Posted on 05/21/2005 9:59:37 PM PDT by Swordmaker
Though Apple Computer updated its latest OS this week to solve a security problem with widgets, worries persist that the small applications still pose a potentially serious risk.
Widgets, or small programs that automatically install after downloading, were introduced in Tiger for the Dashboard, which overlays the desktop. An attacker could write a malicious widget for Mac OS X 10.4 Tiger that would run invisibly in the background and hijack a user's "sudo," or administrative, privileges on a system, according to an alert distributed on the Full Disclosure mailing list late Wednesday. With administrative privileges, the attacker would have full control over the targeted Mac.
On Monday, Apple published the Mac OS X 10.4.1 update to fix an earlier security issue related to the widgets. Before the patch, widgets would download and install without warning. Patched machines display a dialog asking the user to confirm a download, but do not tell the user that confirming also installs the widget.
While the patch mitigates the risk, security issues remain with widgets, according to Jonathan Zdziarski, a software engineer and author of Wednesday's Full Disclosure posting.
"Those widgets should never be allowed to get administrative access on the system," Zdziarski said in an interview. "Apple has taken sort of the Microsoft stance with widgets, in that it is one of the few tools that is completely built into the operating system."
Zdziarski is also unhappy with how the Mac maker addressed the previous widget problem. It should be clear to users that a widget is not only being downloaded, but also installed, he said. "They terribly misworded that button. When I click 'download,' I expect to just download it. In fact, the widget is installed."
A malicious widget, after it is installed, can run in the background and wait until a time when the user logs in as administrator. It can then hijack those credentials to deliver its payload, Zdziarski said. The action could be anything from wiping a hard drive to sending the attacker the victim's list of usernames and passwords on Apple's Keychain tool, he said.
For a user to fall victim to a malicious widget, the application first needs to be installed on a Mac. That required user interaction disqualifies it as a security vulnerability, according to several responses to Zdziarski's posting on Full Disclosure.
Apple is encouraging developers to create new widgets and its Web site already lists 209 of them. Widgets are also available elsewhere on the Web.
For protection, users should download widgets only from trusted Web sites, Zdziarski suggests.
Apple declined to comment for this story.
If you want on or off the Mac Ping List, Freepmail me.
Is this for real? The link didn't work for me.
I thought Macs and their OS were immune to this sort of thing. I thought Macs were perfect. Well, at least according to my Macaholic friends.
Dashboard widgets are toys - unnecessary for system operation.
Go to http://www.konfabulator.com and you can download a windoze version. They _are_ fun to play with...
The link works for me... what happens when you try it?
I thought Macs and their OS were immune to this sort of thing. I thought Macs were perfect. Well, at least according to my Macaholic friends.
It was... but the OS10.4.1 has added a requester to approve the download/installation of Widgets. The one thing this article does not make clear is that while Widgets may be installed in the ~/Library/Widgets folder, such installation does not run them... that requires the user to start Dashboard, click on the Widget Dock expose button, and then drag the newly installed Widget onto the Dashboard to invoke it.
A malicious Widget can be easily uninstalled by removing it from the ~/Library/Widgets folder.
Macs aren't perfect... just better... ;^)>
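Since the post above points out that an installed widget sits in ~/Library/Widgets until the user invokes it, a defender can inventory that folder before anything is dragged onto the Dashboard. The script below is an added example, not code from the article or from anyone in this thread; it assumes widgets are *.wdgt bundles with an XML Info.plist, that AllowSystem and AllowFullAccess are the documented Dashboard keys that let a widget run command-line tools, and it builds constructed sample bundles so it can run offline.

```shell
# Added example, not code from the article or the thread. Lists the Dashboard
# widget bundles (*.wdgt) in a directory and flags any whose Info.plist asks for
# AllowSystem or AllowFullAccess (assumed: the documented Dashboard keys that let
# a widget run command-line tools). Assumes XML-format Info.plist files.

# Print "NAME FLAGS" for every widget bundle found under the directory given.
audit_widgets() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for w in "$dir"/*.wdgt; do
        [ -d "$w" ] || continue
        plist="$w/Info.plist"
        flags=""
        if [ -f "$plist" ]; then
            for k in AllowSystem AllowFullAccess; do
                # the boolean value follows the key, on the same or the next line
                if grep -A1 "<key>$k</key>" "$plist" | grep -q '<true/>'; then
                    flags="${flags:+$flags,}$k"
                fi
            done
        else
            flags="missing-Info.plist"
        fi
        printf '%s %s\n' "$(basename "$w" .wdgt)" "${flags:-none}"
    done
}

# Constructed sample bundles (not real Apple widgets) so the audit runs offline.
make_sample_widgets() {
    base="$1"
    mkdir -p "$base/Clock.wdgt" "$base/Suspicious.wdgt" "$base/NoPlist.wdgt"
    cat > "$base/Clock.wdgt/Info.plist" <<'EOF'
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.clock</string>
</dict></plist>
EOF
    cat > "$base/Suspicious.wdgt/Info.plist" <<'EOF'
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.suspicious</string>
<key>AllowSystem</key><true/>
<key>AllowFullAccess</key>
<true/>
</dict></plist>
EOF
}

# Demo: audit the constructed sample, then the real per-user widget folder.
sample=$(mktemp -d)
make_sample_widgets "$sample"
audit_widgets "$sample"
audit_widgets "$HOME/Library/Widgets"
```

A widget reported as "none" still runs JavaScript inside Dashboard; the flags only show which bundles have asked for the ability to execute system commands, which is the capability the article's scenario depends on.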
Link? What link? Are we talking about the link to the CNET article?
Anyway, I think this story is extremely misleading, so much so I wonder if it is intentional. Widgets do not download, install themselves and run without the intervention of the user.
It's that simple. Nobody is all of a sudden going to find that a widget has been surreptitiously slipped into their system by a malicious website and invoked all without the awareness of the user. I'd call it a crock. In fact I think I will.
A few years back Microsoft paid 'researchers' for white papers claiming open-source was a bad idea. Wonder if the so-called expert referenced in the article is being paid by Microsoft.
Perfect, no.
Far better than the alternatives, yes.
I just installed Tiger, and so far I really like Dashboard. The key to me is that it's an application you can keep on the dock and activate whenever you want it. I like that far better than having my widgets on the desktop, Konfabulator's approach.
When I download a Widget, it does not automatically get added to the list of widgets that are active on the dashboard. So no, you cannot download and install a widget by accident.
I would agree that you should not download widgets from an untrusted source, but that's true of any program.
D
So far I like them. The Hula Girl is eye-candy... but I found the translator to be useful. I received an e-mail in Cyrillic Russian... pasted the message into the translator and got back an instant English translation. Now that's neat.
The Doppler Radar Widget is neat on rainy days... instant Doppler radar images from the closest weather station... cool.
Naa, the only people who ever seem to hear anyone say Macs are perfect are Windows users with OS envy... Every Mac user I know does not think the OS is perfect, just better than Windows...