Apple's Dashboard Hacked
Top Tech News ^ | May 9, 2005

Posted on 05/09/2005 10:51:17 PM PDT by Stoat

A developer has demonstrated a Dashboard exploit in Mac OS X 10.4 "Tiger" that a malicious Web site owner could use to install Widgets you might not want on your Mac.

Writing under the name of Stephan.com, the developer said that a combination of Apple's lack of documentation for removing Widgets, Safari's download controls, and a Widget feature all make it possible for the bad guys to use Dashboard to take you to any Web site of their choosing, hijacking Dashboard for their nefarious purposes.

At issue is a feature in Safari called "Open safe files" that is turned on by default.

This feature allows your Mac to automatically open image files, PDFs, movies, disk images and other files considered safe when downloaded. Unfortunately, this also includes Widget files downloaded, which are installed when opened.

When combined with the ability to automatically download a file when visiting a Web page (an HTML feature not limited to Safari), Stephan.com demonstrated how easy it is for a Web site operator to autoinstall a Dashboard Widget without the consent of the user.

 


Where this really becomes a problem, however, is what the designer of the Widget does. According to Stephan.com, a Widget can be made to do such things as automatically send the user to a given Web page whenever the Widget is clicked on, and even when a user simply switches to Dashboard.

"This could be taken further, of course," wrote Stephan.com, "using all the nasty tricks developed by the [porn] industry over the last few years -- opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open."

What makes the issue particularly difficult to deal with, according to Stephan.com, is Apple's decision not to provide a documented way to remove Widgets once installed. In fact, Apple's Mac OS X Help files state specifically that "You cannot remove widgets from the Widget Bar or change their order."

The workaround for this is to manually remove the offending Widget from your ~/Library/Widgets directory and reboot your Mac, but this is something that many, if not most, users won't know how to do. That means that for many people, once a malicious Widget is installed, it's going to stay installed.

He details further examples of areas of potential problem at his Web site. Please note that visiting the demonstration page with Safari in Tiger with the "Open safe files" option turned on will install his demonstration Widget, called Zaptastic, into your Dashboard panel.
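The checks a defender would want after reading the above, as an added shell example that is not code from the article, Stephan.com or Apple: it inventories the *.wdgt bundles in a Widgets folder (the thread later notes Spotlight will not list them), flags any bundle whose identifier is not on a known-good baseline, and quarantines a bundle rather than deleting it, since a running widget blocks emptying the Trash. Assumptions not stated on the page: widgets are flat *.wdgt directories whose XML Info.plist carries CFBundleIdentifier with one key per line, the Dashboard helper process is named DashboardClient, and Safari's "Open safe files" setting lives under the AutoOpenSafeDownloads preference key.

```sh
#!/bin/sh
# Added example: Dashboard widget inventory, baseline diff and quarantine.
# Assumed (not from the page): flat *.wdgt bundles with an XML Info.plist,
# a DashboardClient helper process, and Safari's AutoOpenSafeDownloads key.

# Print the CFBundleIdentifier of one widget bundle, or "unknown".
widget_id() {
    plist="$1/Info.plist"
    [ -f "$plist" ] || { echo unknown; return; }
    id=$(awk '/CFBundleIdentifier/ { want = 1 }
              want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$plist")
    echo "${id:-unknown}"
}

# One "bundle-name<TAB>identifier" line per *.wdgt directory inside $1.
list_widgets() {
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        printf '%s\t%s\n' "$(basename "$w")" "$(widget_id "$w")"
    done
}

# Lines from list_widgets whose identifier is missing from baseline file $2
# (one identifier per line, captured from a clean install of the Widgets folder).
unexpected_widgets() {
    list_widgets "$1" | while IFS="$(printf '\t')" read -r name id; do
        grep -qx -- "$id" "$2" || printf '%s\t%s\n' "$name" "$id"
    done
}

# Move bundle $1 into quarantine directory $2 instead of deleting it. Dashboard
# only loads bundles from the Widgets folders, and stopping DashboardClient
# first means no running widget can keep the bundle busy.
quarantine_widget() {
    mkdir -p "$2"
    if command -v killall >/dev/null 2>&1; then
        killall DashboardClient 2>/dev/null || true
    fi
    mv -- "$1" "$2"/
}

# Report Safari's "Open safe files" setting; 'defaults' exists only on macOS,
# so elsewhere this prints "not-macos" and a missing key prints "unset".
safari_auto_open() {
    command -v defaults >/dev/null 2>&1 || { echo not-macos; return; }
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo unset
}
```

Run `unexpected_widgets /Library/Widgets baseline.txt` and the same for `~/Library/Widgets`, then `quarantine_widget` on anything reported and reboot as the article advises.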

Warning: In his discussion of the issue, Stephan.com links to (but does not display) a porn image that many will find offensive and/or disturbing.



TOPICS: Business/Economy; Miscellaneous; News/Current Events; Technical
KEYWORDS: apple; dashboard; hacking; mac; macattack; secure; tiger; unhackable; widgets
To: John Valentine
Let me apologize

Apology accepted, no problems.

I was beginning to think that I had truly entered the Twilight Zone


21 posted on 05/09/2005 11:56:07 PM PDT by Stoat (Rice / Coulter 2008: Smart Ladies for a Strong America)
[ Post Reply | Private Reply | To 17 | View Replies]

To: BJungNan

No "start" button on Mac, the menu bar is always at the top of the screen instead of at the top of a window, there is more than one action item at the upper left corner of the window. Things work differently in the UI, too. Too much other stuff to list; but there's nothing completely and utterly alien to a Windows user that can't be explained with analogies and a little help, since Windows has always been a bad copy of the Mac OS from day one.

Check out the following urls for info:
http://www.apple.com/macosx/overview/aquauserinterface.html
http://www.apple.com/switch/
http://www.apple.com/macosx/
http://arstechnica.com/guides/tweaks/miniguide.ars

There's more out there, but I'm too tired to really go into them. Swordmaker should have more of them...


22 posted on 05/09/2005 11:56:36 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: John Valentine
Note the fully developed comment threads..

That really isn't a duplicate. The article in the link is much more general but I posted a reply to General_Re about this vulnerability.

23 posted on 05/10/2005 12:48:56 AM PDT by Swordmaker (tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Bush2000; antiRepublicrat; Action-America; eno_; bentfeather; byset; N3WBI3; zeugma; LeGrande; ...
Widget problem in Tiger PING!

If you want on or off the Mac Ping List, Freepmail me.

24 posted on 05/10/2005 12:50:49 AM PDT by Swordmaker (tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: CurlyDave
Why not use this much simpler procedure.

That will work for the deletion steps BUT you have to stop the process before that will work. If the widget is running, OSX will not let you empty the trash.

You could restart and THEN empty the trash... that would work... but it requires a restart. My method does not require a restart.

Incidentally, Spotlight DOES return the folder "Widgets" but it does not provide a list of widgets.

25 posted on 05/10/2005 12:58:28 AM PDT by Swordmaker (tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Stoat

I have just posted a more detailed article on this vulnerability and solutions to avoid the problem... which is really not that serious. Why is it not that serious? Because it is necessary to actually DRAG the new malicious widget onto the Dashboard manually. Just because it is installed into the Widget Library does not cause it to run. AND when you do drag it onto the Dashboard, it asks you if you are certain you want to run this widget for the first time.

Oh. The article:

http://www.freerepublic.com/focus/chat/1400014/posts


26 posted on 05/10/2005 1:32:08 AM PDT by Swordmaker (tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 19 | View Replies]

To: Petronski
Petronski, You are a Psychic!

Forthcoming Mac OS X 10.4.1 Update addresses Tiger issues
By AppleInsider Staff Published: 10:15 AM EST May 5, 2005

SNIP SNIP SNIP

Anonymous but reliable sources say that after a month in development, Mac OS X 10.4.1 Update, code-named "Atlanta," is ready to be deployed for rigorous and wide-spread testing. Its objective will be to rectify any and all outstanding issues present in the shipping version of Mac OS X 10.4 "Tiger," which went on sale over the weekend.

http://www.appleinsider.com/article.php?id=1058
27 posted on 05/10/2005 5:46:41 AM PDT by bwteim
[ Post Reply | Private Reply | To 3 | View Replies]

To: Swordmaker

I think that if you click on Spotlight and type 'widgets' and then select
Group By
flat file list

you should see the individual widgets in question.


28 posted on 05/10/2005 5:51:32 AM PDT by bwteim
[ Post Reply | Private Reply | To 25 | View Replies]

To: John Valentine
I find this entire dashboard issue to be fairly interesting because it is such an incredibly weak argument to hang the "see OSX is vulnerable too" hat on.

From what I've seen from several different sources, the author's claim that it autoinstalls is false. He must have something seriously misconfigured to allow that. Given that, this would appear to be an example of folks complaining because a computer lets them install programs on it. Heavens! OSX allows you to install and run programs??? What is the world coming to? OSX must be hermetically sealed or it is just as bad as that other OS from Redmond!

I'd say that Apple needs to provide a tool to allow for easy deletion of 'dashboard' programs, but if it is true that it doesn't automatically install the software without user intervention, then this is nothing but hot air about nothing.

For the record, I don't use a Mac.

29 posted on 05/10/2005 6:19:02 AM PDT by zeugma (Come to the Dark Side...... We have cookies!)
[ Post Reply | Private Reply | To 13 | View Replies]

To: bwteim
you should see the individual widgets in question.

Nope.. just tried that... still only the "widgets" folder...

30 posted on 05/10/2005 7:13:08 AM PDT by Swordmaker (tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Swordmaker

Got "any date selected" would be one thing to check, but more importantly, check System Preferences under Spotlight and make sure you have the proper categories selected. They range from documents, applications, system preferences, folders, mail messages, etc etc. down to fonts and presentations.

I think if some are deselected, you may not see widgets such as:
widget-com.apple.widget.flighttracker.plist


31 posted on 05/10/2005 7:19:14 AM PDT by bwteim
[ Post Reply | Private Reply | To 30 | View Replies]

To: Swordmaker

There should be at least two widgets folders - one in the system library, and one in each user's home directory library.


32 posted on 05/10/2005 12:55:01 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 30 | View Replies]

To: Swordmaker
I just bought a Mac mini and am wondering if there is a good/better/best way of setting it up. It came with Tiger but I haven't downloaded it yet.

I'm an old windose 98 user and have no idea about how to set up a mac, anything I should do or not do?

Thanks

BigMack
33 posted on 05/10/2005 3:27:23 PM PDT by PayNoAttentionManBehindCurtain (Don't be afraid to try: Remember, the ark was built by amateur's, and the Titanic by professionals.)
[ Post Reply | Private Reply | To 24 | View Replies]

To: bwteim; HAL9000
Sorry, still no widgets. Everything is checked in the System Preferences. Are you seeing them? I only get the folder and can merely click on that. Even searching for a file name that contains .wdgt as an extension will only bring up those widgets that happen to have the extension... most do not.

Hal, you get the second folder ONLY if the widget is downloaded by a user with lower than administrator access. The ~/Library/Widgets folder is not created until it is needed.

34 posted on 05/10/2005 6:35:01 PM PDT by Swordmaker (tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 31 | View Replies]

To: PayNoAttentionManBehindCurtain
I just bought a Mac mini and am wondering if there is a good/better/best way of setting it up. It came with Tiger but I haven't downloaded it yet.

I'm an old windose 98 user and have no idea about how to set up a mac, anything I should do or not do?

If your Mac Mini came with OSX.4 Tiger, it is most likely already installed on the computer and you need to do nothing. You would not want to download Tiger... it is over six gigabytes in size.

To check if it is already installed, select "About the Mac" under the Apple Menu, highlight it and release the mouse button. If OSX.4 is installed it will tell you "Mac OS X Version 10.4". If it is something lower, go ahead and install it.... just follow the prompts and all should be well some 30-45 minutes later.

If you are installing OSX for the first time (unlikely, unless you wipe the HD) you can select to omit some of the languages under the "custom" install options. You can also omit some of the keyboard layouts that go with those languages. If you aren't hurting for HD space, the languages allow you to see websites for those languages in the proper fonts (not gobbledegook). It will cut the install time in half if you only install English language and QWERTY keyboard (USA) layouts.

It is always a good idea to immediately run "Software Update" (found under the Apple Menu) a couple - three times after you install a new OS or re-install the OS. This will get the latest and greatest updates and security features.

If you have a broadband internet connection, be sure to set the Software update preferences to check for updates at least weekly.

Then, just enjoy.

35 posted on 05/10/2005 6:53:09 PM PDT by Swordmaker (tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 33 | View Replies]

To: PayNoAttentionManBehindCurtain

OH... if you don't have a two or more button mouse... get one.


36 posted on 05/10/2005 6:55:48 PM PDT by Swordmaker (tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 33 | View Replies]

To: Swordmaker
Hal, you get the second folder ONLY if the widget is downloaded by a user with lower than administrator access. The ~/Library/Widgets folder is not created until it is needed.

I'm running a secondary Admin account. It has the ~/Library/Widgets folder. Spotlight is finding both Widgets folders.

37 posted on 05/10/2005 7:02:19 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 34 | View Replies]

To: PayNoAttentionManBehindCurtain
If your Mac mini did not include Tiger, you may be able to get it for $9.95 with the Tiger Up-To-Date Program. It covers Mac minis purchased since April 12th, but your order must be postmarked by July 9th to get the $9.95 price.
38 posted on 05/10/2005 7:08:16 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 33 | View Replies]

To: HAL9000

Widgets in a user's Library will not be available to other users. Are there any Widgets in it?


39 posted on 05/10/2005 7:48:29 PM PDT by Swordmaker (tagline now open, please ring bell.)
[ Post Reply | Private Reply | To 37 | View Replies]

To: Swordmaker

See your FReep mail plse


40 posted on 05/10/2005 7:57:07 PM PDT by bwteim
[ Post Reply | Private Reply | To 34 | View Replies]
