toggle

AAPL Stock: 502.21 ( + 4.54 )

MacNN News

Developer demos 'exploit' in Tiger's Dashboard

updated 08:05 am EDT, Mon May 9, 2005

Tiger Dashboard exploit

One developer claims to have found a in Apple's new Tiger operating system. According to his website, Apple's highly touted Dashboard technology, found in the new version of Mac OS X 10.4, has a security vulnerability that could cause malicious third-party sites to auto-install a Widget, a small program designed to display Internet content on the desktop. "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer." The author says it is a demonstration "how easy it is to exploit Dashboard for nefarious purposes." A subsequent discussion by the author outlines other "more evil" exploits of the security hole. Warning: the site will auto-install the 'zaptastic' widget and will require manual removal.

by MacNN Staff

(25)

TAGS :

troubleshooting

Share the Article

Facebook Twitter Delious Slash Dot Digg

toggle

Comments

lysolman
Fresh-Faced Recruit

Joined: May 2005

0

05/09, 08:40am | report spam | close Reply |
Reaaaallly

Hey this sounds awful, except...

1. Turn off automatic open in safari 2. Safari tells you that you're about to open an application, "Do you want to open this?"

Other than that, I can see that it's a problem.

FeralCat
Fresh-Faced Recruit

Joined: Feb 2005

0

05/09, 08:45am | report spam | close Reply |
Re: turning off auto open

"1. Turn off automatic open in safari 2. Safari tells you that you're about to open an application"

Yep, and you'll get the added benefit of not auto-opening PDFs, QuickTime movies and other content that you really _do_ want to auto-open. Apple clearly needs to fix Safari so that it won't auto-launch spyware Dashboard widgets.

ThisGuy
Mac Elite

Joined: Oct 2001

0

05/09, 08:47am | report spam | close Reply |
That's it...

I'm switching to Windows. It is much more secure. Nothing like this ever happens on XP while I'm using Dashboard and IE. Ever.

WyvernSpirit
Fresh-Faced Recruit

Joined: Feb 2001

0

05/09, 09:24am | report spam | close Reply |
re: Re: turning off auto

"Yep, and you'll get the added benefit of not auto-opening PDFs, QuickTime movies and other content that you really _do_ want to auto-open. Apple clearly needs to fix Safari so that it won't auto-launch spyware Dashboard widgets."

Is that new to Safari 2? I haven't turned auto launch off on tiger yet, but I did on panther. I had a plugin for pdfs, which would launch the pdf in the browser window, and quicktime opened in the browser as expected, even with auto launch off. I guess I'll need to check out safari 2 to see if they took that ability away.

ecrelin
Junior Member

Joined: Oct 2000

0

05/09, 09:37am | report spam | close Reply |
Big bug�

I was a little perplexed when I downloaded the TV widget and it auto installed, I thought the download broke because it dutifully warned me that I was downloading and application but it wasn't on my desktop when done. After the second download I checked and sure enought it was already installed. A bad model. Safari shouldn't be able to auto open an application and the system should not allow ANY download to autoinstall. Let's see what they do with this in 10.4.1, hopefully real soon.

budster101
Baninated

Joined: Dec 2004

0

05/09, 09:37am | report spam | close Reply |
His website

actually loads the widget? WTF... Why would he do that?

legacyb4
Mac Elite

Joined: May 2001

0

05/09, 09:49am | report spam | close Reply |
S.O.P

Doesn't Microsoft make a big ballyhoo when developers like this post claims of security holes to the public without giving them sufficient time to "review" these sorts of issues before making public these issues?

Guess standard procedures don't apply to Apple...

Feathers
Grizzled Veteran

Joined: Oct 1999

0

05/09, 09:54am | report spam | close Reply |
Blind Link

Gee, so nice of MacNN to warn us without mentioning the site or developer by name so we can avoid their (unecessary) little demonstration, or perhaps protect the developer from an instant denial of service assault from "grateful" Macusers. C'mon MacNN don't filter the facts, leave that to Condeleeza Rice.

rok
Fresh-Faced Recruit

Joined: Mar 1999

0

05/09, 09:55am | report spam | close Reply |
zaptastic et al.

as much as i want to love dashboard, now that i have finally gotten a chance to work/play with it, the more i realize that it's SO different than anything apple has tried to do before. good different? bad different? just different. and there is no way that a basic user will know to turn off "auto open safe files" in safari, and while i DO like being able to OPEN safe files like pdfs, i do NOT like items auto INSTALLED like this. plus, apple doesn't make it very easy to remove widgets. go ahead, look in apple help. it says you can't remove or reorder widgets. well, that's not true of course (just look inside library/widgets), but don't you think a basic user will trust help to be telling it the truth? i just do not understand why apple has not given any sort of easy gui way of deleting widgets, like an option-drag out of the dashboard dock or something.

like i said, it's different. different enough to confuse long-time users (i have never had anything on a mac auto-INSTALL like widgets do from an internet download... i, too, was look for the download on my desktop), and, in an attempt for transparency, really made it hard for basic users to figure out how to backtrack if they make a mistake.

Feathers
Grizzled Veteran

Joined: Oct 1999

0

05/09, 09:58am | report spam | close Reply |
Not HTF

Okay, so it's not hard to find (or avoid): www.stephan.com/

testudo
Fresh-Faced Recruit

Joined: Aug 2001

0

05/09, 10:05am | report spam | close Reply |
Auto-open

1. Turn off automatic open in safari 2. Safari tells you that you're about to open an application, "Do you want to open this?"

Well, when I turn off "Automatically open safe files", clicking a link just downloads it. I don't get asked questions like "Do you want to open this". That sounds plain stupid (I turned off auto-open the second time I used Safari, the first time I didn't realize it was on until I noticed a DMG had mounted, and I apparently was too stupid to figure out how to turn it off until I asked someone).

I've never liked auto-open, but mainly because I multi-task when browsing. I generally am downloading several things in a session, but don't plan using them/checking them out until later. So I have no desire for 16000 mounted images waiting for me to run some installer.

Other than that, I can see that it's a problem.

Well, other than that, I see that (a) its allowing you to open a file that can do direct damage to your computer, which it won't let you do, say, for an app, or a shell script (it won't for a shell script, right?), and (b) that Apple seems to think that any file should be opened automatically. "Safe" to apple is basically any file that you've already told OS X that you want to open, and with what app. It doesn't matter whether its from the internet or from your hard drive.

BTW, turning off auto-update only stops the malware, but not the trojans (i.e. you double-clicking a widget because you think it'll be good). No way around that.

testudo
Fresh-Faced Recruit

Joined: Aug 2001

0

05/09, 10:17am | report spam | close Reply |
More auto-open

Yep, and you'll get the added benefit of not auto-opening PDFs, QuickTime movies and other content that you really _do_ want to auto-open. Apple clearly needs to fix Safari so that it won't auto-launch spyware Dashboard widgets.

Nope. Most files like PDFs and QT movies are controlled and displayed via plug-ins. If you don't have a PDF plug-in, then, yes, it will prevent them from launching. [However, I'm one of those weird people who hate the PDF plug-ins. I always forget I'm in the browser, and invariably close the window when I'm finished looking at the PDF.]

BTW, does anyone know if the same sort of thing could be done with Word (that is, going to a page auto-downloads a word file, which in turn launches word, which in turn runs some Macro, which in turn wipes your user directory].

Oh, one other huge problem with this. WTF is this whole "downloads the widget when you go to the web page" thing? I thought browsers were supposed to be secure, as in not letting a web-page do things like download files to your computer without you specifically clicking a link or OK'ing the action.

BTW, I consider this a 100% Safari issue. Dashboard theoretically is working in its own local world, there just needs to be safeguards against the outside world accessing it directly. That's where safari comes in.

To me, this is just another example of how Apple is becoming more and more like MS. They spend too much time on whiz-bang, and no time on security (or even thinking about security). In fact, part of the blame probably goes squarely on the fact there's no communication between groups working on different tasks (this also bears in mind because apparently iPhoto moved some of their files around, but Backup doesn't know about it yet). Someone needed to inform the Safari folks about Dashboard, the problems involved, and what needed to be handled for security.

Their argument (while partly correct) will most likely be "We do such and such to give the user the best user experience possible within the bounds of trying to stay secure", for while I agree with some of the complaints, I also think some of the solutions (force users to download then find files, launch them separately) makes the user's experience downright irritating. But it would be nice if Apple showed at least a little sign of looking at software and saying "OK, now that we've got a design, and know how this is going to work, let's spend a week coming up with all the ways this is going to cause vulnberablities.

I also want to know where the h*** were all the beta-testers and 3rd-party developers for the last year. Doesn't anyone think of these things before release?

bfalchuk
Fresh-Faced Recruit

Joined: Jul 2003

0

05/09, 10:17am | report spam | close Reply |
What does it do?

Does anyone know what this stupid thing does? I'm curious, but don't feel like testing it out.

denim
Mac Elite

Joined: Jun 2000

0

05/09, 10:19am | report spam | close Reply |
What's so different?

This is just a new kind of Desk Accessory. Are you people such newbies that you don't remember DAs?

technohedz
Fresh-Faced Recruit

Joined: Jul 2000

0

05/09, 10:35am | report spam | close Reply |
The safari app warning

ever notice that the safari app warning for widgets doesn't occur for all widgets? I don't mind the auto-install so much. Just like Konfabulator, you can run commands etc from the widgets, but you have to launch them. The application warning itself bothers me anyways. It's more of a reason to turn off 'safe' file opening to begin with (where's the 'don't ask me again button'?) The majority of desk accessories were done and pretty much stuck around. Now they're pretty much back with some extras. Apple has their own site for downloading widgets so you hope that's trustsed and reviewed code. If you don't know exactly what it does and/or don't know enough about the author to trust them, then don't run the widget. Learn how to make them yourself.

Automator, Dashboard, Smart Folders, Applescript, and all the other easy languages in 10.4 bring back progamability to the macintosh in a big way.

Sooner or later the average user will figure out that the library in their directory is where stuff gets stored. We're pretty stable on where things are supposed to go and how they should be written w/ 10.4 and it shouldn't change in a major way. It's not like the old 10. beta and up days of Mac OS X being a "Moving Target". Sure there are some inconsistancies, ex: why aren't all backups of mass storage stored in one location?, but those will get filled in and hopefully Apple will stop letting developers scatter things all over so that proper program design gets followed.

Securitywise here is were we are: No good virus scanner, auto-installation of widgets with no firstrun warning (although I'm not about to try the rm -rf * one), trusted sources limited to vendors and user not coder review. Under the hood there are some improvements so we're in a little better place than we were in 10.3 and a h*** of a lot better place than anyone running windows. Just be careful what you do and install. If it asks for your password at least check the file list.

testudo
Fresh-Faced Recruit

Joined: Aug 2001

0

05/09, 10:48am | report spam | close Reply |
Re: what and what

Does anyone know what this stupid thing does? I'm curious, but don't feel like testing it out.

I believe its a proof-of-concept, so I doubt it does much but show how, by going to the site, the widget will auto-download and install. You still have to open it, but being that its in the dashboard dock, you probably will at some point, just to see what it is (people are like that).

This is just a new kind of Desk Accessory. Are you people such newbies that you don't remember DAs?

Sure, I remember DAs. I also remember that you needed to use the Font/DA Mover to install a new DA, it wouldn't install automatically (pre-system 7), or that you had to manually copy the DA to your Apple Menu folder. I don't recall them auto-installing.

But these are NOT just a new kind of DA. The only connection to DAs is that they're supposed to be small apps. But DAs would work within the current programs application/memory space. They could be accessed and dealt with while working. Dashboard widgets work on their own layer, needing to be brought forward to be displayed, then hidden to get back to work. Which means if you're working on a document and need to do some calculations, you can't just move the calculator to the right, start typing in your document, and when you need it, just read-off the calculator's result and type it into the document. You'll need to (a) activate dashboard, (b) read and remember the result, or copy it (assuming you don't mind losing what's in the clipboard), (c) hide dashboard, and (d) paste or type in the calculator value. Yeah, so much like DAs that I can't believe they didn't call it "Assistant DA".

The only thing its good for, to me at least, are programs that you only run occasionally stand-alone (without need to interact with another program), but want it accessible AND out of the way. Which might be weather (to some people), stock quotes (although if you actually care enough what the price of a stock is at any time, you probably want to know it ALL the time, so you're not missing any ups/downs), maybe a dictionary/thesaurus. But stickies need to be visible (in my opinion, you wouldn't right a bunch of regular stickies and shove them into a pile in a drawer, would you?), calculator (at times), activity monitor (I saw a complaint about an activity monitor, person thought it was immensely cool and useful, until he realized that you couldn't see it all the time, so, what, you need to bring up dashboard every five minutes to see if you have a run-away process?), etc.

I see it as nothing more than something for Apple to tout/hype. Its usefulness is probably limited to most users (as is Expose, which most people probably don't use).

mprewitt99
Fresh-Faced Recruit

Joined: May 2005

0

05/09, 11:10am | report spam | close Reply |
Interesting

This is funny in a way, because just this morning I was thinking about the benefits of a .Mac subscription, which got me to thinking about Virex, which got me to thinking about the fact that there are no Mac viruses, which led to think when something would be added to OS X accidentally that would enable virus-like infection ... and I conjectured that the new Dashboard feature would be the first to allow such activity. Not that this particular exploit is a virus. And I'm not saying that a .Mac subscription or Virex would protect anyone from such exploits. Anyway, just an interesting coincidence for me.

beeble
Fresh-Faced Recruit

Joined: Mar 2004

0

05/09, 11:22am | report spam | close Reply |
auto open

I've had auto open off since installing tiger and I can view QT and PDF content just fine. The auto open feature relates to downloaded files. If it's on, basically when the download finishes it, Safari double clicks the file for you. If it's a dmg, it tells you that the dmg has an application in it and asks you if you want to mount it (security against any nasty automount installer scripts). For the most part, it's a good system but something needs to be done about both ends of this problem.

Safari needs to ask you before it moves a widget to the dashboard every time, especially when it's been downloaded via a meta tag rather than clicking on a download link which would cause the download manager window to display and do it's thing. Alternatively, just disable the auto install ability when the widget/any other file is downloaded via a meta tag.

There needs to be an addition to the dashboard pref pane to include a manager capability. A simple list of widgets with a checkbox to turn them on and off would suffice. When the pref pane closes, send a message to dashboard to reload it's little browser with the new set of widgets, or even do it as each checkbox is turned on or off so that when you open dashboard while in the pref pane, you can see you changes have taken immediate effect. Lastly, have the ability to select a widget in this list and click a delete button. Second lastly, have the ability to drag a widget from the finder into this list to have it install in the Library folder. Since most mac users wouldn't know what to do with the Library folder, it seems like common sense to me to keep them out of it if possible.

my 2c.

Cf
Fresh-Faced Recruit

Joined: Jan 2002

0

05/09, 12:33pm | report spam | close Reply |
was bound to happen

it was the second thought after hearing about dashboard. my first thought was about how the konfabulator people would react. makes me wonder if the same thing could be done with konfabulator widgets as well.

Nostromo
Fresh-Faced Recruit

Joined: Oct 2001

0

05/09, 12:55pm | report spam | close Reply |
Dashboard

Oops...looks like I spoke too soon:

http://www.versiontracker.com/dyn/moreinfo/macosx/26627

So there IS a way to have individual DB widgets on screen all the time. How long before Apple incorporates this into DB?

Nostromo
Fresh-Faced Recruit

Joined: Oct 2001

0

05/09, 01:13pm | report spam | close Reply |
DB letdown

[My earlier post of this got eaten up somehow...]

"Dashboard widgets work on their own layer, needing to be brought forward to be displayed, then hidden to get back to work...I can't believe they didn't call it "Assistant DA".

Amen, brother. It was a big letdown when I realized this, as I had thought that DB (along with Spotlight) would be one of the killer features of Tiger. I did find something called Amnesty (link posted above) that lets you have DB widgets on screen all the time. This, coupled with Widget Manager:

http://www.versiontracker.com/dyn/moreinfo/macosx/26692

actually makes DB worth using.

"I see it as nothing more than something for Apple to tout/hype. Its usefulness is probably limited to most users (as is Expose, which most people probably don't use)."

I have to disagree with you, there. On our campus Expose is THE one killer feature in Panther that has people wowed -- esp. faculty, who tend to have 5-6 apps open at once with 3-5 windows open in each. I use it many many many times a day.

But you're absolutely correct about DB being just another bullet point in Apple's Keynote presentations meant to wow people. But hey, DB is only version 1.0 (or whatever...there's no .app icon to Get Info on). Let's see what DB is like come OS X 10.4.5...I'm sure a lot of our gripes will be addressed (and I'm sure they'll give us new reasons to gripe!).

testudo
Fresh-Faced Recruit

Joined: Aug 2001

0

05/09, 01:20pm | report spam | close Reply |
Re: DB letdown

But you're absolutely correct about DB being just another bullet point in Apple's Keynote presentations meant to wow people. But hey, DB is only version 1.0 (or whatever...there's no .app icon to Get Info on). Let's see what DB is like come OS X 10.4.5...I'm sure a lot of our gripes will be addressed (and I'm sure they'll give us new reasons to gripe!).

My only gripe on the v1.0 comment is that Apple has a severe history of including features in OS X, then just ignoring them. Sherlock, for example.

tabarnak
Fresh-Faced Recruit

Joined: Jan 2003

0

05/09, 01:30pm | report spam | close Reply |
oh no!!

how can they do that to apple?? :( :( :(

NormaJeanMonster
Fresh-Faced Recruit

Joined: Mar 2002

0

05/09, 07:00pm | report spam | close Reply |
French Version?

Hope it comes with a bar of soap and directions for its use (in French of course)

resuna
Fresh-Faced Recruit

Joined: Jan 2005

0

05/11, 06:46pm | report spam | close Reply |
Copied from Palm!

Both Dashboard and Konfabulator widgets are basically "canned" web pages. Palm came up with this idea on the Palm VII to deal with the low bandwidth available on palm.net. They had these little canned weblets called "PQAs" that looked more like Palm apps than web pages, that you could bring up and page around in and run queries from without having to download the pages until you actually did the query.

Show More Comments

Login Here

toggle

Network Headlines

02/16	SumOfUs criticizes FLA head, plans...
02/16	Safari 5.2, Xcode 4.4 seeds reach developers...
02/16	Mountain Lion updates to be funneled...
02/16	Apple shifts schedules for OS X updates...
02/16	Cook sees merging of notebooks, tablets...

Show All

02/16	Cook sees merging of notebooks, tablets...
02/16	Apple claims backing for rights to...
02/16	Intel may push Ivy Bridge back to June...
02/16	Ex-Olympus President, other execs,...
02/15	Sony completes Ericsson stake buyout...

Show All

02/16	Cook sees merging of notebooks, tablets...
02/15	Apple upgrades iBookstore with screenshots...
02/15	Congress asks Apple to answer questions...
02/14	Apple attempting to disrupt Siri hacks...
02/14	Readability iOS app delayed, Android...

Show All

02/16	Garmin nuvi 4.3-inch Portable GPS Navigator...
02/15	Monster iCarPlay Wireless FM Transmitter...
02/14	Refurb. 16GB iPhone 4, now only $259...
02/13	Refurb. Flip UltraHD Pocket Digital...
02/10	$380 off refurbished 2.8GHz Mac Pro...

Show All

toggle

Developer demos 'exploit' in Tiger's Dashboard

updated 08:05 am EDT, Mon May 9, 2005

Tiger Dashboard exploit

Reaaaallly

Re: turning off auto open

That's it...

re: Re: turning off auto

Big bug�

His website

S.O.P

Blind Link

zaptastic et al.

Not HTF

Auto-open

More auto-open

What does it do?

What's so different?

The safari app warning

Re: what and what

Interesting

auto open

was bound to happen

Dashboard

DB letdown

Re: DB letdown

oh no!!

French Version?

Copied from Palm!

Login Here

Register for our weekly email newsletter:

Connect tools:

Subscribe

to our RSS

Follow us

on Twitter

10 Most Read

10 Most Discussed

MacNN Marketplace

Developer demos 'exploit' in Tiger's Dashboard

updated 08:05 am EDT, Mon May 9, 2005

Tiger Dashboard exploit

Related Articles

Recent Articles

Reaaaallly

Re: turning off auto open

That's it...

re: Re: turning off auto

Big bug�

His website

S.O.P

Blind Link

zaptastic et al.

Not HTF

Auto-open

More auto-open

What does it do?

What's so different?

The safari app warning

Re: what and what

Interesting

auto open

was bound to happen

Dashboard

DB letdown

Re: DB letdown

oh no!!

French Version?

Copied from Palm!

Login Here

Register for our weekly email newsletter:

Connect tools:

Subscribe

to our RSS

Follow us

on Twitter

10 Most Read

10 Most Discussed

MacNN Marketplace