Widget auto-install = huge security hole? (Page 2)
TETENAL
May 8, 2005, 02:26 PM

Originally Posted by wtmcgee:
Thanks for the info... I was curious as to what else they could do other than being a 'mere' web page.

Widgets can have native code plug-ins which can do everything (that you as the user could do too). Widgets aren't 'mere web pages'. In principle widgets are applications. That means they have the same possibilities to be a trojan and therefore must be handled by the user with the same care.

Do not download and run programs from sources you do not trust!

If you do not follow this general rule, then you have no one else to blame. I hate to put the blame on the user, but unfortunately with trojans there is no technical way to absolutely protect the user. The intentions of a program simply cannot be determined automatically. That's why the user must take over responsibility here. Not because the system vendor is lazy or something, but because it's technically not possible to do it differently.

So, those are the facts.

Now to Dashboard. Dashboard never automatically runs a widget. Not double-clicked widgets (here it asks before the widget is run) and not installed widgets (here the user has to click the widget in the Dashboard dock before it's run). Technically there is no 'hole'. A widget cannot run without user interaction.
However, the auto-install can easily stay unnoticed (for months even) and this makes it easier to lure the user into launching the widget once it's in the Dashboard-dock. That is something I agree that should be changed.
     
alphasubzero949
May 8, 2005, 02:39 PM

Here's another scenario:

Say you're downloading a movie file of a favorite clip and you hide the download window knowing that you'll be done in a few minutes. Meanwhile you visit a site that auto-downloads and installs a widget. Let's also assume that you selected "remove download list items UPON SUCCESSFUL DOWNLOAD" under the General tab in Safari Prefs. How exactly will you know that you just downloaded something? Too late; it's already installed.

Remember, not all Mac users are as "advanced" as we are.
     
CharlesS
May 8, 2005, 02:49 PM

Originally Posted by alphasubzero949:
Here's another scenario:

Say you're downloading a movie file of a favorite clip and you hide the download window knowing that you'll be done in a few minutes. Meanwhile you visit a site that auto-downloads and installs a widget. Let's also assume that you selected "remove download list items UPON SUCCESSFUL DOWNLOAD" under the General tab in Safari Prefs. How exactly will you know that you just downloaded something? Too late; it's already installed.

Remember, not all Mac users are as "advanced" as we are.

Exactly. There is no way to tell that the widget sitting in the Dashboard dock didn't come from Apple, and thus no reason for the user to be concerned about running it. The only thing the novice user knows is that he didn't download it.

I'd just like to take a moment to encourage everyone who reads this thread to file a bug report with Apple. If they get enough of our bug reports, they may get annoyed enough to fix this, just to make us shut up.
( Last edited by CharlesS; May 8, 2005 at 02:59 PM. Reason: hukd on fonix werkd four me)

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
glyph
May 8, 2005, 04:25 PM

Thanks to all for the info on this app. Couldn't you just drag and drop the dashboard app to the trash bin? I've never been too impressed with widgets although they seemed pretty neato at first.

Is there some way you could disable Dashboard from starting up?
     
TETENAL
May 8, 2005, 04:29 PM

Originally Posted by glyph:
Is there some way you could disable Dashboard from starting up?

Remove it from the Dock and change its keyboard shortcut in System Preferences to nothing. It won't run if it's not invoked.
     
glyph
May 8, 2005, 04:45 PM

Thanks

That was painless.
So, am I still susceptible to having widgets downloaded into my Widgets folder if I don't have the Safari prefs set to "Open safe files after downloading"?
     
CharlesS
May 8, 2005, 04:47 PM

Nah, if you've turned off the oxymoronic "safe" files feature, they'll just download to the Desktop.

     
glyph
May 8, 2005, 05:43 PM

Thanks

I saw that Safari preference option when I first began exploring Tiger and thought that it meant mpgs, mp3s, movs, pdfs - stuff like that - not apps. So I left it alone until reading these posts. I hope when they fix this, they'll let the user decide what is 'safe' by expanding on this option.
     
wtmcgee
May 8, 2005, 09:24 PM

I think we'll see Apple remove dashboard apps as "safe" in the next release. It's even on slashdot now!

http://it.slashdot.org/article.pl?si...&tid=179&tid=3
     
walkerjs
May 9, 2005, 12:24 AM

Originally Posted by Mithras:
I thought so, but people are reporting that my evil `Calculator' widget has access to the command-line without the `are you sure'. I'd like reliable confirmation of this, though.

Go to
http://aaron.harnly.net/files/widgets/

and let the widgets load. Then drag up the look-alike `Calculator' widget, and check whether it asks permission before using the `say' command to speak some text.

Okay, I'm not running Tiger yet; I'm still on Panther and running Firefox rather than Safari. Clicking on the exploit link on your page does not result in anything being installed as such, but it does result in a bunch of "you have chosen to open" whatever.wdgt.zip files, which I would consider to be bad, bad, bad. Especially if you are saying that under Safari on Tiger these would just be installed without user interaction and then possibly execute whatever code these widgets have. Slashdot has covered this now. Hopefully Apple will see this and get an update out that prevents this from happening because, as I see it, this is Not A Good Thing. Having recently switched to Mac OS X, I would be pissed that Apple allows this.
     
alphasubzero949
May 9, 2005, 03:27 AM

Originally Posted by walkerjs:
Having recently switched to Mac OS X, I would be pissed that Apple allows this.

We can thank Uncle Steve's secrecy policy for this. How this managed to get past beta testers and Apple's QA is beyond me...
     
JLL
May 9, 2005, 04:21 AM

Originally Posted by alphasubzero949:
We can thank Uncle Steve's secrecy policy for this.

You make it sound like Tiger hasn't been outside of Apple, but all ADC members have had access to Tiger since last June - I don't know if Tiger builds have been seeded through AppleSeed though.
JLL

- My opinions may have changed, but not the fact that I am right.
     
Gee4orce
May 9, 2005, 04:25 AM

Dragging a widget onto the screen is exactly the same as double-clicking an application. If you clicked on a link and downloaded an application (which you then had to do something to - i.e. double-click - before anything else happened), would there be any fuss? Of course not, because that's exactly what should, and does, happen. The only difference here is that you have to drag the widget onto the screen, rather than double-click an application.

This is a total non-issue.
     
alphasubzero949
May 9, 2005, 04:30 AM

Originally Posted by JLL:
You make it sound like Tiger hasn't been outside of Apple, but all ADC members have had access to Tiger since last June - I don't know if Tiger builds have been seeded through AppleSeed though.

Even if this exploit was found sooner, no one could really say anything due to NDAs. Even some developers on here have admitted that communication among themselves about Tiger was fairly restrictive.

Also consider that not all developers can front the amount of money needed to join ADC and obtain Tiger pre-release builds. Hell, 8A428 wasn't seeded to these members until it officially went public.

The sad truth is that we're paying to be beta testers for the 10.x.0 releases.
     
CharlesS
May 9, 2005, 04:30 AM

Originally Posted by Gee4orce:
Dragging a widget onto the screen is exactly the same as double-clicking an application. If you clicked on a link and downloaded an application (which you then had to do something to - i.e. double-click - before anything else happened), would there be any fuss? Of course not, because that's exactly what should, and does, happen. The only difference here is that you have to drag the widget onto the screen, rather than double-click an application.

This is a total non-issue.

No, the difference is that it actually installed the thing for you. It's as if it were to automatically drag an application into the /Applications folder. If Apple were to do that, you bet your ass there'd be a fuss.

Mithras' site clearly shows how this can be used to make a bunch of evil widgets look almost exactly like the real ones. It's not hard to see how anyone, especially a novice user, could be easily fooled into opening an evil widget this way.

Plus, it just plain should not be installing things without the user's permission. Period.

     
Simon
May 9, 2005, 04:45 AM

So, I guess we expect Apple to do the following:

- remove widgets from the 'safe' list
- possibly even remove the 'open safe stuff' option altogether, since it invites novice users to choose comfortable rather than safe
- do better beta testing as well as more stringent QA

And to those who are pissed about being 'beta testers' of the 10.4.0 release, I have this to say: Yes, it sucks and yes, it shouldn't be that way but it's nothing new and any experienced user could tell you this can happen, it has happened and it will happen. If you blindly install 10.4.0 on a production machine, you're being somewhat careless. Either try it out first on a dev system before you move it to production or wait till the 10.4.1 update gets released. Of course you paid for Tiger, but you could have just as well waited for the 10.4.1 update and then paid. Nobody has to get screwed. It's not as if anybody needed Tiger to be able to work at all. For 99.99% of the people, I'm pretty sure 10.3.9 did the job just fine.
     
alphasubzero949
May 9, 2005, 04:52 AM

Originally Posted by Simon:
If you blindly install 10.4.0 on a production machine, you're being somewhat careless.

Just like how 10.2.8 screwed us?
     
Simon
May 9, 2005, 04:58 AM

Originally Posted by alphasubzero949:
Just like how 10.2.8 screwed us?

Well, actually, yes.

Of course Apple shouldn't release buggy systems or updates, but, as we all know, unfortunately they sometimes do. What can we do? Either switch the platform (which on average probably won't be any better) or be careful. And being careful means: never install system updates on a prod machine first. If the machine is mission critical, it gets the update last. Test first on a non-critical dev machine.

That said, Mac OS X is a consumer OS too, and a simple home user should be able to install Apple's updates with no worry. But heck, in a perfect world, a lot should be different. I'm not trying to excuse Apple's blunders here, all I'm suggesting is that with a little bit of common sense effort, we can get around a lot of trouble quite easily.
     
JLL
May 9, 2005, 06:32 AM

Originally Posted by alphasubzero949:
Even if this exploit was found sooner, no one could really say anything due to NDAs.

No, they couldn't say anything to you, but it could have been reported to Apple.


Originally Posted by alphasubzero949:
The sad truth is that we're paying to be beta testers for the 10.x.0 releases.

And the truth is that no matter how extensive your beta test is, there will be bugs found in the first couple of days after release.

10.3.9 went through a lot of testing both on ADC and AppleSeed, and it didn't even take an hour after release before someone found the Java bug.
     
chris v (op)
May 9, 2005, 09:36 AM

From another list I frequent, where I picked this up initially:

"I will not release the code, nor post a demo which is too easy to modify, but I created a widget that created a folder in my System/Library folder then added a file to it (think system startup), without being given my password (watched for sudo event, then piggybacked on open access)."

That sounds not good.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
theolein
May 9, 2005, 10:02 AM

You shouldn't frequent those lists. They're obviously deviant and subversive.

Edit:
( Last edited by theolein; May 9, 2005 at 10:10 AM. )
weird wabbit
     
Superchicken
May 9, 2005, 10:17 AM

I find it weird that you guys' widgets are auto-installing themselves... I'm having to drag mine into the Library... and to get rid of 'em I have to delete 'em from the Library and log out... Apple really should have thought Dashboard out better... you should be able to command-drag 'em out and delete 'em or something...
     
workerbee
May 9, 2005, 10:42 AM

Originally Posted by Superchicken:
I find it weird that you guys' widgets are auto-installing themselves... I'm having to drag mine into the Library...

Even when you're using Safari and have "Open 'safe' files after downloading" turned on (checked) in its prefs?
MBP 15" 2.33GHz C2D 3GB 2*23" ACD
     
jeff25624
May 9, 2005, 10:51 AM

Now, after reading through this thread, I have one simple question: Is this solely a Safari problem? It would seem so judging by the responses, but does this problem affect other browsers as well, such as Firefox, Camino, etc.?
     
theolein
May 9, 2005, 11:00 AM

No, the problem is basically that widgets themselves can get installed without requiring the user to authorise that installation. All applications on OS X require a password to get installed. Widgets should do so too. There should also be a much easier way to manage widgets. Whoever came up with the idea that one can't normally delete widgets, other than by searching through a bloody Library folder, made a big mistake.
     
piracy
May 9, 2005, 11:18 AM

1. This issue is completely solved by unchecking "Open 'safe' files after downloading", which is a good practice anyway.

2. Even when "Open 'safe' files after downloading" checked, the only unique thing that happens is that the widget is moved to ~/Library/Widgets (admittedly, this could be a "malicious" widget - but it still hasn't been run at this point).

3. The widget will be visible on the Dashboard shelf the next time Dashboard is invoked, it still must be manually and deliberately run when Dashboard is invoked. It can be removed by dragging it from ~/Library/Widgets to the Trash.

As we all know, if someone tricks you into running software on your computer, the game is over. This is not nearly as automated as is implied. This is almost exclusively a social engineering exploit, but I agree there should be a prompt or notification to auto-install the Dashboard widget.
     
workerbee
May 9, 2005, 11:19 AM

Originally Posted by theolein:
No, the problem is basically that widgets themselves can get installed without requiring the user to authorise that installation. All applications on OS X require a password to get installed. Widgets should do so too. There should also be a much easier way to manage widgets. Whoever came up with the idea that one can't normally delete widgets, other than by searching through a bloody Library folder, made a big mistake.

Well, I'd say that in fact it is a Safari problem, up to a certain extent. No other browser (I hope) will download and install Widgets without the user doing anything at all, simply because Apple included Widgets in their definition of "safe" files (it's only xhtml, css, some png, and full system shell access, so what can possibly happen, right?).

If the user runs his/her Mac with admin rights, as probably most do, there's no need for any password to install apps. But at least one has to open the .dmg file and drag-and-drop the app to /Applications or ~/Applications. Also, I'm pretty sure that my mom, for example, would not think of a widget as an application -- it doesn't look like one (no menus or palettes) and it doesn't act like one (no double-clicking). She and most other "home" users probably wouldn't even think of using anything but Safari to access the web, so no amount of "everyone should use Firefox/Mozilla/Opera/whatever in the first place" is really helpful, IMHO.
     
chris v (op)
May 9, 2005, 11:43 AM

Originally Posted by theolein:
You shouldn't frequent those lists. They're obviously deviant and subversive.

Speaking as a deviant subversive, I beg to differ.
     
biscuit
May 9, 2005, 02:23 PM

As suggested earlier in this thread, I sent a very brief description of this issue to [email protected] with links to this thread and the Ars thread. I have now received a response stating that Apple engineers are looking into it. Oh, and I'm not supposed to tell anyone about this issue...

biscuit
( Last edited by biscuit; May 9, 2005 at 02:35 PM. )
     
alphasubzero949
May 9, 2005, 03:52 PM

Funny, I sent off an e-mail to the same address Saturday night discussing the issue and never received a response. They just don't like me.
     
biscuit
May 10, 2005, 04:01 AM

Well, in addition to being splashed all over the MacWeb, this is now on CNet:

http://news.com.com/Mac+malware+door...0982&subj=news

There goes the Mac's malware-free reputation

     
alphasubzero949
May 10, 2005, 04:22 AM

Heh...didn't take long for Apple to lockinate my thread over there.
     
workerbee
May 10, 2005, 04:37 AM

Originally Posted by alphasubzero949:
Heh...didn't take long for Apple to lockinate my thread over there.

I'm actually amazed your thread made it to 70 posts there.

As to the malware-free reputation: it's a shame, of course, as this could undermine OS X's / Tiger's momentum (I fully agree with Giles Turnbull). It's even more of a shame to think that this had to happen over a bunch of overhyped, overdesigned, RAM-gobbling eye-candy fluff.
     
asdasd
May 10, 2005, 05:14 AM

Ye Gods. What nonsense. On OS 9 I could download an application and it could "look like an Apple application" and delete the Finder or system folder. On OS X that is called escalating system privs. 10.4 is the first system which forces me to launch from the desktop an application which I have downloaded.

Anything can look like anything. You are exposing, and causing FUD about, something which has been a part of computer usage forever - if you download a local application and launch it, it can do malicious things to you. Widgets are applications. Deal with it.

And widgets are not being "installed" by going to the Widgets folder, nor would applications be "installed" by going into the Applications folder. You can launch an application from anywhere. They are "installed" anywhere.

I could be a "genius" like Mithras and prove a security hole by ponying up an Objective-C app which looks like iTunes and does something with user privs like launch a URL, or speak - which proves that it COULD BE DANGEROUS (cue to run around the room in a panic). Horsepoo.

Apple did not notice this issue, because it is not an issue. Applications have user privs. Widgets are applications. Download from safe places.

By the way, the addition of a warning - this is the first time you have run this widget are you sure you want to continue? - will stop no stupid user from running an application, but will annoy the rest of us. It is like those stupid warnings on most products these days, it provides no real security but gets the companies off the hook.
     
theolein
May 10, 2005, 05:42 AM

The point, originally, is that widgets can get installed without you noticing. Yes, it can easily be hindered, but open safe files is the default in Safari. I would explain it once again, but frankly I'm tired of explaining the issue to people who will defend everything Apple does blindly, even when it affects them as well.
     
theolein
May 10, 2005, 05:55 AM

Originally Posted by alphasubzero949:
Heh...didn't take long for Apple to lockinate my thread over there.

If there is one thing that pisses me off more about the Mac platform than anything else, it is Apple's way of reacting when anything mildly negative gets published about them. Their habit of secrecy with respect towards security is even worse than Microsoft's, and that is saying something.

The second thing that pisses me off about the Mac platform is the way the more rabid fans will defend the platform no matter what happens. They give the Mac user base a reputation of being stupid.
     
moki
May 10, 2005, 06:11 AM

As far as security holes go, this isn't exactly the apocalypse. But it certainly is a security hole, and Apple should plug it ASAP.
Andrew Welch / el Presidente / Ambrosia Software, Inc.
     
chris v (op)
May 10, 2005, 08:30 AM

Originally Posted by asdasd:
Ye Gods. What nonsense. On OS 9 I could download an application and it could "look like an Apple application" and delete the Finder or system folder. On OS X that is called escalating system privs. 10.4 is the first system which forces me to launch from the desktop an application which I have downloaded.

Anything can look like anything. You are exposing, and causing FUD about, something which has been a part of computer usage forever - if you download a local application and launch it, it can do malicious things to you. Widgets are applications. Deal with it.

And widgets are not being "installed" by going to the Widgets folder, nor would applications be "installed" by going into the Applications folder. You can launch an application from anywhere. They are "installed" anywhere.

I could be a "genius" like Mithras and prove a security hole by ponying up an Objective-C app which looks like iTunes and does something with user privs like launch a URL, or speak - which proves that it COULD BE DANGEROUS (cue to run around the room in a panic). Horsepoo.

Apple did not notice this issue, because it is not an issue. Applications have user privs. Widgets are applications. Download from safe places.

By the way, the addition of a warning - this is the first time you have run this widget, are you sure you want to continue? - will stop no stupid user from running an application, but will annoy the rest of us. It is like those stupid warnings on most products these days, it provides no real security but gets the companies off the hook.

Your statement assumes the user intends to download the application in the first place, which makes your point utterly moot under the circumstances. Do keep up!

I have a friend who wrote a folder action that throws up a warning dialog whenever anything is moved into ~/Library/Widgets. Seems like a good short-term solution that allows me to turn "safe" files back on.
( Last edited by chris v; May 10, 2005 at 09:43 AM. )

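The folder action chris v describes above, together with the "uncheck Open 'safe' files" advice given earlier in the thread and piracy's note that the only thing the auto-install actually does is drop the bundle into ~/Library/Widgets, as an added example that is not part of the original post and is nobody's code from the thread. It records a baseline of the .wdgt bundles in the Widgets folder and reports anything that shows up later; it polls from a script instead of using a real Folder Action so it can run from cron or a login item. Assumptions that are this example's own, not facts from the thread: the Safari preference key AutoOpenSafeDownloads in the com.apple.Safari domain, and the baseline file name ~/.widget-baseline.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple. Two things the thread
# recommends: turn off Safari's "Open 'safe' files after downloading", and warn
# when a .wdgt bundle appears in ~/Library/Widgets that you did not put there
# (what chris v's friend's Folder Action does). The preference key name, the
# baseline file path and the polling design are this example's assumptions.

WIDGET_DIR="${WIDGET_DIR:-$HOME/Library/Widgets}"
BASELINE="${BASELINE:-$HOME/.widget-baseline}"

# Turn off auto-opening of "safe" downloads in Safari (macOS only; Safari has
# to be restarted for the change to take effect). Assumed key name.
disable_safe_files() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Print the names of the widget bundles (directories named *.wdgt) in a
# directory, one per line, sorted so the lists can be compared with comm(1).
# A missing directory is treated as empty.
list_widgets() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for w in "$dir"/*.wdgt; do
        [ -d "$w" ] && basename "$w"
    done | sort
}

# Record the current contents of a widget directory as the trusted baseline.
# Run this once, while you know everything in the folder is yours.
record_baseline() {
    list_widgets "$1" > "$2"
}

# Print the widgets present in the directory but absent from the baseline file
# (comm -13 keeps only lines unique to the second, stdin, input).
new_widgets() {
    dir="$1"; base="$2"
    [ -f "$base" ] || : > "$base"
    list_widgets "$dir" | comm -13 "$base" -
}

# Warn on stderr and return 1 if anything has been added behind the user's back,
# otherwise return 0. Suitable as a cron job or a login-time check.
check_widgets() {
    found=$(new_widgets "$1" "$2")
    if [ -n "$found" ]; then
        printf 'WARNING: widget(s) appeared in %s that are not in the baseline:\n%s\n' \
            "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Usage (not run automatically when the file is sourced):
#   record_baseline "$WIDGET_DIR" "$BASELINE"   # once, when the folder is known good
#   check_widgets   "$WIDGET_DIR" "$BASELINE"   # after each browsing session or from cron
```

The check only tells you that a bundle arrived without you installing it; it says nothing about what the bundle would do, which is the point TETENAL and piracy make above. A widget that has merely landed in the folder has not run, so deleting it from ~/Library/Widgets before it is ever clicked in the Dashboard dock is the whole remediation.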
     
kman42
May 10, 2005, 08:45 AM

Simple solution. Remove widgets from the Safari safe list and ask the user if they want to run them the first time. Then they act exactly like the applications they are. Problem solved.
     
asdasd
May 10, 2005, 11:59 AM

"Your statement assumes the user intends to download the application in the first place, which makes your point utterly moot under the circumstances. Do keep up!"

I think that should be caught at the downloading stage and not the opening-a-disk-image stage, and power users should be able to turn it off. To be clear:

1) Any download gets an OK before it begins. The source of the download is made clear. You can run a whois in this screen and forward results somewhere - like Apple security - if the download started surreptitiously.
2) The download screen remains visible for the duration of the download. At the moment it can open up behind the main Safari window. Make it prettier and transparent for all I care.

Both of these features could be turned off, of course.

Why do I get the impression that people worried about this potential exploit are getting applications from anywhere and everywhere without using Safari, P2P anyone?

I am not an Apple zealot, btw. I think that all OSes are very secure these days if used with the standard internet access tools, most exploits are "potential" only, and I don't want to see computers lose boatloads of usability for the sake of "potential" issues which never really materialise.
     
barney ntd
May 10, 2005, 12:08 PM

Originally Posted by asdasd:
I think that all OSes are very secure these days if used with the standard internet access tools, most exploits are "potential" only, and I don't want to see computers lose boatloads of usability for the sake of "potential" issues which never really materialise.

Wow. I think the complete opposite of every part of this statement! This calls for a poll!

Barney.
     
asdasd
May 10, 2005, 12:16 PM

I also suspect, Barney, that the people bleating the loudest about security are quite happy with P2P networking - which I don't include as a standard internet access tool, and don't personally use - from totally untrusted sources, but are scared shitless about downloading widgets from Apple's site or Apple's recommended sites which have been verified by Apple engineers, testers, and general users. All because of FUD about applications having the power to do application-level things. Panic. Run around the room, hands in the air!

So secure is OS X that I doubt that anyone has ever downloaded anything that has harmed the system irrevocably - unless it was iTunes and came from Apple. On the other hand, third-party System Extensions in OS 9 were frying systems left, right and centre.
     
barney ntd
May 10, 2005, 12:31 PM

Well, I don't use P2P, but I do sometimes click on web links to see where they go. When one of them downloads a file to my desktop, I just bin it. If one of them downloaded a file to my Widgets folder (or my Applications folder) I would be extremely annoyed. It's clear that Widgets should not be treated as "safe" files.
     
CharlesS
May 10, 2005, 12:31 PM

Originally Posted by asdasd:
Ye Gods. What nonsense. On OS 9 I could download an application and it could "look like an Apple application" and delete the Finder or system folder.

For the 3,247,958,459th time:

Could you download an application on OS 9 and have it automatically get moved to the Applications folder without your knowing it? No, you couldn't! You'd have to run it or drag it from the Desktop, where it was patently obvious that this was something you downloaded, since legitimate Apple applications aren't installed by default to the Desktop.

This isn't really that difficult of a concept for anyone above a fifth-grade reading level to understand.

And no, I don't use P2P. Thanks for the completely unfounded accusation.

     
chris v (op)
May 10, 2005, 01:04 PM

Originally Posted by asdasd
I also suspect Barney, that the people bleating the loudest about security are quite happy with P2P networking - which I don't include as standard internet access tools, and don't personally use - from totally untrusted sources, but are scared shitless about downloading widgets from Apple's site or Apple's recommended sites which have been verified by Apple Engineers, testers, and general users. All because of FUD about applications having power to do application level things. Panic. Run around the room hands in the air!

So secure is OS X that I doubt that anyone has ever downloaded anything that has harmed the system irrevocably - unless it was iTunes and came from Apple. On the other hand third party System Extensions in OS 9 were frying systems left right and centre.
1. Thanks for accusing us of being software pirates because we think this is an issue.

2. You really, really don't seem to understand fully what the problem here is. Please read carefully.

As configured at default, Safari can be used by a website to download and install a malicious widget with no user interaction whatsoever. The user does not have to be aware of the fact that the link included a downloadable file. It can read in a browser as just a normal link, with no intention or even idea of something being downloaded on the user's part.

Yes, this IS just a concept. By making noise about it NOW, we intend to KEEP it from BECOMING an actual vector for actual exploits. Because we love our Macs, and our operating system.

Thanks for playing.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Status: Offline
May 10, 2005, 02:08 PM
 
I guess I must have been seeing things when I tried it out for myself.

The way some people will defend Apple to the end just astonishes me.

CharlesS and chris v, you both summed it up quite nicely.
     
workerbee
Mac Elite
Join Date: Jul 2001
Location: Switzerland
Status: Offline
May 10, 2005, 02:25 PM
 
Originally Posted by CharlesS
This isn't really that difficult of a concept for anyone above a fifth-grade reading level to understand.
The problem probably is not the fifth grade, but rather RDF (over)exposure.
MBP 15" 2.33GHz C2D 3GB 2*23" ACD
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
May 10, 2005, 04:03 PM
 
People like asdasd make it difficult to keep a straight face. If they are incapable of understanding that a browser can download a file without them knowing it, and then go on to make some strange statements about P2P users (You do realise that a browser can download software just as well as a P2P app can, don't you?) and Apple approved sites (wow, now we should only surf the web to those sites that Apple approves? Microsoft's PR department will love this) then I can only shake my head in wonder at such amazing logic.
weird wabbit
     
mdc
Addicted to MacNN
Join Date: Feb 2003
Location: NY²
Status: Offline
May 10, 2005, 10:00 PM
 
widget, the world watcher.
I came across this tonight. It monitors for new widgets being installed (with Safari auto open on) and pops up a dialog box asking you if you want to install it or not. If you don't install it, it puts the widget on your desktop.
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status: Offline
May 10, 2005, 11:37 PM
 
I just discovered (don't know why it took this long to notice) that when two widgets use the same bundle identifier, the Dashboard Bar only shows the widget that loads second. And -- you guessed it -- widgets in ~/Library/Widgets load after widgets in /Library/Widgets/.

Check out the new, simpler, deadlier example exploit at
http://www1.cs.columbia.edu/~aaron/files/widgets/

(of course, you'll need `open safe file' turned back on for the exploit to work, and I'm sure you've all turned it off by now, right? Unless you installed that Folder Action, which I think is great.)
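A defender-side check for the two observations above: mdc's widget watcher, which notices new widgets arriving in ~/Library/Widgets, and Mithras's point that a user widget carrying the same bundle identifier as a system widget loads second and hides the system one. This is an added example, not code from the thread or from the widget watcher folder action. It assumes the layout the posts describe (.wdgt bundles with an Info.plist holding CFBundleIdentifier, /Library/Widgets loaded before ~/Library/Widgets), runs entirely on a constructed temporary layout so it can be tried anywhere, and the Safari preference key AutoOpenSafeDownloads used in the last function is my assumption, not something stated in the thread.

```python
"""Spot Dashboard widgets that shadow a system widget, and widgets that arrived
since a snapshot. Added example; directory layout and plist keys are assumed."""
import plistlib
import subprocess
import sys
import tempfile
import xml.parsers.expat
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple


def bundle_identifier(widget: Path) -> Optional[str]:
    """Return CFBundleIdentifier from a .wdgt bundle's Info.plist, or None."""
    try:
        with (widget / "Info.plist").open("rb") as fh:
            return plistlib.load(fh).get("CFBundleIdentifier")
    except (OSError, ValueError, plistlib.InvalidFileException,
            xml.parsers.expat.ExpatError):
        return None


def scan_widgets(directory: Path) -> Dict[str, Path]:
    """Map bundle identifier -> bundle path for every .wdgt in a directory."""
    found: Dict[str, Path] = {}
    if not directory.is_dir():
        return found
    for entry in sorted(directory.iterdir()):
        if entry.is_dir() and entry.suffix == ".wdgt":
            ident = bundle_identifier(entry)
            if ident:
                found[ident] = entry
    return found


def find_shadowed(system_dir: Path, user_dir: Path) -> List[Tuple[str, Path, Path]]:
    """Identifiers present in both locations. Per the thread, the user copy
    loads second and is the one the Dashboard bar shows; the name of the
    bundle does not matter, only the identifier."""
    system, user = scan_widgets(system_dir), scan_widgets(user_dir)
    return [(ident, system[ident], user[ident])
            for ident in sorted(set(system) & set(user))]


def new_widgets(snapshot: Set[str], user_dir: Path) -> List[Path]:
    """Bundles now present whose names were not in an earlier snapshot."""
    return [p for p in sorted(user_dir.glob("*.wdgt")) if p.name not in snapshot]


def safari_auto_open_enabled() -> Optional[bool]:
    """Read Safari's 'Open safe files after downloading' setting. The key
    AutoOpenSafeDownloads in com.apple.Safari is an assumption. Returns None
    off macOS or when the key is unset."""
    if sys.platform != "darwin":
        return None
    try:
        out = subprocess.run(
            ["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"],
            capture_output=True, text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return out in ("1", "true", "YES")


def _make_widget(directory: Path, name: str, ident: str) -> Path:
    """Constructed sample bundle: a directory ending in .wdgt with an Info.plist."""
    widget = directory / name
    widget.mkdir(parents=True, exist_ok=True)
    with (widget / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident, "CFBundleName": name[:-5]}, fh)
    return widget


def demo() -> Dict[str, List[str]]:
    """Build a constructed layout in a temp dir and run both checks."""
    root = Path(tempfile.mkdtemp(prefix="widget-demo-"))
    system_dir = root / "Library" / "Widgets"          # stands in for /Library/Widgets
    user_dir = root / "home" / "Library" / "Widgets"   # stands in for ~/Library/Widgets
    _make_widget(system_dir, "Calculator.wdgt", "com.example.calculator")
    _make_widget(system_dir, "Weather.wdgt", "com.example.weather")
    _make_widget(user_dir, "Clock.wdgt", "com.example.clock")
    snapshot = {p.name for p in user_dir.glob("*.wdgt")}
    # A later arrival under a different name but a colliding identifier.
    _make_widget(user_dir, "Calc.wdgt", "com.example.calculator")
    return {
        "new": [p.name for p in new_widgets(snapshot, user_dir)],
        "shadowed": [ident for ident, _, _ in find_shadowed(system_dir, user_dir)],
    }


if __name__ == "__main__":
    print(demo())
    print("Safari auto-open:", safari_auto_open_enabled())
```

Run on a real Mac, the scan functions can be pointed at Path("/Library/Widgets") and Path.home() / "Library" / "Widgets" directly; the collision check flags a user-level bundle that would silently replace a system widget of the same identifier, which a simple "new file appeared" watcher alone would not explain.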
     