|
|
Widget auto-install = huge security hole?
|
|
|
|
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Status:
Offline
|
|
Warning: the following link will auto-download a widget that will then auto install:
http://stephan.com/widgets/zaptastic/
It kills all the widgets in ~/Library until you trash it. Just from clicking a URL.
Discuss.
|
When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status:
Offline
|
|
First, nothing happend automatically, probably because I have opening of "safe" files turned off in Safari.
Second, when one first starts a widget (including this one) Dashboard asks whether you want to allow this. This can be declined.
It you unpack, double-click and allow to run a widget when asked, then there's nothing the system can do any more. It would be like any other trojan application (the OS doesn't even ask for applications in fact).
So don't download and run anything from a source you don't trust.
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Status:
Offline
|
|
Lotsa default installs out there, and lotsa users that don't know to change the prefs. Did you read the whole page?
I've got a default install of 10.4 going here, and I didn't get asked about allowing the widget to start on any of the extras I've downloaded. This needs to be turned off by default at least. Think about it: a default install will auto-download in the background, then auto-install an app that can run command-line stuff. I don't see how a widget might be written that would do sudo-type damage, but his points about pron pop-up type things, and maybe trashing home folders seems possible. It can certainly be used to take control of a browser.
|
When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
|
|
|
|
|
|
|
|
Grizzled Veteran
Join Date: Oct 2001
Location: Michigan
Status:
Offline
|
|
|
Pismo 400 | Powerbook 1.5 GHz | MacPro 2.66/6GB/7300GT
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Status:
Offline
|
|
Originally Posted by TETENAL
So don't download and run anything from a source you don't trust.
Also note that the download was initiated by merely clicking a link that didn't present itself as being linked to a file.
|
When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Nov 1999
Status:
Offline
|
|
Dear God; it's ActiveX all over again.
No, I'm serious. The whole reason ActiveX is so insecure is that Microsoft insists on auto-opening executable code in the name of convenience. If Apple has made that same mistake, then we are well and truly screwed. The only way to close this hole is to remove the feature. Not just "make it an option"; completely remove it.
This is what I was worried about when I first heard about Dashboard using WebCore. I really hoped that Apple would have learned from the ActiveX debacle, but it seems I was wrong to assume that. Well, that settles it; I can no longer recommend Safari to anyone.
|
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Nov 1999
Status:
Offline
|
|
Originally Posted by chris v
Warning: the following link will auto-download a widget that will then auto install:
http://stephan.com/widgets/zaptastic/
It kills all the widgets in ~/Library until you trash it. Just from clicking a URL.
Discuss.
Spread this far and wide, Chris. Tiger hasn't been out for long, so there's still a chance we can get Apple to remove the auto-install feature before too many users clamor for its inclusion due to 'usability' 'advantages'. In fact, I think I'm going to post this link to a few places, if you don't mind.
|
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status:
Offline
|
|
Originally Posted by Millennium
The only way to close this hole is to remove the feature. Not just "make it an option"; completely remove it.
Disable "Open 'safe' files" in Safari and the widgets are not installed automatically. Before a widget is run the first time Dashboard asks. No widget is run automatically without user interaction.
Of course widgets may be trojans. Just like any other application may be. That's hardly a surprise.
|
|
|
|
|
|
|
|
|
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Status:
Offline
|
|
Why would they do that! It's just silly. There should be:
1) A scary warning.
2) You should physically have to move the widget to the widget library (or have a big scary screen saying "You have downloaded a widget that could contain malicious code. etc. etc."
Just silly IMHO.
|
|
|
|
|
|
|
|
|
Mac Elite
Join Date: Sep 2000
Location: in front of the keyboard
Status:
Offline
|
|
You guys didn't hear?
They're moving to signed widgets, and you have to buy a Widget Developer's License from Apple get a widget signing key.
|
signatures are a waste of bandwidth
especially ones with political tripe in them.
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Nov 1999
Status:
Offline
|
|
Originally Posted by TETENAL
Disable "Open 'safe' files" in Safari and the widgets are not installed automatically. Before a widget is run the first time Dashboard asks. No widget is run automatically without user interaction.
Not good enough, because people can leave that feature on.
Of course widgets may be trojans. Just like any other application may be. That's hardly a surprise.
You don't understand; the point is that this misfeature gives widgets a mean to self-spread. What could have been a simple Trojan can become a true worm if this feature is allowed to remain in place.
|
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status:
Offline
|
|
Originally Posted by Millennium
You don't understand; the point is that this misfeature gives widgets a mean to self-spread. What could have been a simple Trojan can become a true worm if this feature is allowed to remain in place.
Widgets can not "self spread" because Dashbaord asks the user whether they are allowed to run when they are run the first time. They can only spread with the explicit allowance of the user.
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Status:
Offline
|
|
Originally Posted by TETENAL
Widgets can not "self spread" because Dashbaord asks the user whether they are allowed to run when they are run the first time. They can only spread with the explicit allowance of the user.
I repeat: I have never yet had Dashboard ask me about letting any widget do anything. If I put them on the dashboard, they run. Maybe my install is weird? Here's what I did when I saw that link:
1. I clicked on the link. period.
2. When I hit F12, I had me a new widget. Yes, I then had to drag it out of the widget dock, but then I got no further warnings.
This was on a DEFAULT os 10.4 UPGRADE. from 10.3.8.
I can see having Safari allow an unstuff or disk-image mount, but apparently, with this widget business, there's more than that going on, if by merely clicking a link, the thing gets installed with no further interaction. It's getting unzipped, and placed in a directory from which it can do its business.
YES, I KNOW ABOUT THE PREF TO TURN OFF "OPEN SAFE FILES AFTER DOWNLOADING." THAT IS NOT THE POINT. IT IS NOT ONLY ON BY DEFAULT, BUT SOMETHING MORE IS HAPPENING HERE WITH THE WIDGET BESIDES SIMPLY UNZIPPING. Sorry for yelling, but I don't seem to have gotten that through yet.
And also, yes, there is not an obvious way for these things to vector from machine to machine that I can see. It's still a security hole, whether or not it's a virus.
Here's the possible scenario:
1. A user clicks an apparently innocuous link that unbeknownst to them installs a widget that looks exactly like the weather widget.
2. User launches Dashboard and drags the wrong Weather widget onto the desktop.
3. Bad things happen.
This is a security hole, as far as I'm concerned.
(
Last edited by chris v; May 7, 2005 at 09:44 PM.
Reason: I still can't type.)
|
When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
|
|
|
|
|
|
|
|
Posting Junkie
Join Date: Dec 2000
Status:
Offline
|
|
I've got the same experience as chris v; most widgets that I've downloaded haven't asked me anything. The exceptions have been when the app contained a binary code, shell script, or the like inside the widget bundle. Then, I get that standard "This archive contains an application" warning. So I guess the question is, is a Dashboard widget able to run any utility like rm -rf without the aid of a bundled app? From a cursory glance at the documentation, it looks as if it is. That's bad.
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status:
Offline
|
|
Originally Posted by TETENAL
Widgets can not "self spread" because Dashbaord asks the user whether they are allowed to run when they are run the first time. They can only spread with the explicit allowance of the user.
This is exactly the same way that Internet Explorer is abused to download viruses, spyware and other malicious stuff onto a user's Windows system, and a good 90% of users just click yes when asked about whether they want to run the executable or not BECAUSE THEY DON'T KNOW BETTER, just like the majority of Mac users. This is a major vulnerability and I encourage everybody to post feedback to [email protected] about this.
It really pisses me off sometimes that Apple releases major OS versions with bad bugs in them. The firewire bug in 10.3.0 was the same thing: lack of sufficient beta testing and quality control.
|
weird wabbit
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status:
Offline
|
|
Originally Posted by TETENAL
Widgets can not "self spread" because Dashbaord asks the user whether they are allowed to run when they are run the first time. They can only spread with the explicit allowance of the user.
Dashboard only asks `are you sure?' for widgets that request system access -- the ones that could potentially delete your home folder. Ordinary widgets that just display stuff don't get the confirmation dialog. However, that page demonstrates a `safe' widget that renders Dashboard useless. Oops.
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status:
Offline
|
|
Listen, chris, there is absolutely no need of shouting. This was just lack of extensive testing on my side before composing my replies.
Of course I have set the "Open 'safe' files after downloads" turned off. When downloading the widget like this it simply downloads the ZIP-archive which expands the widget to the desktop when double-clicked. If you then launch the widget on the desktop by double-clicking, Dashboard asks you whether you would like to allow this widget to be run.
So now I turned "Open 'safe' files" on temporarily and downloaded the widget again. This time the widget was automatically installed, appears in the Dashboard-dock and when clicked Dashboard does not ask whether this wiget may be run or not.
This is indeed a bad thing.
The widget still can not run without user interaction (the user has to click it in the Dock first). However with the automatic installing, the user might not notice that a widget had been installed by a dubious web site, and the widget might stay installed for a long time. After a long time the user might not be suspicious of an additional icon in the Dashboard-dock esspecially if it has the same icon as one of the built in widgets.
I therefore form the opinion that Apple should get rid of the automatic installation by Safari. Instead Dashboard should offer a comfortable way for the user to add and remove widgets from the Dashbaord-dock by hand.
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status:
Offline
|
|
Originally Posted by theolein
This is exactly the same way that Internet Explorer is abused to download viruses, spyware and other malicious stuff onto a user's Windows system, and a good 90% of users just click yes when asked about whether they want to run the executable or not BECAUSE THEY DON'T KNOW BETTER, just like the majority of Mac users.
Well, eventually you have to allow the user to run applications. What more can you do than ask whether the user wants to allow this? It's not like you can guess the good intentions of an application.
There is no technical mean to protect a user from a trojan. Therefore every user must understand and learn only to download programs from trusted surces. The people who click "Yes, please run the stuff that just downloaded from this porn site I'm surfing" are simply too stupid to consume porn. That's the bitter truth.
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status:
Offline
|
|
Originally Posted by Mithras
Dashboard only asks `are you sure?' for widgets that request system access -- the ones that could potentially delete your home folder. Ordinary widgets that just display stuff don't get the confirmation dialog. However, that page demonstrates a `safe' widget that renders Dashboard useless. Oops.
Not true. Dashboard asks for every widget that is run from outside (~)/Library/Widgets. That's the normal place of widgets to be (outside!) when they have been downloaded and unpacked.
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status:
Offline
|
|
Originally Posted by TETENAL
Well, eventually you have to allow the user to run applications. What more can you do than ask whether the user wants to allow this? It's not like you can guess the good intentions of an application.
There is no technical mean to protect a user from a trojan. Therefore every user must understand and learn only to download programs from trusted surces. The people who click "Yes, please run the stuff that just downloaded from this porn site I'm surfing" are simply too stupid to consume porn. That's the bitter truth.
The problem is, and this is true on Windows as well, that most users might not run some dubious pice of thing that they download from the net if they know that they are downloading it, but with Internet Explorer and this Dashboard hole, they very often won't know. If you read the article you'll see that quite innocuous sites can download malware widgets, and when the user looks at dashboard and sees a pretty icon there saying:"SPORTS SCORES", "SPOTLIGHT WIDGET", "NETWORK CONNECTIONS" or "HUGE TITS" the chances are pretty high that they will start it up sooner or later, and the chances are also big that they will inanely click "yes" to allow it to access the system, because they simply don't know what it is, how it got there (since they didn't consciously download it) or that it doesn't belong to the system.
|
weird wabbit
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status:
Offline
|
|
Reposted from ars:
I made a web page that silently downloads a slate full of widgets that looked just like the Apple widgets, and appeared to have the same names, but could have had malicious content:
Though again, apart from the auto-refresh "DoS" problem, you'd need the user to click `yes, okay' in order to do something like delete their home folder. On the other hand, if they think they're trying out one of the Apple widgets that they haven't used yet...
(
Last edited by Mithras; May 7, 2005 at 11:47 PM.
)
|
|
|
|
|
|
|
|
|
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Status:
Offline
|
|
Evil tracker.
|
|
|
|
|
|
|
|
|
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Status:
Offline
|
|
Originally Posted by Millennium
Spread this far and wide, Chris. Tiger hasn't been out for long, so there's still a chance we can get Apple to remove the auto-install feature before too many users clamor for its inclusion due to 'usability' 'advantages'. In fact, I think I'm going to post this link to a few places, if you don't mind.
Go check the thread in the Dashboard section on Apple's support forums.
|
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status:
Offline
|
|
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Status:
Offline
|
|
Originally Posted by alphasubzero949
Go check the thread in the Dashboard section on Apple's support forums.
It'll be interesting to see if that thread is still there in a day or two. Odds are 50/50 Apple deletes it.
|
When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
|
|
|
|
|
|
|
|
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Status:
Offline
|
|
Originally Posted by chris v
It'll be interesting to see if that thread is still there in a day or two. Odds are 50/50 Apple deletes it.
I know; but it's worth a shot.
|
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status:
Offline
|
|
Also, one should note that even a `sandboxed' auto-loaded widget can hijack and overwrite widget preferences. So you could lose your Sticky notes for example.
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Status:
Offline
|
|
At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into pemanent pr0n spazms. This would be wery bad for office workers, or teachers.
|
When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status:
Offline
|
|
Originally Posted by chris v
At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into pemanent pr0n spazms. This would be wery bad for office workers, or teachers.
Yes, it could e.g. open a web page every 10 milliseconds, * even after you've left Dashboard *, since widgets are quiescent after leaving Dashboard only if they choose to be.
|
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status:
Offline
|
|
This is really a regrettable, inexcusable vulnerability. I know OS X is a complex project, but you would think someone in management or QA would take charge and put 2+2 together before 10.4.0 shipped. This makes it apparent that Apple cannot handle the task of internal beta testing and should do wider beta testing, secrecy be damned.
|
"The natural progress of things is for liberty to yield and government to gain ground." TJ
|
|
|
|
|
|
|
|
Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status:
Offline
|
|
Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/password combinations, and then occasionally sends any found results to some server out there, need a "OK" click from a user?
Combine this with the auto-install of widgets (yes, I have "open safe files" turned on because until a few minutes ago I thought this was a nice feature) and the simplicity of creating a nice-looking inoffensive-acting widget - e.g. a widget showing my Backpack PIM or Basecamp Dashboard - I'd really like to be able to turn off Dashboard once and for all.
|
MBP 15" 2.33GHz C2D 3GB 2*23" ACD
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status:
Offline
|
|
I'm wondering why we all did not see this coming before. I don't mean to come off as an alarmist, but the type of scenario workerbee is describing is within the realm of possibility. Dashboard blurs the distinction between untrusted web content and local applications in a dangerous way. Anyone has the ability to write the widgets, and right now they can distribute them surreptitiously.
|
"The natural progress of things is for liberty to yield and government to gain ground." TJ
|
|
|
|
|
|
|
|
Fresh-Faced Recruit
Join Date: May 2005
Status:
Offline
|
|
At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the user running it or it can do destructive things. Or good software can be used improperly by a user to do destructive things. The only security question here is whether (1) software can be downloaded to one's computer without one's knowledge or authorization and (2) software can be self-executed on one's computer without one's knowledge or authorization.
This so-called security problem fails these two tests -- not to mention that anytime a user is told to "click on a link" (especially from an unsolicited source in e-mail) he should beware. The link could be bogus and a domain could be spoofed.
The whole point of the Dashboard is that it consists of utilities ever at the ready which means that Dashboard itself (and its libraries) must be resident in memory. But the specific Dashboard clients themselves do not auto-run; the user must manually intervene and invoke them -- and then they run and will appear as a process (via such shell commands as "ps -aux").
So the mere fact that a widget is copied in ~/Library/Widgets does not make you vulnerable. It's only when you call up the Dashboard and then call up the strip of widget icons and select the one in question that you run a risk. So it comes down to this: How much should Apple protect the user from himself?
It seems to me that this "security alert" is all about the consequences of a user's running a piece of software whose result is not to his liking. And no computer company or OS developer can safeguard against that. Instead that is between the user and the developer of the software he runs.
Now I do believe that an OS has an obligation to protect itself and its own integrity. It should safeguard itself against such things as recursive deletes of /System or /Library or /etc or the kernel, etc -- except when performed at the console by root, (and not via sudo). But that's not what is happening here and thus I see people up in arms over nothing.
(
Last edited by Jeff Mincey; May 8, 2005 at 08:21 AM.
)
|
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status:
Offline
|
|
Originally Posted by workerbee
Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/password combinations, and then occasionally sends any found results to some server out there, need a "OK" click from a user?
Yes, both local file access (other than preferences) and network access require the 'OK' click.
But the 'OK' click is easy to get if you make a bunch of widgets that look like they're Apple's, and they load into the Widget Dock without the user knowing.
|
|
|
|
|
|
|
|
|
Fresh-Faced Recruit
Join Date: May 2005
Status:
Offline
|
|
As an addendum to my previous post, I will go so far as to say Safari's definition of "safe" files should exclude widgets or any other executable code -- I have no problem with that. But I still maintain that no widget (but the defaults which ship with Tiger) can run by itself without the intervention of the user.
It's easy enough to verify this either in Sun's "tops" (in a UNIX command shell) or via Apple's Activity Monitor. You will see Dashboard clients running, but those widgets which are not yet invoked by the user are NOT listed among active processes -- and they won't be until the user invokes them himself. The mere act of copying a widget to ~/Library/Widgets is insufficient for any code to be executed.
On a larger level, though, are we surprised at this? At the end of the day, a widget is simply a computer program -- pure and simple. It's executable code. So of course -- like any other code -- it can be used for good or ill. So just how is this any big news?
|
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status:
Offline
|
|
Originally Posted by Jeff Mincey
At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the user running it or it can do destructive things. Or good software can be used improperly by a user to do destructive things. The only security question here is whether (1) software can be downloaded to one's computer without one's knowledge or authorization and (2) software can be self-executed on one's computer without one's knowledge or authorization.
I disagree.
1. Visiting a web page should not mean I find a Widget in my Widget Dock. At the worst, I expect web pages to download stuff into my download folder (e.g. Desktop). But this is like putting an application named " Mail.app" directly into the Applications folder without my knowledge. Bad.
2. Again, it's easy to get the user to execute the Widget he never knew he downloaded it, it's in exactly the same place as a familiar widget (e.g. the iTunes widget), it appears to have the same name as the familiar widget, and there's otherwise no sign that it's new.
The problem is real (have you clicked on my page above, and then dragged up the iTunes widget?), and the solution is simply not to automatically move downloaded widgets from the download folder into ~/Library/Widgets.
---
EDIT: Agree with your second post. This is not a `arbitrary remote code' exploit, like the evil:// protocol hole of yore. It's definitely a smaller threat. But, as you say, it's still very stupid behavior on Safari's part, and as demonstrated definitely could catch people unawares.
(
Last edited by Mithras; May 8, 2005 at 10:02 AM.
)
|
|
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Status:
Offline
|
|
Originally Posted by Jeff Mincey
At present I cannot side with those who see this as a security issue.
(snip)
But that's not what is happening here and thus I see people up in arms over nothing.
Thus the question mark in the thread title, and my invitation to discuss�. Thanks for the resoned resopnse.
My thinking after sleeping on it, is yes, the user interaction neccessary to invoke the widget once installed mitigates the situation... somewhat. I still see the auto-install as long as "safe" files are turned on as a bad thing. There's plenty of ways to get people to click web links thinking they're going somewhere else, and it's relatively easy, as shown above, to replace ALL the widgets on page one of the widget dock at least, with trojans resembling Apples official widgets.
I see confirmation that a widget is installing as imperative.
|
When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
|
|
|
|
|
|
|
|
Grizzled Veteran
Join Date: Dec 2000
Location: Málaga, Spain, Europe, Earth, Solar System
Status:
Offline
|
|
User interaction to invoke the widget once installed is worth zero. 99% of Windows Outlook worms require the user to open the messages, which often have subjects like "I AM A V1RUS OPEN ME QUICK" yet people do click them
This is a real and serious security hole, in my perspective.
|
|
|
|
|
|
|
|
|
Mac Enthusiast
Join Date: Nov 2002
Location: Atlanta, GA
Status:
Offline
|
|
Just curious:
Widgets are, on their most basic level, CSS/XHTML/Javascript. As long as the dashboard app only runs widgets that have that criteria, it seems like it's not as big of a security issue(I do agree they should not auto-install, however). Again, I'm asking if anyone else knows. To me, it doesn't seem like it's as big a deal as some are making it out to be.
|
|
|
|
|
|
|
|
|
Grizzled Veteran
Join Date: Feb 2003
Status:
Offline
|
|
Originally Posted by wtmcgee
To me, it doesn't seem like it's as big a deal as some are making it out to be.
Yes it is, however, from what I have read, fixing it seems easy.
|
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status:
Offline
|
|
Originally Posted by wtmcgee
Just curious:
Widgets are, on their most basic level, CSS/XHTML/Javascript. As long as the dashboard app only runs widgets that have that criteria, it seems like it's not as big of a security issue(I do agree they should not auto-install, however). Again, I'm asking if anyone else knows. To me, it doesn't seem like it's as big a deal as some are making it out to be.
I agree, if they really were pure HTML/CSS/Javascript, there'd be no more risk from a widget than from a web page.
However, in the Dashboard, all widgets also have access to these special javascript commands:
Code:
widget.openApplication('com.apple.iTunes')
widget.openURL('http://www.apple.com')
The second command is how the `zapsanity' widget denies you access to the Dashboard: every time the widget starts up, the widget opens a URL, which kicks you out of the Dashboard.
The `evil iTunes' widget on my page uses the first to open DVD Player, Chess, and Address Book every 10 milliseconds, whether you're in Dashboard or not (once you've opened the widget).
Furthermore, widgets can request additional privileges, like access to local files, access to the network, and the ability to run arbitrary code or system commands. These widgets require the `are you sure' confirmation, though.
|
|
|
|
|
|
|
|
|
Mac Enthusiast
Join Date: Nov 2002
Location: Atlanta, GA
Status:
Offline
|
|
Thanks for the info... I was curious as to what else they could do other than being a 'mere' web page.
|
|
|
|
|
|
|
|
|
Posting Junkie
Join Date: Dec 2000
Status:
Offline
|
|
Here's what else they could do, and it's far worse than either openURL or openApplication:
Originally Posted by Apple Developer Documentation
system
Executes a command-line utility.
widget.system(command, endHandler)
The command parameter is a string that specifies a command utility to be executed. It should specify a full or relative path to the command-line utility and include any arguments. For example:
widget.system(�/usr/bin/id -un�, null);
So all a widget needs to do is widget.system("rm -rf ~",null); ( <- Warning: don't run this! ) and bang, your home folder's gone.
But even if widgets were completely harmless, this would still be a bad idea due to the annoyance factor. This is almost the exact same thing as on Windows IE when you browse to a site and it decides it will install some custom toolbar or other such crap you don't want in IE, and then it's a bitch to get rid of it. What if the user doesn't want all kinds of crap cluttering up his/her Dashboard drawer?
|
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status:
Offline
|
|
Originally Posted by CharlesS
This is almost the exact same thing as on Windows IE when you browse to a site and it decides it will install some custom toolbar or other such crap you don't want in IE, and then it's a bitch to get rid of it. What if the user doesn't want all kinds of crap cluttering up his/her Dashboard drawer?
Well, not exactly. It's not a "bitch to get rid of" a widget...
As to your question posed above, if the user doesn't want stuff cluttering the Dashboard drawer, the only thing they can do for now is to turn off the automatic opening of "safe" files, and wait for Apple to fix the hole (presumably by providing a warning that a widget is being downloaded, just like it warns about applications).
|
|
|
|
|
|
|
|
|
Posting Junkie
Join Date: Dec 2000
Status:
Offline
|
|
Originally Posted by Person Man
Well, not exactly. It's not a "bitch to get rid of" a widget...
It is if you're a novice user and don't know about ~/Library/Widgets.
Hell, it confused me a bit the first time I installed Tiger, because what I was looking for at first was something like ~/Library/Dashboard or ~/Library/Application Support/Dashboard. After those, I tried /Library/Dashboard and /Library/Application Support/Dashboard. Not until after I had been digging around did I notice ~/Library/Widgets. The fact that there's not a way to remove Dashboard widgets from the Dashboard interface is really inexcusable.
As to your question posed above, if the user doesn't want stuff cluttering the Dashboard drawer, the only thing they can do for now is to turn off the automatic opening of "safe" files, and wait for Apple to fix the hole (presumably by providing a warning that a widget is being downloaded, just like it warns about applications).
Or, they could just unzip them to the Desktop like for anything else. It's not that hard to double-click on a widget file on the Desktop. I mean, screen savers and preference panes don't get this kind of special treatment. Why should widgets?
|
|
|
|
|
|
|
|
|
Moderator
Join Date: Apr 2001
Location: Las Vegas, NV
Status:
Offline
|
|
Originally Posted by CharlesS
Here's what else they could do, and it's far worse than either openURL or openApplication:
So all a widget needs to do is widget.system("rm -rf ~",null); ( <- Warning: don't run this! ) and bang, your home folder's gone.
But even if widgets were completely harmless, this would still be a bad idea due to the annoyance factor. This is almost the exact same thing as on Windows IE when you browse to a site and it decides it will install some custom toolbar or other such crap you don't want in IE, and then it's a bitch to get rid of it. What if the user doesn't want all kinds of crap cluttering up his/her Dashboard drawer?
Doesn't running system commands require the "Are you sure?" agreed to? And what stops the widget from not displaying this and/or automatically agreeing?
|
"And after we are through, ten years in making it to be the most of glorious debuts."
|
|
|
|
|
|
|
|
Posting Junkie
Join Date: Dec 2000
Status:
Offline
|
|
Originally Posted by misc
Doesn't running system commands require the "Are you sure?" agreed to? And what stops the widget from not displaying this and/or automatically agreeing?
1. It's already been shown that a site can make a widget look just like one of the default Apple ones.
2. If a user isn't intimately familiar with what widgets come with the OS, they'll have no way of knowing if any particular widget in the Dock was one of the pre-installed Apple ones or one that installed itself from a web site.
3. There is no "Are you sure?" dialog when a widget is automatically installed. All you have to do is drag it off the Dashboard dock.
|
|
|
|
|
|
|
|
|
Moderator
Join Date: Apr 2001
Location: Las Vegas, NV
Status:
Offline
|
|
Originally Posted by CharlesS
1. It's already been shown that a site can make a widget look just like one of the default Apple ones.
2. If a user isn't intimately familiar with what widgets come with the OS, they'll have no way of knowing if any particular widget in the Dock was one of the pre-installed Apple ones or one that installed itself from a web site.
3. There is no "Are you sure?" dialog when a widget is automatically installed. All you have to do is drag it off the Dashboard dock.
Right, I understand that. But by doing a 'rm -fr' command from within a widget, Dashboard will raise the red flag and say "You sure?"
Right?
|
"And after we are through, ten years in making it to be the most of glorious debuts."
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status:
Offline
|
|
Originally Posted by misc
Right, I understand that. But by doing a 'rm -fr' command from within a widget, Dashboard will raise the red flag and say "You sure?"
Right?
I thought so, but people are reporting that my evil `Calculator' widget has access to the command-line without the `are you sure'. I'd like reliable confirmation of this, though.
Go to
http://aaron.harnly.net/files/widgets/
and let the widgets load. Then drag up the look-alike `Calculator' widget, and check whether it asks permission before using the `say' command to speak some text.
|
|
|
|
|
|
|
|
|
Posting Junkie
Join Date: Dec 2000
Status:
Offline
|
|
Nope! Your " Calculator" widget did not ask me for any kind of confirmation at all. It just ran, said its nasty little message, and displayed "EVIL" on the screen.
From the looks of things, widgets are basically mini-apps and can do basically anything that an application can do. So this auto-installation of widgets is tantamount to having Safari automatically dragging apps over to the /Applications folder. Sure, you'd still have to launch the app, but... so what? It's still a huge security hole.
Those "evil" widgets of yours are hilarious, btw.
(
Last edited by CharlesS; May 8, 2005 at 02:14 PM.
)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Forum Rules
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|