Widget auto-install = huge security hole?
chris v
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
May 7, 2005, 08:00 PM
 
Warning: the following link will auto-download a widget that will then auto install:

http://stephan.com/widgets/zaptastic/

It kills all the widgets in ~/Library until you trash it. Just from clicking a URL.

Discuss.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
May 7, 2005, 08:21 PM
 
First, nothing happened automatically, probably because I have opening of "safe" files turned off in Safari.

Second, when one first starts a widget (including this one) Dashboard asks whether you want to allow this. This can be declined.

If you unpack, double-click and allow to run a widget when asked, then there's nothing the system can do any more. It would be like any other trojan application (the OS doesn't even ask for applications in fact).

So don't download and run anything from a source you don't trust.
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
May 7, 2005, 08:38 PM
 
Lotsa default installs out there, and lotsa users that don't know to change the prefs. Did you read the whole page?

I've got a default install of 10.4 going here, and I didn't get asked about allowing the widget to start on any of the extras I've downloaded. This needs to be turned off by default at least. Think about it: a default install will auto-download in the background, then auto-install an app that can run command-line stuff. I don't see how a widget might be written that would do sudo-type damage, but his points about pron pop-up type things, and maybe trashing home folders seems possible. It can certainly be used to take control of a browser.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
tkmd
Grizzled Veteran
Join Date: Oct 2001
Location: Michigan
May 7, 2005, 08:39 PM
 
There's a thread about this same issue going on at Ars. Interesting. Could the honeymoon be over?

http://episteme.arstechnica.com/eve/...m/200006323731
Pismo 400 | Powerbook 1.5 GHz | MacPro 2.66/6GB/7300GT
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
May 7, 2005, 08:41 PM
 
Originally Posted by TETENAL
So don't download and run anything from a source you don't trust.
Also note that the download was initiated by merely clicking a link that didn't present itself as being linked to a file.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
Millennium
Clinically Insane
Join Date: Nov 1999
May 7, 2005, 08:57 PM
 
Dear God; it's ActiveX all over again.

No, I'm serious. The whole reason ActiveX is so insecure is that Microsoft insists on auto-opening executable code in the name of convenience. If Apple has made that same mistake, then we are well and truly screwed. The only way to close this hole is to remove the feature. Not just "make it an option"; completely remove it.

This is what I was worried about when I first heard about Dashboard using WebCore. I really hoped that Apple would have learned from the ActiveX debacle, but it seems I was wrong to assume that. Well, that settles it; I can no longer recommend Safari to anyone.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Millennium
Clinically Insane
Join Date: Nov 1999
May 7, 2005, 09:00 PM
 
Originally Posted by chris v
Warning: the following link will auto-download a widget that will then auto install:

http://stephan.com/widgets/zaptastic/

It kills all the widgets in ~/Library until you trash it. Just from clicking a URL.

Discuss.
Spread this far and wide, Chris. Tiger hasn't been out for long, so there's still a chance we can get Apple to remove the auto-install feature before too many users clamor for its inclusion due to 'usability' 'advantages'. In fact, I think I'm going to post this link to a few places, if you don't mind.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
May 7, 2005, 09:06 PM
 
Originally Posted by Millennium
The only way to close this hole is to remove the feature. Not just "make it an option"; completely remove it.
Disable "Open 'safe' files" in Safari and the widgets are not installed automatically. Before a widget is run the first time Dashboard asks. No widget is run automatically without user interaction.

Of course widgets may be trojans. Just like any other application may be. That's hardly a surprise.
     
mitchell_pgh
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
May 7, 2005, 09:06 PM
 
Why would they do that! It's just silly. There should be:
1) A scary warning.
2) You should physically have to move the widget to the widget library (or have a big scary screen saying "You have downloaded a widget that could contain malicious code. etc. etc.")

Just silly IMHO.
     
Kristoff
Mac Elite
Join Date: Sep 2000
Location: in front of the keyboard
May 7, 2005, 09:15 PM
 
You guys didn't hear?

They're moving to signed widgets, and you have to buy a Widget Developer's License from Apple to get a widget signing key.


signatures are a waste of bandwidth
especially ones with political tripe in them.
     
Millennium
Clinically Insane
Join Date: Nov 1999
May 7, 2005, 09:15 PM
 
Originally Posted by TETENAL
Disable "Open 'safe' files" in Safari and the widgets are not installed automatically. Before a widget is run the first time Dashboard asks. No widget is run automatically without user interaction.
Not good enough, because people can leave that feature on.
Of course widgets may be trojans. Just like any other application may be. That's hardly a surprise.
You don't understand; the point is that this misfeature gives widgets a means to self-spread. What could have been a simple Trojan can become a true worm if this feature is allowed to remain in place.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
May 7, 2005, 09:19 PM
 
Originally Posted by Millennium
You don't understand; the point is that this misfeature gives widgets a means to self-spread. What could have been a simple Trojan can become a true worm if this feature is allowed to remain in place.
Widgets can not "self spread" because Dashboard asks the user whether they are allowed to run when they are run the first time. They can only spread with the explicit allowance of the user.
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
May 7, 2005, 09:39 PM
 
Originally Posted by TETENAL
Widgets can not "self spread" because Dashboard asks the user whether they are allowed to run when they are run the first time. They can only spread with the explicit allowance of the user.
I repeat: I have never yet had Dashboard ask me about letting any widget do anything. If I put them on the dashboard, they run. Maybe my install is weird? Here's what I did when I saw that link:

1. I clicked on the link. period.
2. When I hit F12, I had me a new widget. Yes, I then had to drag it out of the widget dock, but then I got no further warnings.

This was on a DEFAULT os 10.4 UPGRADE. from 10.3.8.

I can see having Safari allow an unstuff or disk-image mount, but apparently, with this widget business, there's more than that going on, if by merely clicking a link, the thing gets installed with no further interaction. It's getting unzipped, and placed in a directory from which it can do its business.

YES, I KNOW ABOUT THE PREF TO TURN OFF "OPEN SAFE FILES AFTER DOWNLOADING." THAT IS NOT THE POINT. IT IS NOT ONLY ON BY DEFAULT, BUT SOMETHING MORE IS HAPPENING HERE WITH THE WIDGET BESIDES SIMPLY UNZIPPING. Sorry for yelling, but I don't seem to have gotten that through yet.

And also, yes, there is not an obvious way for these things to vector from machine to machine that I can see. It's still a security hole, whether or not it's a virus.

Here's the possible scenario:

1. A user clicks an apparently innocuous link that unbeknownst to them installs a widget that looks exactly like the weather widget.
2. User launches Dashboard and drags the wrong Weather widget onto the desktop.
3. Bad things happen.

This is a security hole, as far as I'm concerned.
( Last edited by chris v; May 7, 2005 at 09:44 PM. Reason: I still can't type.)

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 7, 2005, 10:05 PM
 
I've got the same experience as chris v; most widgets that I've downloaded haven't asked me anything. The exceptions have been when the app contained a binary code, shell script, or the like inside the widget bundle. Then, I get that standard "This archive contains an application" warning. So I guess the question is, is a Dashboard widget able to run any utility like rm -rf without the aid of a bundled app? From a cursory glance at the documentation, it looks as if it is. That's bad.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 7, 2005, 10:05 PM
 
Originally Posted by TETENAL
Widgets can not "self spread" because Dashboard asks the user whether they are allowed to run when they are run the first time. They can only spread with the explicit allowance of the user.
This is exactly the same way that Internet Explorer is abused to download viruses, spyware and other malicious stuff onto a user's Windows system, and a good 90% of users just click yes when asked about whether they want to run the executable or not BECAUSE THEY DON'T KNOW BETTER, just like the majority of Mac users. This is a major vulnerability and I encourage everybody to post feedback to [email protected] about this.

It really pisses me off sometimes that Apple releases major OS versions with bad bugs in them. The firewire bug in 10.3.0 was the same thing: lack of sufficient beta testing and quality control.
weird wabbit
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 7, 2005, 10:06 PM
 
Originally Posted by TETENAL
Widgets can not "self spread" because Dashboard asks the user whether they are allowed to run when they are run the first time. They can only spread with the explicit allowance of the user.
Dashboard only asks `are you sure?' for widgets that request system access -- the ones that could potentially delete your home folder. Ordinary widgets that just display stuff don't get the confirmation dialog. However, that page demonstrates a `safe' widget that renders Dashboard useless. Oops.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
May 7, 2005, 10:11 PM
 
Listen, chris, there is absolutely no need of shouting. This was just lack of extensive testing on my side before composing my replies.

Of course I have set the "Open 'safe' files after downloads" turned off. When downloading the widget like this it simply downloads the ZIP-archive which expands the widget to the desktop when double-clicked. If you then launch the widget on the desktop by double-clicking, Dashboard asks you whether you would like to allow this widget to be run.

So now I turned "Open 'safe' files" on temporarily and downloaded the widget again. This time the widget was automatically installed, appears in the Dashboard-dock and when clicked Dashboard does not ask whether this widget may be run or not.

This is indeed a bad thing.

The widget still can not run without user interaction (the user has to click it in the Dock first). However with the automatic installing, the user might not notice that a widget had been installed by a dubious web site, and the widget might stay installed for a long time. After a long time the user might not be suspicious of an additional icon in the Dashboard-dock especially if it has the same icon as one of the built in widgets.

I therefore form the opinion that Apple should get rid of the automatic installation by Safari. Instead Dashboard should offer a comfortable way for the user to add and remove widgets from the Dashboard-dock by hand.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
May 7, 2005, 10:17 PM
 
Originally Posted by theolein
This is exactly the same way that Internet Explorer is abused to download viruses, spyware and other malicious stuff onto a user's Windows system, and a good 90% of users just click yes when asked about whether they want to run the executable or not BECAUSE THEY DON'T KNOW BETTER, just like the majority of Mac users.
Well, eventually you have to allow the user to run applications. What more can you do than ask whether the user wants to allow this? It's not like you can guess the good intentions of an application.

There is no technical means to protect a user from a trojan. Therefore every user must understand and learn only to download programs from trusted sources. The people who click "Yes, please run the stuff that just downloaded from this porn site I'm surfing" are simply too stupid to consume porn. That's the bitter truth.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
May 7, 2005, 10:21 PM
 
Originally Posted by Mithras
Dashboard only asks `are you sure?' for widgets that request system access -- the ones that could potentially delete your home folder. Ordinary widgets that just display stuff don't get the confirmation dialog. However, that page demonstrates a `safe' widget that renders Dashboard useless. Oops.
Not true. Dashboard asks for every widget that is run from outside (~)/Library/Widgets. That's the normal place of widgets to be (outside!) when they have been downloaded and unpacked.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 7, 2005, 10:24 PM
 
Originally Posted by TETENAL
Well, eventually you have to allow the user to run applications. What more can you do than ask whether the user wants to allow this? It's not like you can guess the good intentions of an application.

There is no technical means to protect a user from a trojan. Therefore every user must understand and learn only to download programs from trusted sources. The people who click "Yes, please run the stuff that just downloaded from this porn site I'm surfing" are simply too stupid to consume porn. That's the bitter truth.
The problem is, and this is true on Windows as well, that most users might not run some dubious piece of thing that they download from the net if they know that they are downloading it, but with Internet Explorer and this Dashboard hole, they very often won't know. If you read the article you'll see that quite innocuous sites can download malware widgets, and when the user looks at dashboard and sees a pretty icon there saying: "SPORTS SCORES", "SPOTLIGHT WIDGET", "NETWORK CONNECTIONS" or "HUGE TITS" the chances are pretty high that they will start it up sooner or later, and the chances are also big that they will inanely click "yes" to allow it to access the system, because they simply don't know what it is, how it got there (since they didn't consciously download it) or that it doesn't belong to the system.
weird wabbit
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 7, 2005, 10:47 PM
 
Reposted from ars:
I made a web page that silently downloads a slate full of widgets that looked just like the Apple widgets, and appeared to have the same names, but could have had malicious content:


Though again, apart from the auto-refresh "DoS" problem, you'd need the user to click `yes, okay' in order to do something like delete their home folder. On the other hand, if they think they're trying out one of the Apple widgets that they haven't used yet...
( Last edited by Mithras; May 7, 2005 at 11:47 PM. )
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 7, 2005, 11:02 PM
 
Evil tracker.
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 7, 2005, 11:42 PM
 
Originally Posted by Millennium
Spread this far and wide, Chris. Tiger hasn't been out for long, so there's still a chance we can get Apple to remove the auto-install feature before too many users clamor for its inclusion due to 'usability' 'advantages'. In fact, I think I'm going to post this link to a few places, if you don't mind.
Go check the thread in the Dashboard section on Apple's support forums.
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 7, 2005, 11:47 PM
 
You can try my little page o' evil widgets if you like.
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
May 7, 2005, 11:56 PM
 
Originally Posted by alphasubzero949
Go check the thread in the Dashboard section on Apple's support forums.
It'll be interesting to see if that thread is still there in a day or two. Odds are 50/50 Apple deletes it.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 8, 2005, 12:01 AM
 
Originally Posted by chris v
It'll be interesting to see if that thread is still there in a day or two. Odds are 50/50 Apple deletes it.
I know; but it's worth a shot.
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 8, 2005, 12:05 AM
 
Also, one should note that even a `sandboxed' auto-loaded widget can hijack and overwrite widget preferences. So you could lose your Sticky notes for example.
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
May 8, 2005, 12:09 AM
 
At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into permanent pr0n spazms. This would be very bad for office workers, or teachers.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 8, 2005, 12:49 AM
 
Originally Posted by chris v
At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into permanent pr0n spazms. This would be very bad for office workers, or teachers.
Yes, it could e.g. open a web page every 10 milliseconds, * even after you've left Dashboard *, since widgets are quiescent after leaving Dashboard only if they choose to be.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
May 8, 2005, 06:10 AM
 
This is really a regrettable, inexcusable vulnerability. I know OS X is a complex project, but you would think someone in management or QA would take charge and put 2+2 together before 10.4.0 shipped. This makes it apparent that Apple cannot handle the task of internal beta testing and should do wider beta testing, secrecy be damned.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
workerbee
Mac Elite
Join Date: Jul 2001
Location: Switzerland
May 8, 2005, 06:45 AM
 
Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/password combinations, and then occasionally sends any found results to some server out there, need a "OK" click from a user?
Combine this with the auto-install of widgets (yes, I have "open safe files" turned on because until a few minutes ago I thought this was a nice feature) and the simplicity of creating a nice-looking inoffensive-acting widget - e.g. a widget showing my Backpack PIM or Basecamp Dashboard - I'd really like to be able to turn off Dashboard once and for all.
MBP 15" 2.33GHz C2D 3GB 2*23" ACD
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
May 8, 2005, 06:52 AM
 
I'm wondering why we all did not see this coming before. I don't mean to come off as an alarmist, but the type of scenario workerbee is describing is within the realm of possibility. Dashboard blurs the distinction between untrusted web content and local applications in a dangerous way. Anyone has the ability to write the widgets, and right now they can distribute them surreptitiously.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Jeff Mincey
Fresh-Faced Recruit
Join Date: May 2005
May 8, 2005, 08:13 AM
 
At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the user running it or it can do destructive things. Or good software can be used improperly by a user to do destructive things. The only security question here is whether (1) software can be downloaded to one's computer without one's knowledge or authorization and (2) software can be self-executed on one's computer without one's knowledge or authorization.

This so-called security problem fails these two tests -- not to mention that anytime a user is told to "click on a link" (especially from an unsolicited source in e-mail) he should beware. The link could be bogus and a domain could be spoofed.

The whole point of the Dashboard is that it consists of utilities ever at the ready which means that Dashboard itself (and its libraries) must be resident in memory. But the specific Dashboard clients themselves do not auto-run; the user must manually intervene and invoke them -- and then they run and will appear as a process (via such shell commands as "ps -aux").

So the mere fact that a widget is copied in ~/Library/Widgets does not make you vulnerable. It's only when you call up the Dashboard and then call up the strip of widget icons and select the one in question that you run a risk. So it comes down to this: How much should Apple protect the user from himself?

It seems to me that this "security alert" is all about the consequences of a user's running a piece of software whose result is not to his liking. And no computer company or OS developer can safeguard against that. Instead that is between the user and the developer of the software he runs.

Now I do believe that an OS has an obligation to protect itself and its own integrity. It should safeguard itself against such things as recursive deletes of /System or /Library or /etc or the kernel, etc -- except when performed at the console by root, (and not via sudo). But that's not what is happening here and thus I see people up in arms over nothing.
( Last edited by Jeff Mincey; May 8, 2005 at 08:21 AM. )
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 8, 2005, 09:10 AM
 
Originally Posted by workerbee
Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/password combinations, and then occasionally sends any found results to some server out there, need a "OK" click from a user?
Yes, both local file access (other than preferences) and network access require the 'OK' click.
But the 'OK' click is easy to get if you make a bunch of widgets that look like they're Apple's, and they load into the Widget Dock without the user knowing.
     
Jeff Mincey
Fresh-Faced Recruit
Join Date: May 2005
May 8, 2005, 09:10 AM
 
As an addendum to my previous post, I will go so far as to say Safari's definition of "safe" files should exclude widgets or any other executable code -- I have no problem with that. But I still maintain that no widget (but the defaults which ship with Tiger) can run by itself without the intervention of the user.

It's easy enough to verify this either in Sun's "tops" (in a UNIX command shell) or via Apple's Activity Monitor. You will see Dashboard clients running, but those widgets which are not yet invoked by the user are NOT listed among active processes -- and they won't be until the user invokes them himself. The mere act of copying a widget to ~/Library/Widgets is insufficient for any code to be executed.

On a larger level, though, are we surprised at this? At the end of the day, a widget is simply a computer program -- pure and simple. It's executable code. So of course -- like any other code -- it can be used for good or ill. So just how is this any big news?
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 8, 2005, 09:17 AM
 
Originally Posted by Jeff Mincey
At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the user running it or it can do destructive things. Or good software can be used improperly by a user to do destructive things. The only security question here is whether (1) software can be downloaded to one's computer without one's knowledge or authorization and (2) software can be self-executed on one's computer without one's knowledge or authorization.
I disagree.
1. Visiting a web page should not mean I find a Widget in my Widget Dock. At the worst, I expect web pages to download stuff into my download folder (e.g. Desktop). But this is like putting an application named " Mail.app" directly into the Applications folder without my knowledge. Bad.

2. Again, it's easy to get the user to execute the Widget: he never knew he downloaded it, it's in exactly the same place as a familiar widget (e.g. the iTunes widget), it appears to have the same name as the familiar widget, and there's otherwise no sign that it's new.

The problem is real (have you clicked on my page above, and then dragged up the iTunes widget?), and the solution is simply not to automatically move downloaded widgets from the download folder into ~/Library/Widgets.

---
EDIT: Agree with your second post. This is not an `arbitrary remote code' exploit, like the evil:// protocol hole of yore. It's definitely a smaller threat. But, as you say, it's still very stupid behavior on Safari's part, and as demonstrated definitely could catch people unawares.
( Last edited by Mithras; May 8, 2005 at 10:02 AM. )
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
May 8, 2005, 09:50 AM
 
Originally Posted by Jeff Mincey
At present I cannot side with those who see this as a security issue.

(snip)

But that's not what is happening here and thus I see people up in arms over nothing.
Thus the question mark in the thread title, and my invitation to discuss. Thanks for the reasoned response.

My thinking after sleeping on it, is yes, the user interaction necessary to invoke the widget once installed mitigates the situation... somewhat. I still see the auto-install as long as "safe" files are turned on as a bad thing. There's plenty of ways to get people to click web links thinking they're going somewhere else, and it's relatively easy, as shown above, to replace ALL the widgets on page one of the widget dock at least, with trojans resembling Apple's official widgets.

I see confirmation that a widget is installing as imperative.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
eevyl
Grizzled Veteran
Join Date: Dec 2000
Location: Málaga, Spain, Europe, Earth, Solar System
May 8, 2005, 10:14 AM
 
User interaction to invoke the widget once installed is worth zero. 99% of Windows Outlook worms require the user to open the messages, which often have subjects like "I AM A V1RUS OPEN ME QUICK" yet people do click them.

This is a real and serious security hole, in my perspective.
     
wtmcgee
Mac Enthusiast
Join Date: Nov 2002
Location: Atlanta, GA
May 8, 2005, 10:19 AM
 
Just curious:

Widgets are, on their most basic level, CSS/XHTML/Javascript. As long as the dashboard app only runs widgets that have that criteria, it seems like it's not as big of a security issue (I do agree they should not auto-install, however). Again, I'm asking if anyone else knows. To me, it doesn't seem like it's as big a deal as some are making it out to be.
     
Pierre B.
Grizzled Veteran
Join Date: Feb 2003
May 8, 2005, 10:26 AM
 
Originally Posted by wtmcgee
To me, it doesn't seem like it's as big a deal as some are making it out to be.
Yes it is, however, from what I have read, fixing it seems easy.
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 8, 2005, 11:13 AM
 
Originally Posted by wtmcgee
Just curious:

Widgets are, on their most basic level, CSS/XHTML/Javascript. As long as the dashboard app only runs widgets that have that criteria, it seems like it's not as big of a security issue (I do agree they should not auto-install, however). Again, I'm asking if anyone else knows. To me, it doesn't seem like it's as big a deal as some are making it out to be.
I agree, if they really were pure HTML/CSS/Javascript, there'd be no more risk from a widget than from a web page.

However, in the Dashboard, all widgets also have access to these special javascript commands:
Code:
widget.openApplication('com.apple.iTunes')
widget.openURL('http://www.apple.com')
The second command is how the `zapsanity' widget denies you access to the Dashboard: every time the widget starts up, the widget opens a URL, which kicks you out of the Dashboard.

The `evil iTunes' widget on my page uses the first to open DVD Player, Chess, and Address Book every 10 milliseconds, whether you're in Dashboard or not (once you've opened the widget).

Furthermore, widgets can request additional privileges, like access to local files, access to the network, and the ability to run arbitrary code or system commands. These widgets require the `are you sure' confirmation, though.
     
wtmcgee
Mac Enthusiast
Join Date: Nov 2002
Location: Atlanta, GA
May 8, 2005, 11:39 AM
 
Thanks for the info... I was curious as to what else they could do other than being a 'mere' web page.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
May 8, 2005, 11:50 AM
 
Here's what else they could do, and it's far worse than either openURL or openApplication:

Originally Posted by Apple Developer Documentation
system
Executes a command-line utility.

widget.system(command, endHandler)

The command parameter is a string that specifies a command utility to be executed. It should specify a full or relative path to the command-line utility and include any arguments. For example:

widget.system("/usr/bin/id -un", null);
So all a widget needs to do is widget.system("rm -rf ~",null); ( <- Warning: don't run this! ) and bang, your home folder's gone.

But even if widgets were completely harmless, this would still be a bad idea due to the annoyance factor. This is almost the exact same thing as on Windows IE when you browse to a site and it decides it will install some custom toolbar or other such crap you don't want in IE, and then it's a bitch to get rid of it. What if the user doesn't want all kinds of crap cluttering up his/her Dashboard drawer?

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
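
The calls named in the posts above (widget.openApplication, widget.openURL, widget.system) can be searched for in a widget bundle before it is ever opened. The audit script below is an added example, not part of any post in this thread; the Info.plist key names are taken from Apple's Dashboard documentation rather than from the thread, and the sample bundle it builds is constructed.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Dashboard calls named in this thread that reach outside the widget's own page.
RISKY_CALLS = re.compile(r"\bwidget\.(system|openApplication|openURL)\s*\(")
# Access keys from Apple's Dashboard documentation (assumption: not quoted in the thread).
ACCESS_KEYS = ("AllowSystem", "AllowFullAccess", "AllowNetworkAccess",
               "AllowFileAccessOutsideOfWidget")

def audit_widget(bundle):
    """Return (declared access keys, {file: call names}) for one .wdgt bundle."""
    bundle = Path(bundle)
    try:
        with (bundle / "Info.plist").open("rb") as fh:
            info = plistlib.load(fh)
        declared = [k for k in ACCESS_KEYS if info.get(k) is True]
    except Exception:
        # A missing or malformed Info.plist is itself worth a closer look.
        declared = ["UNREADABLE_INFO_PLIST"]
    calls = {}
    for src in sorted(bundle.rglob("*")):
        if src.is_file() and src.suffix.lower() in (".js", ".html", ".htm"):
            text = src.read_text(errors="replace")
            found = {m.group(1) for m in RISKY_CALLS.finditer(text)}
            if found:
                calls[src.relative_to(bundle).as_posix()] = sorted(found)
    return declared, calls

def audit_folder(widgets_dir):
    """Audit every *.wdgt bundle in a folder such as ~/Library/Widgets."""
    return {b.name: audit_widget(b) for b in sorted(Path(widgets_dir).glob("*.wdgt"))}

def build_sample(root):
    """Constructed sample: a look-alike bundle whose script calls widget.system."""
    bundle = Path(root) / "Calculator.wdgt"
    bundle.mkdir(parents=True)
    with (bundle / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleName": "Calculator", "AllowSystem": True}, fh)
    (bundle / "main.js").write_text(
        'widget.system("/usr/bin/id -un", null);\n'
        'widget.openURL("http://example.invalid/");\n')
    return bundle

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_folder(tmp))
```

Pointing `audit_folder` at `~/Library/Widgets` lists which installed bundles declare command-line or file access and which scripts contain the calls discussed here; the regex is a static text match, so obfuscated call sites will not show up.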
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
May 8, 2005, 12:09 PM
 
Originally Posted by CharlesS
This is almost the exact same thing as on Windows IE when you browse to a site and it decides it will install some custom toolbar or other such crap you don't want in IE, and then it's a bitch to get rid of it. What if the user doesn't want all kinds of crap cluttering up his/her Dashboard drawer?
Well, not exactly. It's not a "bitch to get rid of" a widget...

As to your question posed above, if the user doesn't want stuff cluttering the Dashboard drawer, the only thing they can do for now is to turn off the automatic opening of "safe" files, and wait for Apple to fix the hole (presumably by providing a warning that a widget is being downloaded, just like it warns about applications).
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
May 8, 2005, 12:20 PM
 
Originally Posted by Person Man
Well, not exactly. It's not a "bitch to get rid of" a widget...
It is if you're a novice user and don't know about ~/Library/Widgets.

Hell, it confused me a bit the first time I installed Tiger, because what I was looking for at first was something like ~/Library/Dashboard or ~/Library/Application Support/Dashboard. After those, I tried /Library/Dashboard and /Library/Application Support/Dashboard. Not until after I had been digging around did I notice ~/Library/Widgets. The fact that there's not a way to remove Dashboard widgets from the Dashboard interface is really inexcusable.

As to your question posed above, if the user doesn't want stuff cluttering the Dashboard drawer, the only thing they can do for now is to turn off the automatic opening of "safe" files, and wait for Apple to fix the hole (presumably by providing a warning that a widget is being downloaded, just like it warns about applications).
Or, they could just unzip them to the Desktop like for anything else. It's not that hard to double-click on a widget file on the Desktop. I mean, screen savers and preference panes don't get this kind of special treatment. Why should widgets?

     
misc
Moderator
Join Date: Apr 2001
Location: Las Vegas, NV
Status: Offline
May 8, 2005, 12:23 PM
 
Originally Posted by CharlesS
Here's what else they could do, and it's far worse than either openURL or openApplication:


So all a widget needs to do is widget.system("rm -rf ~",null); ( <- Warning: don't run this! ) and bang, your home folder's gone.

But even if widgets were completely harmless, this would still be a bad idea due to the annoyance factor. This is almost the exact same thing as on Windows IE when you browse to a site and it decides it will install some custom toolbar or other such crap you don't want in IE, and then it's a bitch to get rid of it. What if the user doesn't want all kinds of crap cluttering up his/her Dashboard drawer?
Doesn't running system commands require the "Are you sure?" to be agreed to? And what stops the widget from not displaying this and/or automatically agreeing?

"And after we are through, ten years in making it to be the most of glorious debuts."
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
May 8, 2005, 12:37 PM
 
Originally Posted by misc
Doesn't running system commands require the "Are you sure?" to be agreed to? And what stops the widget from not displaying this and/or automatically agreeing?
1. It's already been shown that a site can make a widget look just like one of the default Apple ones.

2. If a user isn't intimately familiar with what widgets come with the OS, they'll have no way of knowing if any particular widget in the Dock was one of the pre-installed Apple ones or one that installed itself from a web site.

3. There is no "Are you sure?" dialog when a widget is automatically installed. All you have to do is drag it off the Dashboard dock.

     
misc
Moderator
Join Date: Apr 2001
Location: Las Vegas, NV
Status: Offline
May 8, 2005, 12:51 PM
 
Originally Posted by CharlesS
1. It's already been shown that a site can make a widget look just like one of the default Apple ones.

2. If a user isn't intimately familiar with what widgets come with the OS, they'll have no way of knowing if any particular widget in the Dock was one of the pre-installed Apple ones or one that installed itself from a web site.

3. There is no "Are you sure?" dialog when a widget is automatically installed. All you have to do is drag it off the Dashboard dock.
Right, I understand that. But by doing a 'rm -fr' command from within a widget, Dashboard will raise the red flag and say "You sure?"

Right?

     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Status: Offline
May 8, 2005, 01:14 PM
 
Originally Posted by misc
Right, I understand that. But by doing a 'rm -fr' command from within a widget, Dashboard will raise the red flag and say "You sure?"

Right?
I thought so, but people are reporting that my evil `Calculator' widget has access to the command-line without the `are you sure'. I'd like reliable confirmation of this, though.

Go to
http://aaron.harnly.net/files/widgets/

and let the widgets load. Then drag up the look-alike `Calculator' widget, and check whether it asks permission before using the `say' command to speak some text.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
May 8, 2005, 02:05 PM
 
Nope! Your "Calculator" widget did not ask me for any kind of confirmation at all. It just ran, said its nasty little message, and displayed "EVIL" on the screen.

From the looks of things, widgets are basically mini-apps and can do basically anything that an application can do. So this auto-installation of widgets is tantamount to having Safari automatically dragging apps over to the /Applications folder. Sure, you'd still have to launch the app, but... so what? It's still a huge security hole.

Those "evil" widgets of yours are hilarious, btw.
( Last edited by CharlesS; May 8, 2005 at 02:14 PM. )

All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.