AAPL Stock: 121.3 ( -1.07 )

Printed from

Security risk remains, Apple takes \"Microsoft stance\"

updated 08:45 am EDT, Mon May 23, 2005

Dashboard security

Despite a recent patch to address a security exploit involving Dashboard widgets, with the Mac OS X feature, software engineer Jonathan Zdziarski says. By allowing widgets to run with "sudo privileges," Apple has taken a "Microsoft stance" to security. "Those widgets should never be allowed to get administrative access on the system," Zdziarski said in an interview. "It is one of the few tools that is completely built into the operating system." A malicious widget, after it is installed, can run in the background and wait until a time when the user logs in as administrator. It can then hijack those credentials to deliver its payload, Zdziarski said. The Mac OS X 10.4.1 update adds a confirmation message for widget downloads, but does not change the potential for a malicious widget if downloaded, Zdziarski says.

by MacNN Staff





  1. macimmortal

    Joined: Dec 1969


    I agree

    Apple needs to figure this out and fast.

  1. resuna

    Joined: Dec 1969


    Not even the big problem

    Everyone has overhyped the whole "sudo" thing beyond belief. It is neither the overwhelming protection against malware that some Apple fans claim it is, nor is it a huge security hole like some traditional UNIX people have been arguing.

    Meanwhile the REAL problem, that (a) Safari considers the Dashboard "safe" when it's no such thing, and (b) Apple still has Safari set to default to "open safe files after download". A browser should never automatically open an untrusted document except using an application that has at least as tight a sandbox as Safari itself, which means pretty much any normal desktop app is out of the question... let alone things like installers!

    And popping up a dialog box is not a solution. Microsoft's proven that.

  1. macFanDave

    Joined: Dec 1969



    It's funny how theoretical risks for Mac somehow rise to the level of journalistic alarm that widely-expolited Windows holes do. I've seen more hysterical screed over possible widget problems than over the Sober.Q worm which has already sent my PC at work 3 or 4 German hate mail spams.

    I guess bias doesn't just come in only liberal/conservative flavors anymore!

    If anyone practiced minimally safe computing, the widget problem would be moot. I have an Administrator account for my Mac (and any Mac should have one and only one) and a User account for each member of my family that uses it, including me. A User account is one that is set up with the "Allow user to administer this computer" option TURNED OFF.

    I work in the User account 99% of the time and usually my Admin account isn't even logged in. Sure, it is a bit of a hassle to log in to Admin when I need to do some system-level tasks, but the peace of mind is a good trade-off.

    I put my Widgets in my ~/Library/Widgets folder, not the system-wide /Library/Widgets one (my wife wouldn't be interested in my widgets, and if she is, she can have her own copy.) The cool thing about this plan is that A USER ACCOUNT CAN"T ACCESS SUDO, so even if you stupidly download and install a malicious widget, it gets "permission denied" on its first move to destroy your system.

    I've been trying to get people to have separate Admin and User accounts since OS X arrived in 2001. This might help some people finally take the leap into Unix-style security.

  1. resuna

    Joined: Dec 1969


    But they don't...

    "If anyone practiced minimally safe computing, the widget problem would be moot."

    No, that's not true. What's true is:

    "If EVERYONE practiced minimally safe computing, the widget problem would be moot."

    Now how likely do you think that is? You might as well say:

    "If I WAS KING OF THE WORLD, the widget problem would be moot."

    And on top of that, even if you never log in to an admin account (which isn't like a UNIX root account, it's like a normal UNIX user account that's in the sudoers file... which is considered a reasonable thing for UNIX admins to do), a rogue widget can still s**** you over in so many ways that the slight protection from making it a little harder for it to get root access is pretty much irrelevant.

    The real problem is that people are being told that Dashboard has a sandbox. Dashboard doesn't have a sandbox, any mor ethan Internet Explorer does, because a sandbox with a hole in it isn't a sandbox at all. A dashboard widget is no different than an Applescript plug in for iTunes. It should simple be treated like ANY OTHER APPLICATION by the browser, rather than some kind of "safe" file.

  1. piracy

    Joined: Dec 1969



    The widget problem ALREADY IS MOOT.

    Are you people dense?

    The ONLY ISSUE before was that a widget could be surreptitiously downloaded AND "installed" without a user's express and explicit knowledge, and because of the order that widgets are loaded and presented (e.g., ~/Library/Widgets before /Library/Widgets) it would be possible to, for example, make the malicious widget appear to "masquerade" as one of Apple's pre-installed widgets.

    THAT was the danger.

    Now that when "Open 'safe' files after downloading" is checked (the default) the user is prompted, the issue is COMPLETELY MOOT. HTTP META REFRESH (allowing something like an auto-download) is supported on all browsers on all platforms, so that isn't a risk. The only "risk" came from the fact that the widget was AUTOMATICALLY MOVED to ~/Library/Widgets, as I noted above. Now, that behavior is prevented.

    As of 10.4.1, a malicious widget is NO DIFFERENT from a malicious application: it has to be downloaded AND explicitly, deliberately run. And it IS being treated the same as any other application: you are warned, as you now are for ANY OTHER APPLICATION.

  1. jhorvatic

    Joined: Dec 1969


    RIsk is Moot

    I agree with the last post. You now must give it permission to install the Widget before anything malicious can be done. Know what you are downloading and where you are downloading from before you install a widget. It can't be done automatically so Apple did address the security risk with 10.4.1.

  1. chas_m



    The basic problem ...

    ... is that PC security dolts think that Mac users are as dumb as PC users.

  1. JeffHarris

    Joined: Dec 1969


    Apple = Microsoft?

    Talk about a FUD-fest!

    I see little resemblance between the two.

    Apple actually responds to user and industry security warnings and REPAIRS whatever security holes are discovered in Mac OS X.

    On the other hand, the industry, users and Microsoft KNOW that every flavor of Windows is riddled with bugs and security holes. And what does Microsoft do? They release their Legion of Shills to badmouth Apple.

    Good try MS, we won't buy it! Either Windows OR your bullshit!

  1. Drakino

    Joined: Dec 1969


    Really no more risk

    From the article "For protection, users should download widgets only from trusted Web sites, Zdziarski suggests"

    You know, kinda like saying you should only download software from trusted web sites. Widgets are fine the way they are. I see the same risk in widgets I see in any other software. And the only way to secure software 100% is to not allow it to run at all. Who here wants to be stuck only with the applications Apple releases?

    Simple truth. Don't run things you don't trust. Someone wanting to do harm to a system can just as easially use XCode to make a real app instead of a widget.

  1. testudo

    Joined: Dec 1969



    The guy says Those widgets should never be allowed to get administrative access on the system

    But why should these be treated differently than any other program on your computer? I mean, if I download an app, why should that be allowed to get admin access, but that a widget, "OMG, no, not a widget! Aiiiieeeee! Security risk!!!!!!!!!!!!!"

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

HP 14-x030nr 14-inch Chromebook

If you're like us, chances are you've come to realize that you need the ability to access the Internet on the go. Also, you've prob ...

15-inch MacBook Pro with Force Touch

Apple's 15-inch Retina MacBook Pro continues to be a popular notebook with professional users and prosumers looking for the ultimate ...

Typo keyboard for iPad

Following numerous legal shenanigans between Typo -- a company founded in part by Ryan Seacrest -- and the clear object of his physica ...


Most Commented