Mac malware door creaks open

Dashboard, one of the much-publicized features of Apple Computer's latest OS, Tiger, could be ripe for exploitation by porn scammers.

Apple has been encouraging developers to create new widgets for Tiger's Dashboard--a semi-transparent layer of everyday, often-used applications such as a calculator or currency converter that appears over the user's desktop--but within days of its public release, one developer claims to have already found a way to turn widgets into potential malicious software.

Developer Stephan, who has posted the widgets to his blog, has created two mini-apps which he describes as "slightly evil." One widget, he says, will automatically install itself on users' desktops when his "Zaptastic" Web site is visited using Apple's Safari browser.

This, according to Stephan, is a golden opportunity for porn scammers, enabling them to auto-install widgets that can hijack browsers.

According to Stephan's blog: "I happen to like (auto-install). I think it's a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.

"That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it."

Widgets cannot be removed directly from the toolbar, but they can however be deleted from the Library folder.

"The average user, who can't find their Library folder with two mice and a spotlight, is stuck. It would take all of 30 seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard and you're stuck with it. It doesn't even need any Javascript," Stephan added.

Stephan has also created the zaptastic_evil widget, which redirects the user's browser to a Web site every time the widget Dashboard is launched--and drops the user out of Dashboard, preventing the widget from being closed.

A fellow blogger, going by the name of Aaron, has created a series of widgets that closely resemble Apple's own set of widgets and can be used to displace the genuine ones. One of these fake widgets can run with full system access without the user's express permission.

Apple declined to comment for this report.

Despite the potential for mayhem, Mac users can simply kill the widgets by deleting them from their Library folder, and using Activity Monitor to kill any instance of the widget already running.

Jo Best of Silicon.com reported from London.

[Thomas, David]

Really Now?

""That's not such a big deal; by default, widgets can't do much
damage, and they can't run unless you drop them into your
dashboard. The funny thing is that once that widget is there,
according to Apple, you CANNOT remove it."

Widgets cannot be removed directly from the toolbar, but they
can however be deleted from the Library folder.

"The average user, who can't find their Library folder with two
mice and a spotlight, is stuck. It would take all of 30 seconds for
me to pick out a nice porn image, make it the icon of a widget,
drop it in your dashboard and you're stuck with it. It doesn't
even need any Javascript," Stephan added.

Stephan has also created the zaptastic_evil widget, which
redirects the user's browser to a Web site every time the widget
Dashboard is launched-and drops the user out of Dashboard,
preventing the widget from being closed."

---- OK ... nice, but there IS a "spotlight", so users CAN easily
find them. In order for them to run, they have to be in the
library folder where Dashboard can find them. Again, no prob.
Hmmm have to try and get "infected", but I bet a simple app in
automater, can easily clean them out.

Oh yeah, if anyone has a problem, give me a call and I will post a
simple automater script. Peace Out.

nuff said.

[198775425444042216790779840523]

easy to fix

Just turn off "open 'safe' file after downloading" in Safari
preferences.
This is not a big deal.

No issue

There is no issue IMO. All widgets submitted for review would be
inspected by Apple of course. That's the end of it right there.

[Thomas, David]

Really Now?

""That's not such a big deal; by default, widgets can't do much
damage, and they can't run unless you drop them into your
dashboard. The funny thing is that once that widget is there,
according to Apple, you CANNOT remove it."

Widgets cannot be removed directly from the toolbar, but they
can however be deleted from the Library folder.

"The average user, who can't find their Library folder with two
mice and a spotlight, is stuck. It would take all of 30 seconds for
me to pick out a nice porn image, make it the icon of a widget,
drop it in your dashboard and you're stuck with it. It doesn't
even need any Javascript," Stephan added.

Stephan has also created the zaptastic_evil widget, which
redirects the user's browser to a Web site every time the widget
Dashboard is launched-and drops the user out of Dashboard,
preventing the widget from being closed."

---- OK ... nice, but there IS a "spotlight", so users CAN easily
find them. In order for them to run, they have to be in the
library folder where Dashboard can find them. Again, no prob.
Hmmm have to try and get "infected", but I bet a simple app in
automater, can easily clean them out.

Oh yeah, if anyone has a problem, give me a call and I will post a
simple automater script. Peace Out.

nuff said.

[198775425444042216790779840523]

easy to fix

Just turn off "open 'safe' file after downloading" in Safari
preferences.
This is not a big deal.

No issue

There is no issue IMO. All widgets submitted for review would be
inspected by Apple of course. That's the end of it right there.

[Andrew J Glina]

Sounds like a cat-flap to me

This is hardly serious. The article itself says that dashboard apps cannot do much damage. (Anyone know what they can do?)

[198775425444042216790779840523]

really a non issure

They can't do anything without your password.

[mahuti]

Major Damage

I'm an apple lover.... unfortunately, the widgets can do MAJOR
damage... they can execute shell scripts & unix commands, as well
as applescript... meaning they can delete your hard drive, etc.

Bad news.

[Andrew J Glina]

Sounds like a cat-flap to me

This is hardly serious. The article itself says that dashboard apps cannot do much damage. (Anyone know what they can do?)

[198775425444042216790779840523]

really a non issure

They can't do anything without your password.

[mahuti]

Major Damage

I'm an apple lover.... unfortunately, the widgets can do MAJOR
damage... they can execute shell scripts & unix commands, as well
as applescript... meaning they can delete your hard drive, etc.

Bad news.

[Dibbs]

apple update coming?

i think apple does a pretty good job fixing bugs. maybe this one will be taken care of in the usual manner. i'm not that concerned about it.

[Dibbs]

apple update coming?

i think apple does a pretty good job fixing bugs. maybe this one will be taken care of in the usual manner. i'm not that concerned about it.

[lepton68]

Tempest in a Teapot

The "malware" Widget is installed but doesn't open. You have to
find it in Dashboard and open it yourself.

Widgets run in a sandbox. If it has any sophistication, it has an
application in it, and the system ASKS you if you want to run it. If
it does anything with the system, the system REQUIRES an
administrator password. Any bad widget has to be social
engineering based - the user needs to be tricked into running it.

Widgets can be easily closed, you don't need Activity Viewer or
any such thing. Click the big "X" in the corner of the screen and
all widgets get close buttons. Or, simply hold down Option and
mouse over a widget, and a close button will appear - no matter
if it was programmed to show one or not.

No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. The system does all it can -
makes you open it, asks if you really wanted to run an app,
requires admin authorization to do system stuff, even lets you
turn off automatically making the widget available at all.

This is another tempest in a teapot.

Indoctrination

I think the Apple crew have been listening to too many M$ bulletins.

[Sboston]

Yeah?

"No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. "

Seems everyone blames MS when that happens.

[lepton68]

Tempest in a Teapot

The "malware" Widget is installed but doesn't open. You have to
find it in Dashboard and open it yourself.

Widgets run in a sandbox. If it has any sophistication, it has an
application in it, and the system ASKS you if you want to run it. If
it does anything with the system, the system REQUIRES an
administrator password. Any bad widget has to be social
engineering based - the user needs to be tricked into running it.

Widgets can be easily closed, you don't need Activity Viewer or
any such thing. Click the big "X" in the corner of the screen and
all widgets get close buttons. Or, simply hold down Option and
mouse over a widget, and a close button will appear - no matter
if it was programmed to show one or not.

No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. The system does all it can -
makes you open it, asks if you really wanted to run an app,
requires admin authorization to do system stuff, even lets you
turn off automatically making the widget available at all.

This is another tempest in a teapot.

Indoctrination

I think the Apple crew have been listening to too many M$ bulletins.

[Sboston]

Yeah?

"No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. "

Seems everyone blames MS when that happens.

2 mice & a spotlight

A spotlight might not be of much help, but Spotlight (the updated
find feature of Tiger), that is another matter. Using Spotlight, a user
can find their widgets. In the Search box, if you type in "widget"
you'll quickly find the pesky widget to delete.

2 mice & a spotlight

A spotlight might not be of much help, but Spotlight (the updated
find feature of Tiger), that is another matter. Using Spotlight, a user
can find their widgets. In the Search box, if you type in "widget"
you'll quickly find the pesky widget to delete.

Widget Manager

There is a program called Widget Manager that installs into the
preference panes and allows you to turn off widgets you don't want
to have loaded or remove them (moves the widget to the trash).
Pretty handy.

Widget Manager

There is a program called Widget Manager that installs into the
preference panes and allows you to turn off widgets you don't want
to have loaded or remove them (moves the widget to the trash).
Pretty handy.

[Below Meigh]

This is news?

chmod 755

That is all it takes. Do that to the widget directory and there is no way to get mal-widge installed without admin ok.

Next chicken little story!

um, chmod??? Are you serious???

You get the ******* post of the day award.

The VAST MAJORITY of Apple users have no idea what chmod even is, let alone how to use it.

If this same situation were to arise on Windows, everyone would be all over MS for this "security hole", yet when it happens to beloved Apple it's a "chicken little" story.

Hypocrites.

[Below Meigh]

This is news?

chmod 755

That is all it takes. Do that to the widget directory and there is no way to get mal-widge installed without admin ok.

Next chicken little story!

um, chmod??? Are you serious???

You get the ******* post of the day award.

The VAST MAJORITY of Apple users have no idea what chmod even is, let alone how to use it.

If this same situation were to arise on Windows, everyone would be all over MS for this "security hole", yet when it happens to beloved Apple it's a "chicken little" story.

Hypocrites.

[aabcdefghij987654321]

This is bad, very bad

Drive-by installs are bad, always bad. If the default is that just visiting a site can leave with additional software on your machine then you've got a situation that's ripe for exploitation. That the demonstration example is so innocuous shouldn't leave you feeling this is not a problem and years of similar problems with Windows boxes should make you aware of how well social engineering works in getting users to perform actions they shouldn't.

[aabcdefghij987654321]

This is bad, very bad

Drive-by installs are bad, always bad. If the default is that just visiting a site can leave with additional software on your machine then you've got a situation that's ripe for exploitation. That the demonstration example is so innocuous shouldn't leave you feeling this is not a problem and years of similar problems with Windows boxes should make you aware of how well social engineering works in getting users to perform actions they shouldn't.

What damage can it do

Someone posited earlier that a widget can do all kinds of nasty
stuff. I haven't gotten around to writing my own yet but I do
understand the architecture and I HIGHLY doubt his assertion.
Widgets are basically web pages. I believe the perferred
language is javascript. The underlying architecture is Apple's
webcore.
So, unless you can craft a web page that can run arbitrary code
on your Mac, you shouldn't be able to create a widget that runs
arbitrary code on your mac. The dashboard vulnerability
REQUIRES another vulnerability to take advantage of. This is, as
yet, a 'sky is falling' story.

[bbatsell]

Actually

Actually, widgets can issue terminal commands from JavaScript
with the widget. architecture Apple built for them. In addition,
widgets can also make use of Cocoa for even more extensive
functionality. While this makes them as dangerous as applications,
it also makes them as powerful as applications. As I've commented
above, this has been blown completely out of proportion.

What damage can it do

Someone posited earlier that a widget can do all kinds of nasty
stuff. I haven't gotten around to writing my own yet but I do
understand the architecture and I HIGHLY doubt his assertion.
Widgets are basically web pages. I believe the perferred
language is javascript. The underlying architecture is Apple's
webcore.
So, unless you can craft a web page that can run arbitrary code
on your Mac, you shouldn't be able to create a widget that runs
arbitrary code on your mac. The dashboard vulnerability
REQUIRES another vulnerability to take advantage of. This is, as
yet, a 'sky is falling' story.

[bbatsell]

Actually

Actually, widgets can issue terminal commands from JavaScript
with the widget. architecture Apple built for them. In addition,
widgets can also make use of Cocoa for even more extensive
functionality. While this makes them as dangerous as applications,
it also makes them as powerful as applications. As I've commented
above, this has been blown completely out of proportion.

[Thomas, David]

NOT A BIG DEAL

Look the article contradicts itself ... see my previous post.

First of all, you HAVE to intentionally drag the darn things into
your Dashboard. Second, you have to authorize it. Third even
if you do ALL of that, then any devious actions are
compartmentalized. DOH ... windows can't even do that!

The part of the story that kind of REALLY pissed me off were the
blatantly false and misleading statements. Coloring a statement
by leaving out its original context is flat out lying. I don't play
that stupid child games. News stories are supposed to be about
facts, not twists on words. #1 -- You cannot remove a widget
from the Dashboard. Of course the next statement they tell you
where it is located. ??? *** ???

[Thomas, David]

WHY?!

Because the article is pure sensationalism

[Thomas, David]

NOT A BIG DEAL

Look the article contradicts itself ... see my previous post.

First of all, you HAVE to intentionally drag the darn things into
your Dashboard. Second, you have to authorize it. Third even
if you do ALL of that, then any devious actions are
compartmentalized. DOH ... windows can't even do that!

The part of the story that kind of REALLY pissed me off were the
blatantly false and misleading statements. Coloring a statement
by leaving out its original context is flat out lying. I don't play
that stupid child games. News stories are supposed to be about
facts, not twists on words. #1 -- You cannot remove a widget
from the Dashboard. Of course the next statement they tell you
where it is located. ??? *** ???

[Thomas, David]

WHY?!

Because the article is pure sensationalism

What's next?

two button mice, expensive software, increased vulnerabilities, security patches being released, viruses, malware, etc...

the merging of mac and peecees begins, and my mac weeps.

there has never been, nor will there ever be a totally secure, virus/malware/spyware/adware free OS...period. Just keep patching the holes that were overlooked at release and update the OS as bad guys attack.

bravo!

"there has never been, nor will there ever be a totally secure, virus/malware/spyware/adware free OS...period"

That's the single most enlightened post I've seen on news.com related to security... ever.

What's next?

two button mice, expensive software, increased vulnerabilities, security patches being released, viruses, malware, etc...

the merging of mac and peecees begins, and my mac weeps.

there has never been, nor will there ever be a totally secure, virus/malware/spyware/adware free OS...period. Just keep patching the holes that were overlooked at release and update the OS as bad guys attack.

bravo!

"there has never been, nor will there ever be a totally secure, virus/malware/spyware/adware free OS...period"

That's the single most enlightened post I've seen on news.com related to security... ever.

[M C]

Another non-story, hyped by security firm PR & taken at face value by CNet

If you actually understand this "exploit," you'd know that a whole chain of events would be required in order to download the "malware" (which wouldn't be "malware" at all in the trash-your-Windows-computer sense).

Couple that with the fact that Apple historically fixes these problems about 10 times faster than Microsoft, and it's a non-issue for Apple users themselves.

Makes for a lot of fodder for haters, though. ;-)

[M C]

And to clarify...

This story was not broken by "Zaptastic." He just loves the press attention.

[M C]

Another non-story, hyped by security firm PR & taken at face value by CNet

If you actually understand this "exploit," you'd know that a whole chain of events would be required in order to download the "malware" (which wouldn't be "malware" at all in the trash-your-Windows-computer sense).

Couple that with the fact that Apple historically fixes these problems about 10 times faster than Microsoft, and it's a non-issue for Apple users themselves.

Makes for a lot of fodder for haters, though. ;-)

[M C]

And to clarify...

This story was not broken by "Zaptastic." He just loves the press attention.

How many Apple users even know chmod?

You get the ******* post of the day award.

The VAST MAJORITY of Apple users have no idea what chmod even is, let alone how to use it.

If this same situation were to arise on Windows, everyone would be all over MS for this "security hole", yet when it happens to beloved Apple it's a "chicken little" story.

Hypocrites.

...or use Finder

Use "get info" in Finder to change file permissions... Anyone can do
that.

CHMOD

As in my earlier post, there really is no issue. But I know how to
use chmod, I have a few times...