Widgets of Mass Destruction?

thornysarus's picture

In the haze of post Tiger explosion, Macworld reports a potential vulnerability in Safari.

Macworld reports:
A new Web page documents an issue with Mac OS X v10.4 Tiger’s new Dashboard feature that, left unchecked, could potentially be exploited by malware developers, according to the page’s author. The exploit is described and demonstrated on a page called Zaptastic: Blueprint for a widget of mass destruction. Going by the nom de plume of Stephan.com, the author has described how Safari 2.0’s default preference settings could lead users to unwittingly download and install a Dashboard widget.

Ivan's picture

I do think this is a threat

I do think this is a threat for novice users but not more than downloading and running an application or script that is intended to run any malicious code. If you don't know what you're downloading, of course there is a danger that it might not be what you think it is. If we call this a threat and go down this route, we may as well call the human intellect a threat itself, because there might be a site which tells you something like: "To speed up your machine you need to cool the CPU. The best way to do it is by pouring cold soda through the front holes of your G5."
There is not much difference between a widget hack pouring virtual soda and a verbal hack convincing you to pour real soda into your machine. Both build on humans believing false information. The fact that the widget downloads and installs automatically makes no difference from any other downloads. Because if you click on a download button you do that with the intention of actually running it anyway.

thornysarus's picture

Good point...

So where are we supposed to pour the soda again? And is diet cola ok? Will this work with a G4? ;)

Terry Thornhill

e-zign Design Group

phatcactus's picture

Somewhat different.

The point here is that someone can pour that soda into your G5 without even telling you, and you most likely won't even notice until you open the Dashboard (and by then it might be too late).

Self-installing apps are a very, very scary thing (see Windows). Bad move, Apple.

pompo's picture

I can't believe Apple is doing this sh%t!

Self-installing apps?

Haven't they learned enough watching windoze??

_P_o_m_p_o _M_u_l_t_i_m_e_d_i_a
http://www.pompo.com
=============================================
You will know fear...Then you will know pain.
Then you will use a Mac.

Adam Sadaka's picture

Ugh, this is just the

Ugh, this is just the beginning. Whether you believe it or not, nothing is perfect, especially hand-coded operating systems. With the Mac mini, many people are making the switch to OSX, a foreign world, making it real easy for hackers to come in and seize the day. There are holes in the OS, just people don't exploit them.

Tigerstorm's picture

Friend of mine..

Went to this page, and all of a sudden the widgets were downloaded and went straight into the folder and overwrote the original widgets..

Next time he used the calculator in Dashboard he got a message that his Documents folder was erased.. and it was..

Damn ppl..

Ian's picture

Ha, I couldn't be gladder

I've never been a fan of Apple (or Microsoft) making little Music and Documents folders for me, preferring to create my own organizational system. Aside from the few oversights, my Documents folder remains virtually empty.
Of course this lends nothing to the conversation, so...Sorry to those people who've lost work. Hopefully someone can stop this.

ekko's picture

Um....

Well on one note you can easily disable the auto install feature in Safari's preferences.

Safari>Preferences>General> Uncheck the box for "Open Safe Files After Downloading".

Widgets however should ask you the first time you run it if you want to do so. This is an interesting dilemma and problem for Apple to fix =P. Another issue is that widgets are not confined to js, css, xhtml etc.. you can embed cocoa code in them thus increasing their good and their bad powers. Was/is this an issue with konfabulator as well?

PPS: Widgets are also very easy to disable and remove.

JimD's picture

Let's bottom-line this...

Mac OSX is the LEAST secure system ever created. That's a FACT.

ANYBODY who has an install CD can change the root password (or create one) and completely hose your system. They have free rein on your entire system. This fact alone makes any discussion about security a moot point.

That being said, most Mac users are a bit more "techie" than your average Windows user. By that I mean, they are more willing to "explore" their computer, and they learn the OS much more so than our Windows-using counterparts.

Your *average* Windows user is content to know how to turn the machine on, launch the web browser and email app and nothing more. They barely know how to change the time setting on the clock, let alone install software.

Given those statements, I don't see this widget security hole as a real threat/problem at all. Especially since the vast majority of Mac users STILL aren't using Safari.

Get your fix of design software tips, tricks & commentary.

Anonymous's picture

10 immutable laws of security

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Did you know with redhat if you reboot the computer and give a simple flag to the loader, you log in as root without a password? Did you know in windows (XP, 2003S, 2000) you can boot and erase the SAM without the OS CD? Did you know you can hit the ESC key in Windows 95-98 and skip a password altogether? Sorry, but the example you give proclaiming OSX as quite factually the least secure system is extremely poor.

The widget issue speaks more to this:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

The issue here is that the bad guy can run the program without your permission using default settings. This is bad.

I recommend all either remove this check in Safari or change permissions on your /Library/Widgets and ~/Library/Widgets folders to remove ugo write permissions.

Also, a very great number of Mac users are using Safari as their only browser. Look it up. Web stats don't lie.

FYI http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
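
The folder-permission change recommended in the comment above, as an added shell example that is not part of the original thread. It only reports on the two widget folders named in the comment; the function names are made up for this example, and `lock_widget_dir` has to be called explicitly to apply the change.

```shell
#!/bin/sh
# Added example: audit a Dashboard widget folder and strip write permission.
# Mode bits are parsed from `ls -ld` so it behaves the same on BSD/macOS and GNU.

# Succeeds if the user, group or other write bit is set on directory $1.
is_writable_by_anyone() {
    mode=$(ls -ld "$1" | awk '{print substr($1, 1, 10)}')   # e.g. drwxr-xr-x
    case "$mode" in
        ??w???????|?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the name of every *.wdgt bundle directly inside directory $1.
list_widgets() {
    for w in "$1"/*.wdgt; do
        if [ -d "$w" ]; then basename "$w"; fi
    done
}

# Print "missing", or "<writable|locked> <number of widgets>" for directory $1.
audit_widget_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then echo "missing"; return 0; fi
    if is_writable_by_anyone "$dir"; then state=writable; else state=locked; fi
    echo "$state $(list_widgets "$dir" | wc -l | tr -d ' ')"
}

# Remove user/group/other write permission, as the comment recommends.
lock_widget_dir() {
    chmod ugo-w "$1"
}

# Report only; call lock_widget_dir on a folder to apply the change.
for d in /Library/Widgets "$HOME/Library/Widgets"; do
    echo "$d: $(audit_widget_dir "$d")"
done
```

A locked folder also refuses widgets you install on purpose until write permission is restored with `chmod u+w`, and the owner of the folder can always restore it.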

pompo's picture

that don't matter..install CD??

We talking about network security...
Anybody with a key to your safe can rob your jewels then...

This is new to me OSX the least secure???
So windoze would be more secure??

Can I have some of your good smoking treats? :)

_P_o_m_p_o _M_u_l_t_i_m_e_d_i_a
http://www.pompo.com
=============================================
You will know fear...Then you will know pain.
Then you will use a Mac.

lascurettes's picture

But everyone has the key to my safe!

I think that Jim's point was that everyone's "safe" has the same "key" to open it, namely an install CD. Anyone with an install CD can "open" your Mac.

I think the only way around this is to firmware protect your computer, but I'm not sure whether this does or doesn't protect it from the CD Installer. I believe that it _should_ work though.

coded's picture

Agreed, least secure if

Agreed, least secure if you're physically at the computer with an install CD/DVD maybe, but the exact same thing can be done with Windows.

The firewall on OSX is turned on by default whereas on Windows it's turned off by default. OSX's Network security is 1000x better than Windows, especially because root access is turned off by default. If a malicious script wanted to do something horrible to someone's computer it would need to ask for permission and the user would need to enter their password. Social engineering could take care of that but savvy users are 99.9% immune.

Rev. Mitcz's picture

Solutions on the way..

The "auto-install" is simply a feature of Safari, a simple click of a checkbox disables that. Hell, it should be disabled anyway, methinks.

As for disabling widgets without a trip to the Terminal, this is a free and easy way to do just that :
Widget Manager

Seems like a lot of hooey over nothing. But then.. I suppose there COULD be more issues arising, in time.

pompo's picture

network security

so...if the same thing can be done with an install cd on OSX and windoze we covered that aspect of security...when you're physically there ok?

Now what's left is network security...and is OSX still the least secure??
Please!

_P_o_m_p_o _M_u_l_t_i_m_e_d_i_a
http://www.pompo.com
=============================================
You will know fear...Then you will know pain.
Then you will use a Mac.

Tigerstorm's picture

Small tip

I've just installed a widget manager =)

Find out more here: http://www.downtownsoftwarehouse.com/WidgetManager/
