Widget security worries dog Apple

Though Apple Computer updated its latest OS this week to solve a security problem with widgets, worries persist that the small applications still pose a potentially serious risk.

Widgets, or small programs that automatically install after downloading, were introduced in Tiger for the Dashboard, which overlays the desktop. An attacker could write a malicious widget for Mac OS X 1.4 Tiger that would run invisibly in the background and hijack a user's "sudo," or administrative, privileges on a system, according to an alert distributed on the Full Disclosure mailing lists late Wednesday. With administrative privileges, the attacker would have full control over the targeted Mac.

On Monday, Apple published the Mac OS X 10.4.1 update to fix an earlier security issue related to the widgets. Before the patch, widgets would download and install without warning. Patched machines display a box that asks the PC user to confirm a download but don't tell the user that the confirmation also triggers installation of the widget.

While the patch mitigates the risk, security issues remain with widgets, according to Jonathan Zdziarski, a software engineer and author of Wednesday's Full Disclosure posting.

"Those widgets should never be allowed to get administrative access on the system," Zdziarski said in an interview. "Apple has taken sort of the Microsoft stance with widgets, in that it is one of the few tools that is completely built into the operating system."

Zdziarski is also unhappy with how the Mac maker addressed the previous widget problem. It should be clear to users that a widget is not only being downloaded, but also installed, he said. "They terribly misworded that button. When I click 'download,' I expect to just download it. In fact, the widget is installed."

A malicious widget, after it is installed, can run in the background and wait until a time when the user logs in as administrator. It can then hijack those credentials to deliver its payload, Zdziarski said. The action could be anything from wiping a hard drive to sending the attacker the victim's list of usernames and passwords on Apple's Keychain tool, he said.

For a user to fall victim to a malicious widget, the application first needs to be installed on a Mac. That required user interaction disqualifies it as a security vulnerability, according to several responses to Zdziarski's posting on Full Disclosure.

Apple is encouraging developers to create new widgets and its Web site already lists 209 of them. Widgets are also available elsewhere on the Web.

For protection, users should download widgets only from trusted Web sites, Zdziarski suggests.

Apple declined to comment for this story.

[HawaiiBob]

Widget Security

There was a solution to the security issue that was posted at
macfixit.com. You simply set up a folder action that alerts the user
when a widget is placed in the widget folder. If you check this
widget before opening dashboard and remove it if it something you
don't want. There should be no problem. All it takes is setting it
up. A couple of software downloads were mentioned to deal with
the problem. Thanks and much aloha.

[HawaiiBob]

Widget Security

There was a solution to the security issue that was posted at
macfixit.com. You simply set up a folder action that alerts the user
when a widget is placed in the widget folder. If you check this
widget before opening dashboard and remove it if it something you
don't want. There should be no problem. All it takes is setting it
up. A couple of software downloads were mentioned to deal with
the problem. Thanks and much aloha.

Ok, this guy

This guy wants the OS to prompt the person when the download
starts and when the installation happens. Doesn't he know that
these prompts will be within seconds of eachother, which makes
the second one pointless. Because the security issue was that a
widget would download and install without a prompt as soon as
a person went to a website. I hope the user is smart enough
that when they visit a site, and it just all of a sudden prompts to
download something, that they question it and say no.

[Andrew J Glina]

Actually

I think he wants the notification to say "Download and Install" or just "install". Even so, I think that this whole issue, like many security issues, are overratted. Unless a computer can be compromised by the user doing nothing at all, then often is is just common sense.

Ok, this guy

This guy wants the OS to prompt the person when the download
starts and when the installation happens. Doesn't he know that
these prompts will be within seconds of eachother, which makes
the second one pointless. Because the security issue was that a
widget would download and install without a prompt as soon as
a person went to a website. I hope the user is smart enough
that when they visit a site, and it just all of a sudden prompts to
download something, that they question it and say no.

[Andrew J Glina]

Actually

I think he wants the notification to say "Download and Install" or just "install". Even so, I think that this whole issue, like many security issues, are overratted. Unless a computer can be compromised by the user doing nothing at all, then often is is just common sense.

Many elements in this article are simply not true.

First, Widgets don't get administrative permissions by
themselves. WIDGETS ARE JUST LIKE ANY OTHER APPLICATIONS
the sudo exploit has nothing to do with widgets. Unlike many
Windows boxes that constantly run in admin mode, OS X will
only get admin for a few seconds when the sudo command is
used. Casual users don't use sudo anyway.

Second, while widgets are moved to the Widget folder if
someone has the default "open safe files", and that after a
warning, NO CODE WILL RUN UNTIL THE USER CLICKS OR DRAG
THE WIDGET OUT OF THE WIDGET BAR. This is not much
different than any application downloading itself to the desktop.
Installing does not equal running, and the article is really not
confusing about that.

Third, widgets are running in a "built-in" way, just like
applications run in a built-in way in any OS. This is nothing
extraordinary. The only difference is that with the "open safe
files" options, the Widgets are being moved to the widget bar
while Applications are moved to the desktop. Just to be sure you
understand: Neither can run code until the user clicks on the
Widget/Application Icon.

As for the recommendation: "users should download widgets
only from trusted Web sites". The same should apply to
applications, it has nothing to do with widgets being moved to
the widget folder in some cases.

[bbatsell]

I find it hilarious

...that this "security researcher" got featured in yet another bogus
CNET article without even knowing how the operating system he's
complaining about works. But so be it - FUD is what CNET thrives
on and always has. I would say that their editors are simply
clueless, but I know that this is untrue. They're smarter than most
and know that this type of journalism gets them the most
advertising revenue. They see no need for journalistic integrity
anymore.

[Steve Bryan]

Perfect security?

Something that I don't think I've ever read in a security related article is a critique of a "higher level of security". For example, it could be argued that only allowing cryptographically signed code run would largely eliminate most exploits. But it can also be argued that this "solution" would be worse than the problem.

So when articles, like this one, implicitly suggest a higher level of security should be provided they are making the unfounded claim that any method for obtaining this higher level is justified.

It was a mistake for Apple to allow widgets to download unnoticed from web sites and they have corrected that error. Unless someone can demonstrate how this code mysteriously obtains root access invisibly I have to consider this article yet another example of Cnet FUD. The editors would do well to review the story of "The Boy Who Cried Wolf".

Many elements in this article are simply not true.

First, Widgets don't get administrative permissions by
themselves. WIDGETS ARE JUST LIKE ANY OTHER APPLICATIONS
the sudo exploit has nothing to do with widgets. Unlike many
Windows boxes that constantly run in admin mode, OS X will
only get admin for a few seconds when the sudo command is
used. Casual users don't use sudo anyway.

Second, while widgets are moved to the Widget folder if
someone has the default "open safe files", and that after a
warning, NO CODE WILL RUN UNTIL THE USER CLICKS OR DRAG
THE WIDGET OUT OF THE WIDGET BAR. This is not much
different than any application downloading itself to the desktop.
Installing does not equal running, and the article is really not
confusing about that.

Third, widgets are running in a "built-in" way, just like
applications run in a built-in way in any OS. This is nothing
extraordinary. The only difference is that with the "open safe
files" options, the Widgets are being moved to the widget bar
while Applications are moved to the desktop. Just to be sure you
understand: Neither can run code until the user clicks on the
Widget/Application Icon.

As for the recommendation: "users should download widgets
only from trusted Web sites". The same should apply to
applications, it has nothing to do with widgets being moved to
the widget folder in some cases.

[bbatsell]

I find it hilarious

...that this "security researcher" got featured in yet another bogus
CNET article without even knowing how the operating system he's
complaining about works. But so be it - FUD is what CNET thrives
on and always has. I would say that their editors are simply
clueless, but I know that this is untrue. They're smarter than most
and know that this type of journalism gets them the most
advertising revenue. They see no need for journalistic integrity
anymore.

[Steve Bryan]

Perfect security?

Something that I don't think I've ever read in a security related article is a critique of a "higher level of security". For example, it could be argued that only allowing cryptographically signed code run would largely eliminate most exploits. But it can also be argued that this "solution" would be worse than the problem.

So when articles, like this one, implicitly suggest a higher level of security should be provided they are making the unfounded claim that any method for obtaining this higher level is justified.

It was a mistake for Apple to allow widgets to download unnoticed from web sites and they have corrected that error. Unless someone can demonstrate how this code mysteriously obtains root access invisibly I have to consider this article yet another example of Cnet FUD. The editors would do well to review the story of "The Boy Who Cried Wolf".

[SNGecko]

Ha, ha, ha!

From the title, I thought this article was a satire. I usually
reserve my infantile outbursts within the walls of my garage, but
this time the scribbler (I was going to say, writer; but that
seemed too strong) of this so-called article could use a simple
guffah!

Obviously, never install an application (yes, this is what a widget
is) unless you know exactly who authored it and whether or not
you trust them. I still use MS Office products, so my security
standards must be pretty low.

[SNGecko]

Ha, ha, ha!

From the title, I thought this article was a satire. I usually
reserve my infantile outbursts within the walls of my garage, but
this time the scribbler (I was going to say, writer; but that
seemed too strong) of this so-called article could use a simple
guffah!

Obviously, never install an application (yes, this is what a widget
is) unless you know exactly who authored it and whether or not
you trust them. I still use MS Office products, so my security
standards must be pretty low.

[Earl Benser]

Another solution....

I disabled Dashboard and eliminated Apple's versionof Widgets.
Dashboard is nothing more than a rip-off of Konfabulator, so why
bother with Dashboard when Konfabulator has more and better
Widgets????

Ol' Bill can get away with 'innovation', Apple should be a more
honest company.

[bbatsell]

How about

you only post when you know what you're talking about.

Does that sound like a plan?

Hint: Look up "Desk Accessories".

[Earl Benser]

Another solution....

I disabled Dashboard and eliminated Apple's versionof Widgets.
Dashboard is nothing more than a rip-off of Konfabulator, so why
bother with Dashboard when Konfabulator has more and better
Widgets????

Ol' Bill can get away with 'innovation', Apple should be a more
honest company.

[bbatsell]

How about

you only post when you know what you're talking about.

Does that sound like a plan?

Hint: Look up "Desk Accessories".

[mortis9]

internet explorer

internet explorer, and firefox for that matter, prompts the user both to download and again to install. It defaults to not install. Just another useful tool from the chaps in redmond. Perhaps apple could learn a thing or two.

Perhaps they should warn users 5 times to be sure?

What's the use of warning users 2 times about the same action?

Safari warns you that you are downloading an application, with
an option to cancel... isn't that enough?

You shouldn't download apps from untrusted sources, period. If
you accept to download a widget, it's because you want to use
it...Why should there be another prompt?

One last time (read slowly)... Widgets are moved to the ~/
Library/Widgets/ folder, and they -cannot- run any code until
the user decides to click on them or drag them out the widget
bar. Simply activating Dashboard -doesn't- make it run newly
added Widgets, and that until the user decides to makes them
active.

The second prompt you are referring exists in Windows because
if you click yes, --code in the downloaded programs could be
executed--, and that's not the case with widgets in OS X as I just
explained.

On Mac OS X, (in Safari, FireFox and even Internet Explorer)
there is no way to make code in a downloaded file to execute or
install in a way it could execute without user intervention just by
clicking a button in a prompt (and neither by any other means
from inside the browser). Perhaps it's MS that should learn a few
things from Apple...

[mortis9]

internet explorer

internet explorer, and firefox for that matter, prompts the user both to download and again to install. It defaults to not install. Just another useful tool from the chaps in redmond. Perhaps apple could learn a thing or two.

Perhaps they should warn users 5 times to be sure?

What's the use of warning users 2 times about the same action?

Safari warns you that you are downloading an application, with
an option to cancel... isn't that enough?

You shouldn't download apps from untrusted sources, period. If
you accept to download a widget, it's because you want to use
it...Why should there be another prompt?

One last time (read slowly)... Widgets are moved to the ~/
Library/Widgets/ folder, and they -cannot- run any code until
the user decides to click on them or drag them out the widget
bar. Simply activating Dashboard -doesn't- make it run newly
added Widgets, and that until the user decides to makes them
active.

The second prompt you are referring exists in Windows because
if you click yes, --code in the downloaded programs could be
executed--, and that's not the case with widgets in OS X as I just
explained.

On Mac OS X, (in Safari, FireFox and even Internet Explorer)
there is no way to make code in a downloaded file to execute or
install in a way it could execute without user intervention just by
clicking a button in a prompt (and neither by any other means
from inside the browser). Perhaps it's MS that should learn a few
things from Apple...