Apple's Dashboard Hacked
Top Tech News | May 9, 2005

Posted on 05/09/2005 10:51:17 PM PDT by Stoat

A developer has demonstrated a Dashboard exploit in Mac OS X 10.4 "Tiger" that a malicious Web site owner could use to install Widgets you might not want on your Mac.

Writing under the name of Stephan.com, the developer said that a combination of Apple's lack of documentation for removing Widgets, Safari's download controls, and a Widget feature together make it possible for the bad guys to use Dashboard to take you to any Web site of their choosing, hijacking Dashboard for their nefarious purposes.

At issue is a feature in Safari called "Open safe files" that is turned on by default.

This feature allows your Mac to automatically open image files, PDFs, movies, disk images and other files considered safe when they are downloaded. Unfortunately, this also includes downloaded Widget files, which are installed when opened.

When combined with the ability to automatically download a file when visiting a Web page (an HTML feature not limited to Safari), Stephan.com demonstrated how easy it is for a Web site operator to auto-install a Dashboard Widget without the consent of the user.

 


Where this really becomes a problem, however, is what the designer of the Widget does. According to Stephan.com, a Widget can be made to do such things as automatically send the user to a given Web page whenever the Widget is clicked on, and even when a user simply switches to Dashboard.

"This could be taken further, of course," wrote Stephan.com, "using all the nasty tricks developed by the [porn] industry over the last few years -- opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open."

What makes the issue particularly difficult to deal with, according to Stephan.com, is Apple's decision not to provide a documented way to remove Widgets once installed. In fact, Apple's Mac OS X Help files state specifically that "You cannot remove widgets from the Widget Bar or change their order."

The workaround is to manually remove the particular Widget from your ~/Library/Widgets directory and reboot your Mac, but this is something that many, if not most, users won't know. That means that for many people, once a malicious Widget is installed, it's going to stay installed.

He details further examples of potential problems on his Web site. Please note that visiting the demonstration page with Safari in Tiger with the "Open safe files" option turned on will install his demonstration Widget, called Zaptastic, into your Dashboard panel.

Warning: In his discussion of the issue, Stephan.com links to (but does not display) a porn image that many will find offensive and/or disturbing.



TOPICS: Business/Economy; Miscellaneous; News/Current Events; Technical
KEYWORDS: apple; dashboard; hacking; mac; macattack; secure; tiger; unhackable; widgets
1 posted on 05/09/2005 10:51:17 PM PDT by Stoat

To: Stoat
I won't even think of installing Tiger until it runs with my audio software.

These hackers are quite clever. Apple's in for a lot of headaches.

2 posted on 05/09/2005 10:55:51 PM PDT by zarf

To: Stoat

Well, I guess OS 10.4.1 is coming very soon. LOL


3 posted on 05/09/2005 10:56:24 PM PDT by Petronski (Pope Benedict XVI: A German Shepherd on the Throne of Peter)

To: Bush2000; rdb3; ThinkDifferent

Uh....ping.


4 posted on 05/09/2005 10:57:56 PM PDT by Petronski (Pope Benedict XVI: A German Shepherd on the Throne of Peter)

To: Stoat; Swordmaker

Duplicate post.


5 posted on 05/09/2005 10:59:04 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)

To: Petronski

A couple of questions on Mac.

From a user interface standpoint, what are the major differences between a Mac and a PC?

What was the last version before the major upgrade to the Mac operating system (old Mac OS to New Mac OS)?


6 posted on 05/09/2005 11:01:04 PM PDT by BJungNan (Check out http://echotalon.blogspot.com)

To: Spktyr

7 posted on 05/09/2005 11:01:47 PM PDT by BJungNan (Check out http://echotalon.blogspot.com)

To: Spktyr
Duplicate post.

Well, gee, I'm sorry, especially after doing a search prior to posting (as I always do). Nothing even vaguely suggesting a similar article came up in the search when I used this article's title as the search string.

Care to supply the FR link?

8 posted on 05/09/2005 11:01:55 PM PDT by Stoat (Rice / Coulter 2008: Smart Ladies for a Strong America)

To: BJungNan
What was the last version before the major upgrade to the Mac operating system (old Mac OS to New Mac OS)?

9.x was the old Mac OS.

10.x is a whole new flavor, based on Unix.

Beyond that, you will find others here soon who will tell you a great deal more than you expected.




I'm still on WinXP and Win2000

9 posted on 05/09/2005 11:03:31 PM PDT by Petronski (Pope Benedict XVI: A German Shepherd on the Throne of Peter)

To: Stoat

I believe that this article contains inaccuracies.

For example, none of the "safe files" mentioned are executable. That's precisely why they are safe. An executable widget is not "safe", and I do not believe they can be auto-installed in the Dashboard, regardless of this person's assertion that they can be.

I have not yet installed OS 10.4, so I haven't had a direct chance to check this out, but others have, and it has been reported that the files on this website DO NOT autoinstall.

Running a widget the first time still requires a password protected administrative action. That's not to say that this is positive protection. A malicious widget can be disguised as a benign one. Nevertheless, it's not as easy as described in this article.

Reasonable precautions should protect against malicious programs.


10 posted on 05/09/2005 11:09:18 PM PDT by John Valentine

when will you people realize that "left on by default" exploits are only problems when it is in windows, NOT when it is on a mac?

jeez.


11 posted on 05/09/2005 11:10:13 PM PDT by KneelBeforeZod ( I'm going to open Cobra Kai dojos all over this valley!)

To: Stoat

Here you go:

http://www.freerepublic.com/focus/f-news/1394390/posts

Note the fully developed comment threads.


12 posted on 05/09/2005 11:12:19 PM PDT by John Valentine

To: Stoat

Pinging all Tiger users to be aware of a potential Trojan problem with possible malicious Widgets for the Dashboard.
Trojan Horse programs have already made their appearance in the Mac OSX world. Trojans are applications that claim to be one thing and are actually something more malign. Trojans use psychology to attract users into installing and running them. The new Dashboard Widgets can be prime candidates to be Trojans.

The article at the website claims the widget can be auto-installed from a malicious website. He links to a website with a couple of demonstration widgets that he claims Safari will auto-install. I deliberately went to the website (linked from the article) where the demonstration widgets are located but I could not get them to auto-install as was claimed, but that might just be my system. I forced the download of the demo malicious widgets and installed them to see what they would do.

Whether auto-installed or manually installed, widgets, malicious or not, must be invoked by dragging them onto the Dashboard before they can be run. In other words, YOU must put the malicious widgets on the Dashboard for them to be dangerous. The system will also ask if you are sure you want to run them for the first time. IF you don't know where a widget came from, don't give it permission.

Because Apple has yet to provide a slick Widget management interface, deleting Widgets requires a willingness to go into the Mac OSX main Library.

To delete a widget, malicious or not:

(1) Press F12 to bring up the Dashboard.

(2) Click on the circled + in the lower left corner which brings up the Widget Dock AND adds an OFF "X" to each invoked widget.

(3) Shut off the offending widget by clicking on the "X".

(4) Press F12 again (or click on any non-widget area of the screen) to close the Dashboard.

(5) Open your hard drive by double clicking the HD icon and then click on "Library" and then on "Widgets".

(6) Find the widget you wish to delete and drag it to the trash can on your Dock.

(7) Empty Trash.

Done. Restarting your computer is not required.

If, by any chance, you have a widget that refuses to quit, start Activity Monitor (HD/Applications/Utilities/Activity Monitor) and open the Activity Monitor window. All widgets will be included on the list of running processes. Highlight the offending process and force it to quit by clicking the stop sign icon. Then do instructions (5) through (7) to get rid of it permanently.

The important thing to know is that widgets are neat toys that attract people into downloading them for the neat toy... but they may be something with an ulterior action that you really don't want. They could be a venue for mal-ware to invade your Macintosh. The good news is that YOU have to do it... it doesn't happen automatically.

KNOW YOUR VENDOR! If you don't trust them, don't fall for the attractive toy!




13 posted on 05/09/2005 11:14:29 PM PDT by John Valentine (Credit to Swordmaker; this is his post from a related thread.)
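As an added defensive check (not code from the article, from Stephan.com, or from anyone in this thread), the script below does for the whole widget folder what steps (5) through (7) above do by hand: it lists every .wdgt bundle in ~/Library/Widgets and /Library/Widgets with its bundle identifier and flags any widget whose Info.plist asks for more than a plain HTML widget gets, then reports the Safari setting behind the "Open safe files" behaviour the article describes. It assumes widgets are *.wdgt bundles with an XML Info.plist, that the Allow* keys named in the code are the capability keys Dashboard reads from that plist, and that com.apple.Safari AutoOpenSafeDownloads is the preference behind that checkbox.

```shell
#!/bin/sh
# Added example, not code from the article or the thread: inventory installed
# Dashboard widgets and flag any requesting elevated capabilities. Assumes
# *.wdgt bundles with XML Info.plist and that the Allow* keys are Dashboard's.

# plist_bool FILE KEY: print "true"/"false" for a boolean plist key.
plist_bool() {
    awk -v k="<key>$2</key>" '
        found || index($0, k) {
            if ($0 ~ "<true/>")  { print "true";  exit }
            if ($0 ~ "<false/>") { print "false"; exit }
        }
        { found = (index($0, k) > 0) }' "$1"
}

# plist_string FILE KEY: print the string value of a plist key.
plist_string() {
    awk -v k="<key>$2</key>" '
        (found || index($0, k)) && match($0, "<string>[^<]*</string>") {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }
        { found = (index($0, k) > 0) }' "$1"
}

# audit_widgets DIR: per bundle, print name, CFBundleIdentifier and the
# elevated keys set to true ("none" if the widget is plain HTML/JavaScript).
audit_widgets() {
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        plist="$w/Info.plist"
        id=$(plist_string "$plist" CFBundleIdentifier)
        flags=""
        for k in AllowSystem AllowFullAccess AllowFileAccessOutsideOfWidget \
                 AllowNetworkAccess AllowInternetPlugins; do
            if [ "$(plist_bool "$plist" "$k")" = "true" ]; then
                flags="$flags${flags:+ }$k"
            fi
        done
        printf '%s\t%s\t%s\n' "$(basename "$w")" "${id:-unknown}" "${flags:-none}"
    done
}

# Stand-alone run: audit both widget folders, then report the Safari setting
# that lets a downloaded .wdgt open (and so install) without asking.
for d in "$HOME/Library/Widgets" /Library/Widgets; do
    if [ -d "$d" ]; then audit_widgets "$d"; fi
done
if command -v defaults >/dev/null 2>&1; then
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null ||
        echo 'AutoOpenSafeDownloads not set (Safari default: on)'
fi
```

A widget that shows up with AllowSystem or AllowFullAccess set is one to check against the vendor before leaving it installed; a plain clock or weather widget needs neither.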

To: John Valentine

Is this supposed to be the "duplicate" thread? The article doesn't even mention the Dashboard hack that this article focuses on.


14 posted on 05/09/2005 11:15:03 PM PDT by Stoat (Rice / Coulter 2008: Smart Ladies for a Strong America)

To: John Valentine

Why not use this much simpler procedure.

1. Search for "widgets" using Spotlight.

2. This returns a list of stuff. Open the folder "widgets".

3. Move the offending widgets to the trash, empty trash & restart.


15 posted on 05/09/2005 11:21:34 PM PDT by CurlyDave

To: Stoat
The article doesn't even mention the Dashboard hack that this article focuses on.

Au contraire. That's ALL the thread deals with. You aren't reading very closely or checking out the links.

16 posted on 05/09/2005 11:39:22 PM PDT by John Valentine (Credit to Swordmaker; this is his post from a related thread.)

To: Stoat

Let me apologize.... It isn't All the thread talks about. In fact, you are absolutely right about the original post - it is on an entirely different subject.

The discussion about the Dashboard Trojan starts a ways down.

In my own defense, I was pinged on one of the posts dealing with the Dashboard issue, and the link took me well down into the thread. I didn't realize that it had started out on Mac and Unix exploits generally.

My fault. Hopefully next time I'll be a bit more careful.

Still, if you scroll down, you'll find that the discussion becomes 100% relevant to your thread. Hopefully there will be some useful information in there.


17 posted on 05/09/2005 11:45:43 PM PDT by John Valentine (Credit to Swordmaker; this is his post from a related thread.)

To: BJungNan

Funny cartoon.

Of course, this isn't a duplicate thread at all. Two completely different articles, from completely different sources.

I wonder if some of the ABP were whining when there were almost a dozen "Here Comes Apple's Tiger" threads.

Heaven forbid there's more than one single thread on Terri Schiavo, Laura Bush's jokes, or the filibuster.


18 posted on 05/09/2005 11:50:31 PM PDT by Choose Ye This Day (DUmmies: What part of "pay any price, bear any burden, oppose any foe" don't you understand?)

To: John Valentine
Au contraire. That's ALL the thread deals with. You aren't reading very closely or checking out the links.

Okay, just so I'm sure that I have this straight, let me make sure that I'm understanding this.

You are faulting me, and claiming that I have submitted a DUPLICATE article, because a posting that features a completely different article discusses a similar, related topic?

And you are similarly faulting me for not checking all links within this completely different article and all posts on the thread, and all links in all posts to make sure that they do not link to similar articles or discuss similar concepts?

Is this truly what you are saying?

Where can this "duplicate thread" identification criteria be found in the Free Republic posting guidelines?

19 posted on 05/09/2005 11:52:27 PM PDT by Stoat (Rice / Coulter 2008: Smart Ladies for a Strong America)

To: Stoat

Please see Post 17.

By the way, it wasn't me that posted the original "Duplicate Post" remark. I only provided the link to the article I was (and remain) sure was the one referred to. Unfortunately, my familiarity with that particular thread came from a ping to me that led me deep into the responses, and I had just assumed that the discussion was relevant to the original article.

I was wrong.


20 posted on 05/09/2005 11:55:21 PM PDT by John Valentine (Credit to Swordmaker; this is his post from a related thread.)

