Mac OS X 10.4 (Tiger) #13: More on malicious Widget installation; Widget memory usage; CD/DVD burn problems, solutions; more

CNET staff

More on malicious Widget installation

Yesterday we reported on an issue, originally detailed at Stephan.com, in which Apple's default setup of Safari and the Dashboard Widget delivery scheme allows potentially malicious Widgets to be installed without the user's knowledge.

The scenario goes like this:

You click on a seemingly innocuous link, and view the resulting page's content. Meanwhile, a meta tag embedded in the page (META HTTP-EQUIV="Refresh") downloads a Widget in the background, and Safari -- which is, by default, set to automatically open "trusted" files, including Widgets -- quietly places the newly downloaded Widget in the ~/Library/Widgets folder. The next time you access Dashboard, the Widget is loaded in the Dashboard storage bar, and accessed when you click it or drag it out of the bar. The only indication in Safari that this process is happening is a generally unnoticeable refresh of the URL address bar.

There has been some debate about how much damage Widgets installed in this fashion can actually do to your system. Theoretically, any Widget that requests system access will require a user prompt ("Are you sure...") before gaining access -- in itself not a tremendous security measure for average users. However, some reports have suggested that there are Widgets with means to system access that don't require administrator or individual user authentication.

There is also another threat that doesn't involve damage of data, but can result in hogging of system resources. Widgets have been known to be extremely memory intensive in some cases (see section below on Widget memory usage), and the presence of many extra Widgets installed without the user's knowledge can result in an otherwise inexplicable system slow-down.

Until the true threat can be further explored, there are some initial measures you can enact that will seal out this vulnerability for the time being:

Turn off "Open 'safe' files after downloading"

First and foremost, turn off the option to "Open 'safe' files after downloading" in Safari's preferences (under the "General" tab).

After unchecking this option (which is turned on by default, a potential security lapse on Apple's part), Widgets adhering to the aforementioned "exploit" will simply be downloaded to the location designated in Safari's preferences, requiring the user to double click them or drag them to the ~/Library/Widgets folder for installation.

It goes without saying that you should not manually install any Widget that is not from a trusted source.

Use Little Snitch

To check for potentially malicious activity from Widgets that have already been installed, use a utility like Little Snitch. After installing this utility, when a Widget tries to establish a network connection, Little Snitch intercepts the attempt and brings up an alert panel giving you all the connection details, including the name of the application that initiated the connection. You can then choose to allow the connection, to deny it, or to add a permanent rule for similar future connections.

Use Folder Spy

A small utility called Folder Spy can alert you when changes are made to a specific folder in Mac OS X. Set this utility to monitor your ~/Library/Widgets folder. Then, when an alert appears, check the folder and remove the added Widget(s) if necessary before launching Dashboard again. Remember, for a Widget to take any malicious action, you must access Dashboard after it is placed in the ~/Library/Widgets folder (the root /Library/Widgets folder is for Apple-installed Widgets only).
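The same folder check can be scripted. The following is an added example, not code from the article or from Folder Spy: it lists the Widgets in ~/Library/Widgets, reports any that were not present on the previous run, and shows which access keys each one sets in its Info.plist. The key names come from Apple's Dashboard documentation rather than from this page, and the baseline file location is a hypothetical choice.

```python
import json
import os
import plistlib

# Dashboard Info.plist keys that widen what a Widget may do
ACCESS_KEYS = ("AllowFullAccess", "AllowSystem", "AllowNetworkAccess",
               "AllowFileAccessOutsideOfWidget", "AllowInternetPlugins",
               "AllowJava")


def scan_widgets(folder):
    """Map each *.wdgt bundle in `folder` to the access keys it sets to true."""
    found = {}
    if not os.path.isdir(folder):
        return found
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".wdgt"):
            continue
        # Widget bundles keep Info.plist at the top level of the bundle
        plist_path = os.path.join(folder, name, "Info.plist")
        try:
            with open(plist_path, "rb") as fh:
                info = plistlib.load(fh)
            found[name] = [k for k in ACCESS_KEYS if info.get(k) is True]
        except Exception:
            # Missing or malformed Info.plist: report it instead of skipping
            found[name] = ["<unreadable Info.plist>"]
    return found


def new_since(baseline_names, current):
    """Return the Widgets present now that are not in the recorded baseline."""
    known = set(baseline_names)
    return {n: keys for n, keys in current.items() if n not in known}


if __name__ == "__main__":
    folder = os.path.expanduser("~/Library/Widgets")
    baseline_file = os.path.expanduser("~/.widget_baseline.json")  # hypothetical path
    current = scan_widgets(folder)
    baseline = []
    if os.path.exists(baseline_file):
        with open(baseline_file) as fh:
            baseline = json.load(fh)
    for name, keys in new_since(baseline, current).items():
        print("NEW widget:", name, "->", ", ".join(keys) or "no extra access keys")
    with open(baseline_file, "w") as fh:
        json.dump(sorted(current), fh)
```

On the first run every Widget is reported as new, because no baseline exists yet.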

Delete Widgets from the ~/Library/Widgets folder

As noted above, any user-installed Widgets should be located in the ~/Library/Widgets folder. Therefore, any files in this location can be deleted without affecting any default Apple Widgets, which are located in the /Library/Widgets folder at the root level of your Mac OS X startup volume.

Alternatively, you can use the freeware utility Widget Manager to inspect, remove, and disable Dashboard Widgets.

Widget memory usage

Widgets, though generally limited in functionality and presented as peripheral applications, can use surprisingly high amounts of RAM.

For instance, a recent check of Activity Monitor on an in-house test Mac OS X 10.4 system with 640 MB of RAM installed revealed the following real memory usage for some of Apple's default Widgets:

  • Stocks DashboardClient: 19.23 MB
  • Weather DashboardClient: 18.55 MB
  • Calendar DashboardClient: 13.11 MB

These figures do not change significantly when the Widgets are in active use (fluctuating by 2-3 MB), indicating that the drain on system resources takes place consistently, as long as Dashboard is an active item in the Dock.

At least initially, this should not be a cause for major concern. Mac OS X has advanced methods of dealing with memory usage from such applications, and the figure reported by Activity Monitor merely represents the requested memory for a specific process, which can be lessened when other processes request memory.

If, however, you are experiencing significant system slow-down that can be realistically attributed to Widgets, you can end all Widget processes by temporarily killing the Dock. This can be accomplished by opening Activity Monitor (located in Applications/Utilities) and looking for the "Dock" process, then clicking the "Quit Process" button.

This will end all currently running Widget processes, which will not be re-activated until you again click the Dashboard icon and re-display active Widgets.

This process can also be accomplished with the Widget Manager freeware utility.

CD/DVD burning issues, solutions

We continue to cover issues with burning CDs and DVDs in Mac OS X 10.4 (Tiger).

The first issue, as previously noted, is that Mac OS X 10.4 no longer creates temporary backups of the data that is being burned to media. This saves time, but also results in more failed burns and other problems.

This can be worked around by holding down the "Option" key while you are dragging files to the media for burning. This will create an on-the-fly copy, eliminating some of the aforementioned burn-error problems.

The second issue is that, for many users, Tiger will provide the error message "The disc cannot be used because the disc drive is not supported. (Error Code 0x80020025)" when a blank disc is inserted.

Some users have reported that they can work around this issue by inserting the CD, allowing the error message to pop up, then force quitting the Finder (either via the Apple menu "Force Quit" option, or by holding down the "option" and "control" keys in tandem, clicking on the Finder icon in the Dock and selecting "Relaunch"). After relaunching the Finder, some users report that the media shows up appropriately and can be successfully recorded.

More on SCSI fix -- restart required

Last week we also noted that removing the following files from the /System/Library/Extensions folder will resolve most Adaptec SCSI-related issues, but also break functionality of the installed card:

  • Adaptec290X-2930.kext
  • Adaptec29160x.kext
  • Adaptec39160.kext
  • Adaptec78XXSCSI.kext

We then reported that putting just one of these files (Adaptec78XXSCSI.kext) back into the /System/Library/Extensions folder allows proper SCSI operation while potentially eliminating other conflicts.

However, as noted by several readers, a restart may be required after performing this process.

MacFixIt reader Milo writes:

"After putting back Adaptec 78XXSCSI.Kext to system, Extension folder, after taking out, restarted, still didn't work until I ran Disk Utility, restarted, and my Epson scanner worked again, with Tiger."

Sound Effect inconsistencies

MacFixIt reader Drew Saur reports some inconsistencies in Mac OS X 10.4's alert sound functionality for which we are seeking confirmation:

"I have been having lots of inconsistencies when it comes to sound effects in Tiger; this seems to have to do with fast user switching. After the machine has been up and running, sound effects on each account play sporadically (whether from the Finder, Mail, iChat, etc). Apple's own forums have discussions going about this issue already.

"However, I have also found something that does not appear to have been reported elsewhere: in my 'Sound' preference pane, the 'Play alerts and sound effects through' popup is disabled, and I can't do anything about it, even if I am using my administrative account."

We have noticed similar behavior in-house: an inability to select any options from the "Play alerts and sound effects through" menu selection.

Resources

  • Little Snitch
  • Folder Spy
  • Widget Manager