widget has to be social
engineering based - the user needs to be tricked into running it.

Widgets can be easily closed, you don't need Activity Viewer or
any such thing. Click the big "X" in the corner of the screen and
all widgets get close buttons. Or, simply hold down Option and
mouse over a widget, and a close button will appear - no matter
if it was programmed to show one or not.

No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. The system does all it can -
makes you open it, asks if you really wanted to run an app,
requires admin authorization to do system stuff, even lets you
turn off automatically making the widget available at all.

This is another tempest in a teapot.
Posted by lepton68 (28 comments )
Reply Link Flag
Indoctrination
I think the Apple crew have been listening to too many M$ bulletins.
Posted by (409 comments )
Link Flag
Yeah?
"No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. "

Seems everyone blames MS when that happens.
Posted by Sboston (498 comments )
Link Flag
2 mice & a spotlight
A spotlight might not be of much help, but Spotlight (the updated
find feature of Tiger), that is another matter. Using Spotlight, a user
can find their widgets. In the Search box, if you type in "widget"
you'll quickly find the pesky widget to delete.
Posted by (5 comments )
Reply Link Flag
2 mice & a spotlight
A spotlight might not be of much help, but Spotlight (the updated
find feature of Tiger), that is another matter. Using Spotlight, a user
can find their widgets. In the Search box, if you type in "widget"
you'll quickly find the pesky widget to delete.
Posted by (5 comments )
Reply Link Flag
Widget Manager
There is a program called Widget Manager that installs into the
preference panes and allows you to turn off widgets you don't want
to have loaded or remove them (moves the widget to the trash).
Pretty handy.
Posted by (3 comments )
Reply Link Flag
Widget Manager
There is a program called Widget Manager that installs into the
preference panes and allows you to turn off widgets you don't want
to have loaded or remove them (moves the widget to the trash).
Pretty handy.
Posted by (3 comments )
Reply Link Flag
This is news?
chmod 755

That is all it takes. Do that to the widget directory and there is no way to get mal-widge installed without admin ok.

Next chicken little story!
Posted by Below Meigh (249 comments )
Reply Link Flag
um, chmod??? Are you serious???
You get the ******* post of the day award.

The VAST MAJORITY of Apple users have no idea what chmod even is, let alone how to use it.

If this same situation were to arise on Windows, everyone would be all over MS for this "security hole", yet when it happens to beloved Apple it's a "chicken little" story.

Hypocrites.
Posted by (127 comments )
Link Flag
This is news?
chmod 755

That is all it takes. Do that to the widget directory and there is no way to get mal-widge installed without admin ok.

Next chicken little story!
Posted by Below Meigh (249 comments )
Reply Link Flag
um, chmod??? Are you serious???
You get the ******* post of the day award.

The VAST MAJORITY of Apple users have no idea what chmod even is, let alone how to use it.

If this same situation were to arise on Windows, everyone would be all over MS for this "security hole", yet when it happens to beloved Apple it's a "chicken little" story.

Hypocrites.
Posted by (127 comments )
Link Flag
This is bad, very bad
Drive-by installs are bad, always bad. If the default is that just visiting a site can leave with additional software on your machine then you've got a situation that's ripe for exploitation. That the demonstration example is so innocuous shouldn't leave you feeling this is not a problem and years of similar problems with Windows boxes should make you aware of how well social engineering works in getting users to perform actions they shouldn't.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
This is bad, very bad
Drive-by installs are bad, always bad. If the default is that just visiting a site can leave with additional software on your machine then you've got a situation that's ripe for exploitation. That the demonstration example is so innocuous shouldn't leave you feeling this is not a problem and years of similar problems with Windows boxes should make you aware of how well social engineering works in getting users to perform actions they shouldn't.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
What damage can it do
Someone posited earlier that a widget can do all kinds of nasty
stuff. I haven't gotten around to writing my own yet but I do
understand the architecture and I HIGHLY doubt his assertion.
Widgets are basically web pages. I believe the perferred
language is javascript. The underlying architecture is Apple's
webcore.
So, unless you can craft a web page that can run arbitrary code
on your Mac, you shouldn't be able to create a widget that runs
arbitrary code on your mac. The dashboard vulnerability
REQUIRES another vulnerability to take advantage of. This is, as
yet, a 'sky is falling' story.
Posted by (3 comments )
Reply Link Flag
Actually
Actually, widgets can issue terminal commands from JavaScript
with the widget. architecture Apple built for them. In addition,
widgets can also make use of Cocoa for even more extensive
functionality. While this makes them as dangerous as applications,
it also makes them as powerful as applications. As I've commented
above, this has been blown completely out of proportion.
Posted by bbatsell (57 comments )
Link Flag
What damage can it do
Someone posited earlier that a widget can do all kinds of nasty
stuff. I haven't gotten around to writing my own yet but I do
understand the architecture and I HIGHLY doubt his assertion.
Widgets are basically web pages. I believe the perferred
language is javascript. The underlying architecture is Apple's
webcore.
So, unless you can craft a web page that can run arbitrary code
on your Mac, you shouldn't be able to create a widget that runs
arbitrary code on your mac. The dashboard vulnerability
REQUIRES another vulnerability to take advantage of. This is, as
yet, a 'sky is falling' story.
Posted by (3 comments )
Reply Link Flag
Actually
Actually, widgets can issue terminal commands from JavaScript
with the widget. architecture Apple built for them. In addition,
widgets can also make use of Cocoa for even more extensive
functionality. While this makes them as dangerous as applications,
it also makes them as powerful as applications. As I've commented
above, this has been blown completely out of proportion.
Posted by bbatsell (57 comments )
Link Flag
NOT A BIG DEAL
Look the article contradicts itself ... see my previous post.

First of all, you HAVE to intentionally drag the darn things into
your Dashboard. Second, you have to authorize it. Third even
if you do ALL of that, then any devious actions are
compartmentalized. DOH ... windows can't even do that!

The part of the story that kind of REALLY pissed me off were the
blatantly false and misleading statements. Coloring a statement
by leaving out its original context is flat out lying. I don't play
that stupid child games. News stories are supposed to be about
facts, not twists on words. #1 -- You cannot remove a widget
from the Dashboard. Of course the next statement they tell you
where it is located. ??? *** ???
Posted by Thomas, David (1947 comments )
Reply Link Flag
WHY?!
Because the article is pure sensationalism
Posted by Thomas, David (1947 comments )
Link Flag
NOT A BIG DEAL
Look the article contradicts itself ... see my previous post.

First of all, you HAVE to intentionally drag the darn things into
your Dashboard. Second, you have to authorize it. Third even
if you do ALL of that, then any devious actions are
compartmentalized. DOH ... windows can't even do that!

The part of the story that kind of REALLY pissed me off were the
blatantly false and misleading statements. Coloring a statement
by leaving out its original context is flat out lying. I don't play
that stupid child games. News stories are supposed to be about
facts, not twists on words. #1 -- You cannot remove a widget
from the Dashboard. Of course the next statement they tell you
where it is located. ??? *** ???
Posted by Thomas, David (1947 comments )
Reply Link Flag
WHY?!
Because the article is pure sensationalism
Posted by Thomas, David (1947 comments )
Link Flag
What's next?
two button mice, expensive software, increased vulnerabilities, security patches being released, viruses, malware, etc...

the merging of mac and peecees begins, and my mac weeps.

there has never been, nor will there ever be a totally secure, virus/malware/spyware/adware free OS...period. Just keep patching the holes that were overlooked at release and update the OS as bad guys attack.
Posted by (34 comments )
Reply Link Flag
bravo!
"there has never been, nor will there ever be a totally secure, virus/malware/spyware/adware free OS...period"

That's the single most enlightened post I've seen on news.com related to security... ever.
Posted by (54 comments )
Link Flag
What's next?
two button mice, expensive software, increased vulnerabilities, security patches being released, viruses, malware, etc...

the merging of mac and peecees begins, and my mac weeps.

there has never been, nor will there ever be a totally secure, virus/malware/spyware/adware free OS...period. Just keep patching the holes that were overlooked at release and update the OS as bad guys attack.
Posted by (34 comments )
Reply Link Flag
bravo!
"there has never been, nor will there ever be a totally secure, virus/malware/spyware/adware free OS...period"

That's the single most enlightened post I've seen on news.com related to security... ever.
Posted by (54 comments )
Link Flag
Another non-story, hyped by security firm PR & taken at face value by CNet
If you actually understand this "exploit," you'd know that a whole chain of events would be required in order to download the "malware" (which wouldn't be "malware" at all in the trash-your-Windows-computer sense).

Couple that with the fact that Apple historically fixes these problems about 10 times faster than Microsoft, and it's a non-issue for Apple users themselves.

Makes for a lot of fodder for haters, though. ;-)
Posted by M C (598 comments )
Reply Link Flag
And to clarify...
This story was not broken by "Zaptastic." He just loves the press attention.
Posted by M C (598 comments )
Link Flag
Another non-story, hyped by security firm PR & taken at face value by CNet
If you actually understand this "exploit," you'd know that a whole chain of events would be required in order to download the "malware" (which wouldn't be "malware" at all in the trash-your-Windows-computer sense).

Couple that with the fact that Apple historically fixes these problems about 10 times faster than Microsoft, and it's a non-issue for Apple users themselves.

Makes for a lot of fodder for haters, though. ;-)
Posted by M C (598 comments )
Reply Link Flag
And to clarify...
This story was not broken by "Zaptastic." He just loves the press attention.
Posted by M C (598 comments )
Link Flag
How many Apple users even know chmod?
You get the ******* post of the day award.

The VAST MAJORITY of Apple users have no idea what chmod even is, let alone how to use it.

If this same situation were to arise on Windows, everyone would be all over MS for this "security hole", yet when it happens to beloved Apple it's a "chicken little" story.

Hypocrites.
Posted by (127 comments )
Reply Link Flag
...or use Finder
Use "get info" in Finder to change file permissions... Anyone can do
that.
Posted by (2 comments )
Link Flag
CHMOD
As in my earlier post, there really is no issue. But I know how to
use chmod, I have a few times...
Posted by (22 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.