Apple's Dashboard Hacked
Top Tech News | May 9, 2005
Posted on 05/09/2005 10:51:17 PM PDT by Stoat
Apple's Dashboard Hacked
May 9, 2005 1:50PM
A developer has demonstrated a Dashboard exploit in Mac OS X 10.4 "Tiger" that a malicious Web site owner could use to install Widgets you might not want on your Mac. Writing under the name of Stephan.com, the developer said that a combination of Apple's lack of documentation for removing Widgets, Safari's download controls, and a Widget feature all make it possible for the bad guys to use Dashboard to take you to any Web site of their choosing, hijacking Dashboard for their nefarious purposes.

At issue is a feature in Safari called "Open safe files" that is turned on by default. This feature allows your Mac to automatically open image files, PDFs, movies, disk images and other files considered safe when downloaded. Unfortunately, this also includes downloaded Widget files, which are installed when opened. When combined with the ability to automatically download a file when visiting a Web page (an HTML feature not limited to Safari), Stephan.com demonstrated how easy it is for a Web site operator to autoinstall a Dashboard Widget without the consent of the user.

Where this really becomes a problem, however, is what the designer of the Widget does. According to Stephan.com, a Widget can be made to do such things as automatically send the user to a given Web page whenever the Widget is clicked on, and even when a user simply switches to Dashboard. "This could be taken further, of course," wrote Stephan.com, "using all the nasty tricks developed by the [porn] industry over the last few years -- opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open."

What makes the issue particularly difficult to deal with, according to Stephan.com, is Apple's decision not to provide a documented way to remove Widgets once installed. In fact, Apple's Mac OS X Help files state specifically that "You cannot remove widgets from the Widget Bar or change their order." The workaround for this is to manually remove any particular Widget from your ~/Library/Widgets directory and reboot your Mac, but this is something that many, if not most, users won't know. That means that for many people, once a malicious Widget is installed, it's going to stay installed.

He details further examples of areas of potential problem at his Web site. Please note that visiting the demonstration page with Safari in Tiger with the "Open safe files" option turned on will install his demonstration Widget, called Zaptastic, into your Dashboard panel. Warning: In his discussion of the issue, Stephan.com links to (but does not display) a porn image that many will find offensive and/or disturbing.
TOPICS: Business/Economy; Miscellaneous; News/Current Events; Technical
KEYWORDS: apple; dashboard; hacking; mac; macattack; secure; tiger; unhackable; widgets
To: John Valentine
Let me apologize
Apology accepted, no problems.
I was beginning to think that I had truly entered the Twilight Zone
21 posted on 05/09/2005 11:56:07 PM PDT by Stoat (Rice / Coulter 2008: Smart Ladies for a Strong America)
To: BJungNan
22 posted on 05/09/2005 11:56:36 PM PDT by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)
To: John Valentine
Note the fully developed comment threads...
That really isn't a duplicate. The article in the link is much more general, but I posted a reply to General_Re about this vulnerability.
23 posted on 05/10/2005 12:48:56 AM PDT by Swordmaker (tagline now open, please ring bell.)
To: Bush2000; antiRepublicrat; Action-America; eno_; bentfeather; byset; N3WBI3; zeugma; LeGrande; ...
Widget problem in Tiger PING!
If you want on or off the Mac Ping List, Freepmail me.
24 posted on 05/10/2005 12:50:49 AM PDT by Swordmaker (tagline now open, please ring bell.)
To: CurlyDave
Why not use this much simpler procedure.
That will work for the deletion steps, BUT you have to stop the process before that will work. If the widget is running, OSX will not let you empty the trash.
You could restart and THEN empty the trash... that would work... but it requires a restart. My method does not require a restart.
Incidentally, Spotlight DOES return the folder "Widgets" but it does not provide a list of widgets.
25 posted on 05/10/2005 12:58:28 AM PDT by Swordmaker (tagline now open, please ring bell.)
To: Stoat
I have just posted a more detailed article on this vulnerability and solutions to avoid the problem... which is really not that serious. Why is it not that serious? Because it is necessary to actually DRAG the new malicious widget onto the Dashboard manually. Just because it is installed into the Widget Library does not cause it to run. AND when you do drag it onto the Dashboard, it asks you if you are certain you want to run this widget for the first time.
Oh. The article:
http://www.freerepublic.com/focus/chat/1400014/posts
26 posted on 05/10/2005 1:32:08 AM PDT by Swordmaker (tagline now open, please ring bell.)
To: Petronski
Petronski, You are a Psychic!
Forthcoming Mac OS X 10.4.1 Update addresses Tiger issues
By AppleInsider Staff Published: 10:15 AM EST May 5, 2005
SNIP SNIP SNIP
Anonymous but reliable sources say that after a month in development, Mac OS X 10.4.1 Update, code-named "Atlanta," is ready to be deployed for rigorous and wide-spread testing. Its objective will be to rectify any and all outstanding issues present in the shipping version of Mac OS X 10.4 "Tiger," which went on sale over the weekend.
http://www.appleinsider.com/article.php?id=1058
27 posted on 05/10/2005 5:46:41 AM PDT by bwteim
To: Swordmaker
I think that if you click on Spotlight and type 'widgets' and then select
Group By
flat file list
you should see the individual widgets in question.
28 posted on 05/10/2005 5:51:32 AM PDT by bwteim
To: John Valentine
I find this entire dashboard issue to be fairly interesting because it is such an incredibly weak argument to hang the "see OSX is vulnerable too" hat on.
From what I've seen from several different sources, the author's claim that it autoinstalls is false. He must have something seriously misconfigured to allow that. Given that, this would appear to be an example of folks complaining because a computer lets them install programs on it. Heavens! OSX allows you to install and run programs??? What is the world coming to? OSX must be hermetically sealed or it is just as bad as that other OS from Redmond!
I'd say that Apple needs to provide a tool to allow for easy deletion of 'dashboard' programs, but if it is true that it doesn't automatically install the software without user intervention, then this is nothing but hot air about nothing.
For the record, I don't use a Mac.
29 posted on 05/10/2005 6:19:02 AM PDT by zeugma (Come to the Dark Side...... We have cookies!)
To: bwteim
you should see the individual widgets in question.
Nope... just tried that... still only the "widgets" folder...
30 posted on 05/10/2005 7:13:08 AM PDT by Swordmaker (tagline now open, please ring bell.)
To: Swordmaker
Got "any date selected" would be one thing to check, but more importantly, check System Preferences under Spotlight and make sure you have the proper categories selected. They range from documents, applications, system preferences, folders, mail messages, etc etc. down to fonts and presentations.
I think if some are deselected, you may not see widgets such as:
widget-com.apple.widget.flighttracker.plist
31 posted on 05/10/2005 7:19:14 AM PDT by bwteim
To: Swordmaker
There should be at least two widgets folders - one in the system library, and one in each user's home directory library.
32 posted on 05/10/2005 12:55:01 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
To: Swordmaker
I just bought a Mac mini and am wondering if there is a good/better/best way to set it up. It came with Tiger but I haven't downloaded it yet.
I'm an old windose 98 user and have no idea about how to set up a Mac. Anything I should do or not do?
Thanks
BigMack
33 posted on 05/10/2005 3:27:23 PM PDT by PayNoAttentionManBehindCurtain (Don't be afraid to try: Remember, the ark was built by amateurs, and the Titanic by professionals.)
To: bwteim; HAL9000
Sorry, still no widgets. Everything is checked in the System Preferences. Are you seeing them? I only get the folder and can merely click on that. Even searching for a file name that contains .wdgt as an extension will only bring up those widgets that happen to have the extension... most do not.
Hal, you get the second folder ONLY if the widget is downloaded by a user with lower than administrator access. The ~/Library/Widgets folder is not created until it is needed.
34 posted on 05/10/2005 6:35:01 PM PDT by Swordmaker (tagline now open, please ring bell.)
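The posts above note two Widgets folders (/Library/Widgets and ~/Library/Widgets) and that searching on the .wdgt extension misses bundles that lack it. Added example, not from the thread or from Apple: a POSIX shell inventory that recognises a widget bundle by its Info.plist (the standard CFBundleIdentifier key) instead of by extension, and flags bundles whose identifier is not under a trusted prefix. The sample tree it builds is constructed for demonstration and stands in for the real folders.

```shell
#!/bin/sh
# Inventory Dashboard widget bundles by Info.plist rather than by .wdgt extension.
# Folder paths are the ones named in the thread; everything else is constructed.

# Print "<bundle path>\t<bundle identifier>" for every bundle under the given
# directories. Missing directories are skipped (~/Library/Widgets is only
# created once it is needed).
list_widgets() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for bundle in "$dir"/*/; do
            plist="${bundle}Info.plist"
            [ -f "$plist" ] || continue
            # Take the <string> on the line after the CFBundleIdentifier key.
            id=$(sed -n '/<key>CFBundleIdentifier<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist")
            printf '%s\t%s\n' "${bundle%/}" "${id:-<no identifier>}"
        done
    done
}

# Bundles whose identifier does not start with the given prefix, e.g. "com.apple."
# Third-party widgets show up here for review; removal itself is left to the
# reader (the thread notes a running widget must be stopped before deletion).
non_matching_widgets() {
    prefix="$1"; shift
    list_widgets "$@" | awk -F'\t' -v p="$prefix" 'index($2, p) != 1'
}

# Constructed sample tree: one Apple widget with the extension, one third-party
# bundle without it, and one folder that is not a bundle at all.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/sys/Flight Tracker.wdgt" "$root/user/Zaptastic" "$root/user/Notes"
    printf '<plist><dict>\n<key>CFBundleIdentifier</key>\n<string>com.apple.widget.flighttracker</string>\n</dict></plist>\n' \
        > "$root/sys/Flight Tracker.wdgt/Info.plist"
    printf '<plist><dict>\n<key>CFBundleIdentifier</key>\n<string>com.example.zaptastic</string>\n</dict></plist>\n' \
        > "$root/user/Zaptastic/Info.plist"
    printf 'not a bundle\n' > "$root/user/Notes/README"
}

# Stand-alone run against the constructed tree; on a real Mac you would pass
# /Library/Widgets and "$HOME/Library/Widgets" instead.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d) && make_sample_tree "$demo"
    non_matching_widgets com.apple. "$demo/sys" "$demo/user"
    rm -rf "$demo"
fi
```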
To: PayNoAttentionManBehindCurtain
I just bought a Mac mini and am wondering if there is a good/better/best way to set it up. It came with Tiger but I haven't downloaded it yet.
I'm an old windose 98 user and have no idea about how to set up a Mac. Anything I should do or not do?
If your Mac Mini came with OSX.4 Tiger, it is most likely already installed on the computer and you need to do nothing. You would not want to download Tiger... it is over six gigabytes in size.
To check if it is already installed, select "About the Mac" under the Apple Menu, highlight it and release the mouse button. If OSX.4 is installed it will tell you "Mac OS X Version 10.4". If it is something lower, go ahead and install it.... just follow the prompts and all should be well some 30-45 minutes later.
If you are installing OSX for the first time (unlikely, unless you wipe the HD) you can select to omit some of the languages under the "custom" install options. You can also omit some of the keyboard layouts that go with those languages. If you aren't hurting for HD space, the languages allow you to see websites for those languages in the proper fonts (not gobbledegook). It will cut the install time in half if you only install English language and QWERTY keyboard (USA) layouts.
It is always a good idea to immediately run "Software Update" (found under the Apple Menu) a couple - three times after you install a new OS or re-install the OS. This will get the latest and greatest updates and security features.
If you have a broadband internet connection, be sure to set the Software update preferences to check for updates at least weekly.
Then, just enjoy.
35 posted on 05/10/2005 6:53:09 PM PDT by Swordmaker (tagline now open, please ring bell.)
To: PayNoAttentionManBehindCurtain
OH... if you don't have a two or more button mouse... get one.
36 posted on 05/10/2005 6:55:48 PM PDT by Swordmaker (tagline now open, please ring bell.)
To: Swordmaker
Hal, you get the second folder ONLY if the widget is downloaded by a user with lower than administrator access. The ~/Library/Widgets folder is not created until it is needed.
I'm running a secondary Admin account. It has the ~/Library/Widgets folder. Spotlight is finding both Widgets folders.
37 posted on 05/10/2005 7:02:19 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
To: PayNoAttentionManBehindCurtain
If your Mac mini did not include Tiger, you may be able to get it for $9.95 with the
Tiger Up-To-Date Program. It covers Mac minis purchased since April 12th, but your order must be postmarked by July 9th to get the $9.95 price.
38 posted on 05/10/2005 7:08:16 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
To: HAL9000
Widgets in a user's Library will not be available to other users. Are there any Widgets in it?
39 posted on 05/10/2005 7:48:29 PM PDT by Swordmaker (tagline now open, please ring bell.)
To: Swordmaker
40 posted on 05/10/2005 7:57:07 PM PDT by bwteim