toggle

AAPL Stock: 431.77 ( -0.23 )

http://www.macnn.com/articles/05/05/23/dashboard.security/

Security risk remains, Apple takes "Microsoft stance"

updated 08:45 am EDT, Mon May 23, 2005

 

Dashboard security


Despite a recent patch to address a security exploit involving Dashboard widgets, with the Mac OS X feature, software engineer Jonathan Zdziarski says. By allowing widgets to run with "sudo privileges," Apple has taken a "Microsoft stance" to security. "Those widgets should never be allowed to get administrative access on the system," Zdziarski said in an interview. "It is one of the few tools that is completely built into the operating system." A malicious widget, after it is installed, can run in the background and wait until a time when the user logs in as administrator. It can then hijack those credentials to deliver its payload, Zdziarski said. The Mac OS X 10.4.1 update adds a confirmation message for widget downloads, but does not change the potential for a malicious widget if downloaded, Zdziarski says.


by MacNN Staff

Post tools:

TAGS :

 industry

Related Articles

Recent Articles

toggle

Comments

  1. macimmortal

    Fresh-Faced Recruit

    Joined: Aug 2001

    0
    05/23, 09:13am | report spam | Reply |

    I agree

    Apple needs to figure this out and fast.

  1. resuna

    Fresh-Faced Recruit

    Joined: Jan 2005

    0
    05/23, 09:28am | report spam | Reply |

    Not even the big problem

    Everyone has overhyped the whole "sudo" thing beyond belief. It is neither the overwhelming protection against malware that some Apple fans claim it is, nor is it a huge security hole like some traditional UNIX people have been arguing.

    Meanwhile the REAL problem, that (a) Safari considers the Dashboard "safe" when it's no such thing, and (b) Apple still has Safari set to default to "open safe files after download". A browser should never automatically open an untrusted document except using an application that has at least as tight a sandbox as Safari itself, which means pretty much any normal desktop app is out of the question... let alone things like installers!

    And popping up a dialog box is not a solution. Microsoft's proven that.

  1. macFanDave

    Fresh-Faced Recruit

    Joined: Nov 2000

    0
    05/23, 09:34am | report spam | Reply |

    Risks=Holes?!

    It's funny how theoretical risks for Mac somehow rise to the level of journalistic alarm that widely-expolited Windows holes do. I've seen more hysterical screed over possible widget problems than over the Sober.Q worm which has already sent my PC at work 3 or 4 German hate mail spams.

    I guess bias doesn't just come in only liberal/conservative flavors anymore!

    If anyone practiced minimally safe computing, the widget problem would be moot. I have an Administrator account for my Mac (and any Mac should have one and only one) and a User account for each member of my family that uses it, including me. A User account is one that is set up with the "Allow user to administer this computer" option TURNED OFF.

    I work in the User account 99% of the time and usually my Admin account isn't even logged in. Sure, it is a bit of a hassle to log in to Admin when I need to do some system-level tasks, but the peace of mind is a good trade-off.

    I put my Widgets in my ~/Library/Widgets folder, not the system-wide /Library/Widgets one (my wife wouldn't be interested in my widgets, and if she is, she can have her own copy.) The cool thing about this plan is that A USER ACCOUNT CAN"T ACCESS SUDO, so even if you stupidly download and install a malicious widget, it gets "permission denied" on its first move to destroy your system.

    I've been trying to get people to have separate Admin and User accounts since OS X arrived in 2001. This might help some people finally take the leap into Unix-style security.

  1. resuna

    Fresh-Faced Recruit

    Joined: Jan 2005

    0
    05/23, 09:58am | report spam | Reply |

    But they don't...

    "If anyone practiced minimally safe computing, the widget problem would be moot."

    No, that's not true. What's true is:

    "If EVERYONE practiced minimally safe computing, the widget problem would be moot."

    Now how likely do you think that is? You might as well say:

    "If I WAS KING OF THE WORLD, the widget problem would be moot."

    And on top of that, even if you never log in to an admin account (which isn't like a UNIX root account, it's like a normal UNIX user account that's in the sudoers file... which is considered a reasonable thing for UNIX admins to do), a rogue widget can still s**** you over in so many ways that the slight protection from making it a little harder for it to get root access is pretty much irrelevant.

    The real problem is that people are being told that Dashboard has a sandbox. Dashboard doesn't have a sandbox, any mor ethan Internet Explorer does, because a sandbox with a hole in it isn't a sandbox at all. A dashboard widget is no different than an Applescript plug in for iTunes. It should simple be treated like ANY OTHER APPLICATION by the browser, rather than some kind of "safe" file.

  1. piracy

    Mac Elite

    Joined: Mar 2001

    0
    05/23, 10:11am | report spam | Reply |

    Argh

    The widget problem ALREADY IS MOOT.

    Are you people dense?

    The ONLY ISSUE before was that a widget could be surreptitiously downloaded AND "installed" without a user's express and explicit knowledge, and because of the order that widgets are loaded and presented (e.g., ~/Library/Widgets before /Library/Widgets) it would be possible to, for example, make the malicious widget appear to "masquerade" as one of Apple's pre-installed widgets.

    THAT was the danger.

    Now that when "Open 'safe' files after downloading" is checked (the default) the user is prompted, the issue is COMPLETELY MOOT. HTTP META REFRESH (allowing something like an auto-download) is supported on all browsers on all platforms, so that isn't a risk. The only "risk" came from the fact that the widget was AUTOMATICALLY MOVED to ~/Library/Widgets, as I noted above. Now, that behavior is prevented.

    As of 10.4.1, a malicious widget is NO DIFFERENT from a malicious application: it has to be downloaded AND explicitly, deliberately run. And it IS being treated the same as any other application: you are warned, as you now are for ANY OTHER APPLICATION.

  1. jhorvatic

    Fresh-Faced Recruit

    Joined: Apr 2005

    0
    05/23, 11:20am | report spam | Reply |

    RIsk is Moot

    I agree with the last post. You now must give it permission to install the Widget before anything malicious can be done. Know what you are downloading and where you are downloading from before you install a widget. It can't be done automatically so Apple did address the security risk with 10.4.1.

  1. chas_m

    Moderator

    Joined: Aug 2001

    0
    05/23, 11:22am | report spam | Reply |

    The basic problem ...

    ... is that PC security dolts think that Mac users are as dumb as PC users.

  1. JeffHarris

    Fresh-Faced Recruit

    Joined: Oct 1999

    0
    05/23, 11:49am | report spam | Reply |

    Apple = Microsoft?

    Talk about a FUD-fest!

    I see little resemblance between the two.

    Apple actually responds to user and industry security warnings and REPAIRS whatever security holes are discovered in Mac OS X.

    On the other hand, the industry, users and Microsoft KNOW that every flavor of Windows is riddled with bugs and security holes. And what does Microsoft do? They release their Legion of Shills to badmouth Apple.

    Good try MS, we won't buy it! Either Windows OR your bullshit!

  1. Drakino

    Grizzled Veteran

    Joined: Apr 2001

    0
    05/23, 02:50pm | report spam | Reply |

    Really no more risk

    From the article "For protection, users should download widgets only from trusted Web sites, Zdziarski suggests"

    You know, kinda like saying you should only download software from trusted web sites. Widgets are fine the way they are. I see the same risk in widgets I see in any other software. And the only way to secure software 100% is to not allow it to run at all. Who here wants to be stuck only with the applications Apple releases?

    Simple truth. Don't run things you don't trust. Someone wanting to do harm to a system can just as easially use XCode to make a real app instead of a widget.

  1. testudo

    Forum Regular

    Joined: Aug 2001

    0
    05/23, 04:14pm | report spam | Reply |

    sudo

    The guy says Those widgets should never be allowed to get administrative access on the system

    But why should these be treated differently than any other program on your computer? I mean, if I download an app, why should that be allowed to get admin access, but that a widget, "OMG, no, not a widget! Aiiiieeeee! Security risk!!!!!!!!!!!!!"

Show More Comments

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Logitech FabricSkin Keyboard Folio for iPad

Since the fourth-generation iPad didn't evolve much over its predecessor, the market for iPad accessories has remained somewhat static ...

Huawei Ascend Mate

The Huawei Ascend Mate is a phone that fits the screen-size gap between the 4 to 5-inch smartphone and the seven-inch or more tablet, ...

MaxUpgrades MaxConnect for 2006-2008 Mac Pro

Nobody outside of Cupertino's privileged bunch knows the future of the Mac Pro line for sure. Despite Apple's reluctance to tell us wh ...

toggle

Most Commented

 

Popular News