Re: Widget Security in All Things Macintosh

Re: Widget Security

Fri, 20 May 2005 12:48:27 EDT

manifest : Explanation of how 10.4.1 disables dashboard widgets from being installed here:

»docs.info.apple.com/article.html···m=301630

Impact: Malicious websites can download and install widgets via Safari without the Safe Download Validation warning

Description: This update blocks the automatic installation of Dashboard widgets. Mac OS X's Safe Download Validation warning is enabled, requiring user approval before a Dashboard widget is installed by Safari. This issue does not affect Mac OS X versions prior to 10.4. Further information on removing Dashboard widgets that you have installed is available here.

Re: Widget Security

Fri, 13 May 2005 15:13:08 EDT

jDyno : Wasn't really asking expecting an answer. I have a seed key, so I could find out (no time to install all the interim betas, sorry), but I would never say anything about it here, that's for sure.

I'm just more asking in general - not necessarily for this release. How far do you think they'll go in adding in security and management?

This release will be, undoubtedly, baby steps...
--
Smart Marketing

Re: Widget Security

Fri, 13 May 2005 14:37:39 EDT

manifest : With out seeing the changed code or having anything to test with, I have no idea :)

Any dev's out there that can tell us?

Re: Widget Security

Fri, 13 May 2005 14:34:36 EDT

jDyno : Ugh... But how will it know? Apple itself recommends packaging widgets in zip files. Plus, it's already been shown that you can change a bit to get around the error it gives you regarding the file you are downloading being an application.
--
Smart Marketing

Re: Widget Security

Fri, 13 May 2005 13:59:02 EDT

manifest : FTA:
After installing the update, sources say users of the Tiger operating system will be prompted before a widget is downloaded to their hard drive.

Re: Widget Security

Fri, 13 May 2005 13:40:28 EDT

jDyno : Question is fixed how? Just disabling of the auto-install won't do it. But, baby steps at least... Baby steps...
--
Smart Marketing

Re: Widget Security

Fri, 13 May 2005 12:27:20 EDT

manifest : »www.appleinsider.com/article.php?id=1073

Widget issue fixed in 10.4.1 which is to be released "soon".

Re: Widget Security

Thu, 12 May 2005 08:09:04 EDT

jDyno : - And one can bypass the "The file you are downloading is an application..." warning in Safari easily.

So, all those fun warnings everyone said were saving us from this being a problem... Sorry, you have to come up with something else.

And I don't see how you could check out the above site and not think this is a problem anymore.

And still nothing from Apple...

EDIT:

If you're concerned about this issue (and you should be, to beat a dead horse), you should submit your opinion (keep it civil and intelligent, no seething rants) on the OS X feedback page:

»www.apple.com/macosx/feedback/

Re: Widget Security

Wed, 11 May 2005 23:14:40 EDT

sporkme :

said by jDyno :

More info on Dashboard Insecurity. Another exploit proof-of-concept.

»www1.cs.columbia.edu/~aaron/files/widgets/

This ups the bar considerably, IMO.

Short version:

-An auto-installed widget WILL NOT cause Dashboard to prompt with the "this runs a program, blah blah blah..." warning.
-An auto-installed widget can "overwrite" an existing widget (ie: stickies, etc.)
--
Bush/Cheney '04! - Scared Straight
"Patriotism is supporting your country all the time and your government when it deserves it."

Re: Widget Security

Wed, 11 May 2005 23:14:35 EDT

sporkme : dupe!

Re: Widget Security

Wed, 11 May 2005 20:44:02 EDT

jDyno : More info on Dashboard Insecurity. Another exploit proof-of-concept.

»www1.cs.columbia.edu/~aaron/files/widgets/

This ups the bar considerably, IMO.
--
Smart Marketing

Re: Widget Security

Wed, 11 May 2005 09:40:27 EDT

jDyno : A little bit of patting myself on the back here, but I have been quoted in an article on Wired News on the topic of Dashboard Security:

»www.wired.com/news/mac/0,2125,67484,00.html

Just glad this continues to get press at higher and higher levels.

Edit:

Apple continues to hide from the problem:

quote:
J Nicholas Tolson,

Your post titled "Wired News picks up Dashboard security issue" has been removed from Apple Discussions. A copy of this message can be found below. This area is intended to address technical issues about Apple products. Posts that do not conform to the Apple Discussions Terms of Use are inappropriate.

Please see the Terms of Use Agreement at »discussions.info.apple.com/help for more information on the proper use of Apple's Discussion forums. Each Discussion user is required to agree to these terms before gaining posting privileges. You reserve the right to not post on Apple Discussions should you disagree with these terms.

If you would like to send feedback to Apple about a product, please use the appropriate selection at »www.apple.com/feedback

Sometimes you have comments or concerns for which there is no technical response. If you need the kind of help that a troubleshooting expert can't provide, you can call Apple's Customer Relations group.

++++++++++

This message is sent from a send-only email account. Any replies sent to this address are deleted automatically by the system.

----------

A copy of your message for reference:

Glad to see this is continuing to get press and make its way higher and higher up the media food chain. Once it hits USA Today (or the like) I'm hoping Apple will be forced to deal with it in more effective ways than the revisionist history tactics it seems to be deploying by deleting posts on the subject here.

Dashboard leaves Macs vulnerable
»www.wired.com/news/mac/0,2125,67484,00.html

Edit:

Full disclosure: I am quoted in this article, but I would have posted about this here anyway. Too big of an issue to let Apple slide by on, IMO.

Re: Widget Security

Tue, 10 May 2005 00:43:23 EDT

Nighttime : Its a small problem. Turn off that flag and makes thing ok for now.

But if I was Apple. I would set up a dirty tricks group. All they do is try to break into the software. No holds bar. Try everthing they can. Every nasty trick they can come up width. Thats there only testing job.

Did this at different companies. Be supprise at how brittle software really is.

More news

Tue, 10 May 2005 00:24:51 EDT

anon : »news.com.com/Mac+malware+door+cr···ubj=news

Re: Widget Security

Tue, 10 May 2005 00:10:15 EDT

shavano :

said by jDyno :

Oh, yeah, it's all over the place now. MacNN, Slashdot, and I think I saw it on CNET, too. Wired's on top of the topic of Dashboard security, too, I know. :-)

Remember, you heard it here first...;);)
--
Seek truth, not validation of existing beliefs.

Re: Widget Security

Mon, 09 May 2005 22:16:21 EDT

sporkme :

said by Goatseman:

Heh, goatse

And the .cx nic site runs on a Mac:

»www.nic.cx/suspended.jsp?domain=···oatse.cx

Re: Widget Security

Mon, 09 May 2005 21:22:53 EDT

anon : Heh, goatse

Re: Widget Security

Mon, 09 May 2005 19:23:29 EDT

jDyno : Oh, yeah, it's all over the place now. MacNN, Slashdot, and I think I saw it on CNET, too. Wired's on top of the topic of Dashboard security, too, I know. :-)

And I'm happy about all the media attention! The more press, the more likely Apple will do something about it and soon, even if only to save face.

EDIT:

And BTW, I just downloaded a Widget that searches Amazon.com, so it obviously access the internet... It never warned me about anything. So, for all I know it could be emailing itself to everyone in my address book right now. Fun.

Re: Widget Security

Mon, 09 May 2005 14:57:10 EDT

jtk7 : Just saw this:

»www.macnewsworld.com/story/42964.html
--
Diary of a Switcher

Re: Widget Security

Mon, 09 May 2005 01:40:12 EDT

anon : For a widget to use any possibly harmful commands (system or local file access), it has to include some special -keys- in it's info.plist. So in theory, Safari would first warn you, then Dashboard would warn you when you try to run it the first time, that makes two warnings, which I think is enough. This is... in theory...

But...

Here is the problem, according to Apple's own documentation at:

»developer.apple.com/documentatio···n_1.html

"If any of these -keys- are present in your information property list file and it’s located outside of /Library/Widgets/, a dialog is presented to users upon your widget’s first load."

So in other words the warnings only appear if you run a Widget from outside the Library/Widget(s) folder.

Please note that widgets do not run automatically in any case, a newly installed widget must be dragged out of the widget bar first.

Actually the supposed "exploit" didn't even work for me as advertised, the "evil" widgets didn't appear in my widget bar, I had to manually double-click them in the Finder. Also note that Apple's standard widgets are installed in the root /Library/Widgets folder while Safari install them in the user ~/Library/Widgets folder.

I hope Apple will "fix" this, but in the mean time: Don't Panic

Re: Widget Security

Sun, 08 May 2005 22:48:18 EDT

jDyno : Yep, and just think how annoying all the "na-na-na-na-nas" from Windows users will be.

C'mon, Apple! Hook us (and your reputation!) up with an update that at least applies a bit of a salve for this!
--
Smart Marketing

Re: Widget Security

Sun, 08 May 2005 21:15:37 EDT

jtanner :

said by rjackson :

The most a widget could do without an admin password for sudo is wipe out your home directory, since it runs under your UID.

Better check again: the contents of /Applications, /Library, and /Users can be altered or wiped out without any user prompting, at the very least.

This is absolutely as big a disaster as ActiveX, especially since a website can cause Safari to install a widget. If Apple doesn't fix both of these issues, it spells the end of the legendary Mac "invincibility", and we'll all have to begin the monthly tithe to Symantec...

Jim

Re: Widget Security

Sun, 08 May 2005 19:53:32 EDT

Nighttime : That was the comment at Slashdot. Turn off the "auto load" feature. It just dumps the zip where you normally have it set to download to.

Locks only keep honest people out.

Re: Widget Security

Sun, 08 May 2005 19:22:49 EDT

jDyno : If you have Safari set to automatically open "safe" items after download, it will unzip the Widget zip file and automatically move it to the Widgets folder... and also Trash the original zip file. Yikes!

I didn't know about this functionality until JL pointed it out, since I had that feature turned off... And I use Firefox anyway.
--
Smart Marketing

Re: Widget Security

Sun, 08 May 2005 19:09:22 EDT

Nighttime : Since the widgets are compressed as a zip file. You would need to open it to "run" it. I guess. Just sent the hulla dancer from a PC to my mini. Pop up as a zip attachement. But I guess there could be a way to get it to download and install.

Its a Slashdot items also.

»it.slashdot.org/it/05/05/08/2131···79&tid=3

Re: Widget Security

Sun, 08 May 2005 17:59:15 EDT

sporkme :

said by shavano :

And I didn't know when I first posted that they could be automatically installed by just visiting a website.

This is all he's doing to "force" the install:



(*) WARNING 1 long line(s) split

I wonder what Mail does if it receives an email with a link to a widget? Or an email with the widget attached and a link back to it as above? If it blindly installs, then you've got a nifty way to get your malware spreading.

--
Bush/Cheney '04! - Scared Straight
"Patriotism is supporting your country all the time and your government when it deserves it."

Re: Widget Security

Sun, 08 May 2005 17:39:32 EDT

shavano :

said by sporkme :

This will end up biting Apple in the ass.

That's my point.

And I didn't know when I first posted that they could be automatically installed by just visiting a website. The problem is thus much worse than I thought. I don't know if the widget will execute automatically, but how many people are going to see something new and say, "what's that?" then click, bam, thank you ma'am.

So is it sufficient to "chmod 555" on the two directories?
--
Seek truth, not validation of existing beliefs.

Re: Widget Security

Sun, 08 May 2005 17:21:37 EDT

sporkme :

said by jDyno :

Fom:

»www.tuaw.com/2005/05/07/the-prob···widgets/

This is a link to the article, not the site that automatically triggers the download of the Widget, BTW.

Cool, so not only can you bypass any user checks with the "self install" feature, but once it's in a more benign use is adware. Lovely. This will end up biting Apple in the ass. All the excuses about "dumb users" are just really short-sighted. The world is not perfect, people will click on things (or in the case of zaptastic, simply visit a web site). To blame the user seems a bit harsh, and terribly naive.
--
Bush/Cheney '04! - Scared Straight
"Patriotism is supporting your country all the time and your government when it deserves it."

Re: Widget Security

Sun, 08 May 2005 15:55:52 EDT

jDyno : Fom:

»www.tuaw.com/2005/05/07/the-prob···widgets/

This is a link to the article, not the site that automatically triggers the download of the Widget, BTW.
--
Smart Marketing

Re: Widget Security

Sun, 08 May 2005 00:46:42 EDT

SweetDelight : I'm not going to make an active link to this site, but I am going to tell you about it and then list the link, and if you really want to check it out, then you can copy and paste the address in your address bar. Here's the address:
hp://stephan.com/widgets/zaptastic/

Now, if you jump over to that site, it automatically downloads a widget and it also automatically installs it if you are on Tiger, using Safari, and you haven't bothered to disable the "Open 'safe' files after downloading" feature.

So what? How's that a risk? Read more after the jump.

Continue reading The Problem with Widgets

- TUAW.com

Re: Widget Security

Sat, 07 May 2005 16:08:18 EDT

yabos : It's not as big a deal as you make it out to be. There'd have to be a way to spread the thing automatically for it to make a big impact. If someone made a malicious widget the word would spread pretty fast that it does bad things.

The most it could do is modify files or delete files which you have write permissions to.

I can actually think of an easy way to secure dashboard without hampering it's functionality though. Just disable it write access to files or to any commands that delete or modify files.

I can't think of any reason why a widget should need to modify files anyways so why let them.

Re: The bottom line

Sat, 07 May 2005 15:53:03 EDT

jDyno :

said by Thinkdiff :

said by Shamayim :

U Never Install eXtemporaneously��™

ex-tem-po�rane�ous�ly adv.
Carried out or performed with little or no preparation
(def. 1, American Heritage Dictionary)

�2005 MoeDumb Patent Pending Marcas Registrada All Rights&Wrongs Reserved

Exactly my feelings... it's your own fault.

That's a perfectly acceptable position for an individual to take, but it's not so acceptable a position for a company that makes software that millions of people use. I'm just hoping Apple takes care of those less technologically gifted and wary as you in the future by enhancing their built-in security for Widgets in some way.
--
Smart Marketing

Re: The bottom line

Sat, 07 May 2005 13:38:52 EDT

Thinkdiff :

Exactly my feelings... it's your own fault.
--
Thinkdiff's Website | Td's Other site | Altoids iPod Charger

The bottom line

Sat, 07 May 2005 11:04:00 EDT

Shamayim : U Never Install eXtemporaneously��™

ex-tem-po�rane�ous�ly adv.
Carried out or performed with little or no preparation
(def. 1, American Heritage Dictionary)

�2005 MoeDumb Patent Pending Marcas Registrada All Rights&Wrongs Reserved
--
"tick...tick...tick..." »www.jtf.org/

Re: Widget Security

Sat, 07 May 2005 10:45:58 EDT

jwsmiths4 : The thing is widgets require a slightly higher user interaction than windows viri do. Generally windows viri can be attached to other files (pictures, documents, whatever) or can be loaded via webpages. At least with a widget you have to manually carry it to the Widgets directory and then activate it. I know that isn't bullet-proof but its a long ways better than being able to be embedded in a web-page and cause havoc without the user ever getting involved.
Justin

Re: Widget Security

Sat, 07 May 2005 10:01:23 EDT

jDyno :

said by Johnny :

Now if the dialog said "This file erases a folder" then we'd be talking about some actually useful security features. Or if those kinds of destructive commands were not in the allowed set of commands for a widget.

Ding ding ding!! That's exactly what I'm calling for, JL. Exactly.
--
Smart Marketing

Re: Widget Security

Sat, 07 May 2005 08:08:29 EDT

anon :

quote:
Yes, but why would I download it, no matter what cool name you gave it? Before Widgets the download/app had to have a more compelling (and usually complex) function.

Hmm... How many copies of OnyX, MacJanitor, Cocktail, etc. have been downloaded? You could easily bury that in an app that "optimizes your system" or some other nonsense. Most would download it. (How do you think the Windows crap spreads?)

But, I think there may be some sort of checking in these things. If nothing else, Apple should make some checking mandatory.

But, even the other application that does a similar function - Konfabulator (on PC and Mac) allows the same things - you can get some pretty detailed stuff from it and even run commands.

Either way, people need to be wary. They would be wary of a guy on the street giving away concert tickets, yet will download anything off the 'net.

Re: Widget Security

Sat, 07 May 2005 00:35:18 EDT

shavano : Yeah! What JDyno said.

Actually, Johnny and TD are correct. It's always been technically possible to create havoc with applications and scripts.

But I think JDyno is more correct. Dashboard widgets are a whole new league.

Their superficial simplicity but astonishing capabilities, their triviality, their "cuteness", combined with Apple's marketing of them ("you too, can write your own widgets") make them orders of magnitude more dangerous.

Not because they bring new technical capability, but because the widget concept encourages people to ignore the danger.
--
Seek truth, not validation of existing beliefs.

Re: Widget Security

Fri, 06 May 2005 23:58:00 EDT

bobbyzee :

said by rjackson :

The most a widget could do without an admin password for sudo is wipe out your home directory, since it runs under your UID.

It's not that simple. Let's take the exploit with isync. Although fixed in Tiger, Dashboard could allow you to exploit this in a very user friendly way. Someone could author a widget that, for arguments sake, is some cool looking clock. You put some time delay feature in there so when it's, for example, August 31st at 11am it activates code which gains root through the isync exploit and from there, well, it's up to the hackers imagination.

Re: Widget Security

Fri, 06 May 2005 23:39:32 EDT

Johnny : That's the point - I can make that script look and behave exactly like a widget. All I have to do is wrap JavaScript around that line of AppleScript. If I give the file a type identifier of widget, it will download, move it to Library/Widgets, and when Dashboard is triggered it will erase that folder, after the user clicks OK to a dialog that he doesn't understand ("This file contains a program"; "Well, yeah, I know that; so what?").

Now if the dialog said "This file erases a folder" then we'd be talking about some actually useful security features. Or if those kinds of destructive commands were not in the allowed set of commands for a widget.

Re: Widget Security

Fri, 06 May 2005 23:24:29 EDT

jDyno : Yes, but why would I download it, no matter what cool name you gave it? Before Widgets the download/app had to have a more compelling (and usually complex) function. Now, it doesn't take much if anything to entice a download, since widgets aren't design to do more than a single function, most of the time. I'd imagine, given their newness, that people are downloading them just to see what they do even.

It's all these factors - not just one - that make Widgets different than apps of old and as such, this newness is another factor that increases the vulnerability created by Dashboard Widgets, I think.
--
Smart Marketing

Re: Widget Security

Fri, 06 May 2005 23:01:53 EDT

Johnny : Anything can be a Trojan.
[att=1]

I could just save this as an application, slap on a cute icon, and upload it. I don't know if Tiger Finder would put up the "This file contains an application" dialog, but I think it would put up the "This is the first time this application has been run" dialog. That's about all one can do.

In the example above, the testxxx folder could be replaced with the Documents folder or the Pictures folder.

Trojans are Trivial

Re: Widget Security

Fri, 06 May 2005 22:22:05 EDT

jDyno :

said by Thinkdiff :

said by jDyno :

said by Thinkdiff :

I think they probably have people that try out most of them.

I think this is naive. More to the point, I think it's incorrect.

I think it's naive to have such a lengthy discussion on this "issue" and then not even pay attention to the real point of my posts, which is this "risk" has been around since way before dashboard was ever created.

Um, naive probably not, but regardless, I edited my post after you saw it.

And this discussion is about Widget security in general, not just your post.
--
Smart Marketing

Re: Widget Security

Fri, 06 May 2005 22:18:27 EDT

Thinkdiff :

said by jDyno :

said by Thinkdiff :

I think they probably have people that try out most of them.

I think this is naive. More to the point, I think it's incorrect.

Re: Widget Security

Fri, 06 May 2005 22:07:56 EDT

jDyno :

said by Thinkdiff :

I think they probably have people that try out most of them.

I think this is naive. More to the point, I think it's incorrect. But anyway...

The reason why these are a worry (as opposed to other apps you download) is that they are easier to produce, just like little worms/virii. Plus, they are well-documented. So, with very little knowledge and very little time, you can create yourself a little bad guy. Just like all those little things attached to emails that cause billions of dollars worth of problems. All it takes is one kids who knows a little html and one unix command to seriously damage your system and the reputation of Apple.

Plus, it takes little convincing to get someone to download a little thing like a Widget, which usually have very simple functionality, and are sometimes purposely frivolous or "fun." With an app, it would have to purport to doing something more substantial than a Widget or Automator Workflow, and thus would automatically have a smaller download base.

Why make excuses for Apple on this? They need to step up and protect thier users from an easily exploitable security vulnerability. It's an obvious place for some 12-year old to mess with Apple's well-deserved and well-fought reputation for building more secure products.

Re: Widget Security

Fri, 06 May 2005 21:17:38 EDT

Thinkdiff : I think they probably have people that try out most of them. Of course, none of us know for sure if they do or don't. the real point of my post still applies, you downloaded, you installed it, you accept the consequences

edit: just to put down the ridiculous argument of "that's windows talk", that applies to ANY application. ANY application can erase the user folder and documents without a password. If you guys haven't realized that yet.. jeez..

Re: Widget Security

Fri, 06 May 2005 21:12:22 EDT

bobrk : You think they test them all?

Re: Widget Security

Fri, 06 May 2005 21:11:33 EDT

Thinkdiff :

said by bobrk :

said by Thinkdiff :

As a general rule if you want to be safe, only download widgets from the apple website.

Uh, no.

said by »www.apple.com/downloads/macosx/dashboard/:

Apple is providing links to these applications as a courtesy, and makes no representations regarding the applications or any information related thereto. Any questions, complaints or claims regarding the applications must be directed to the appropriate software vendor.

Uh, that's just to save their asses. I wouldn't hold your breath waiting for the day a trojan widget appears on apple's website.
--
Thinkdiff's Website | Td's Other site | Altoids iPod Charger

Re: Widget Security

Fri, 06 May 2005 21:09:23 EDT

bobrk :

said by Thinkdiff :

As a general rule if you want to be safe, only download widgets from the apple website.

Uh, no.

--
bobrk

Re: Widget Security

Fri, 06 May 2005 21:01:23 EDT

Thinkdiff : I've always had the same stance on viruses and the like. YOU downloaded, YOU installed it, YOU ran it. Just like ANY other application, script, etc. If you download a widget from joeswidgetshack.com and expect it to be completely safe, you are in for whatever comes to you. If I happened to download a widget that deleted my entire user folder, I would take it as a lesson learned. I've always made it a point not to install every little POS application or utility (as some other people like to do).

As a general rule if you want to be safe, only download widgets from the apple website.
--
Thinkdiff's Website | Td's Other site | Altoids iPod Charger

Re: Widget Security

Fri, 06 May 2005 18:25:44 EDT

shavano :

said by rjackson :

The most a widget could do without an admin password for sudo is wipe out your home directory, since it runs under your UID.

The most? Like that's not enough?

Even with daily backups, you probably would lose something. Like that priceless photo you just uploaded and deleted from the camera. This is making me rethink Dashboard AND backup strategy. (As in, "I need a backup strategy!" :D)

Hmmmm....maybe an Automator action that does an incremental backup to separate disk, changing ownership before and after. Or is that just a folder action......sheesh, more stuff to go learn....;)
--
Seek truth, not validation of existing beliefs.

Re: Widget Security

Fri, 06 May 2005 18:03:13 EDT

sporkme :

said by rjackson :

said by bobrk :

So it's sort of up to the Dashboard to do security duties?

No, It's Up To You™. Some people might think it's unfair but you shouldn't trust a widget you downloaded any more than you would trust a shell script, Automator workflow, or AppleScript. The good news is it's fairly easy to audit a widget simply because they're scripts, rather than a binary that isn't very human-readable.

Eek! That sounds like something you'd overhear in the Windows Help forum.
--
Bush/Cheney '04! - Scared Straight
"Patriotism is supporting your country all the time and your government when it deserves it."

Re: Widget Security

Fri, 06 May 2005 17:55:19 EDT

jDyno :

said by rjackson :

said by bobrk :

So it's sort of up to the Dashboard to do security duties?

Tell that to my 60-year old mother, for whom I'll be updating her new iBook to Tiger in the coming weeks.

Hell, tell that to my 36-year old sister, who is a very computer-savvy graphic designer, but wouldn't know what the code meant if you forced her to read it like a EULA every time the widget launched!

It's just not practical, rjackson. Even for me, and I write webdev code for a living. It would be really easy to hide some nefarious stuff in benign-looking code. And tell me, have you opened every single Widget you downloaded before loading it and thoroughly examined every single line to make sure it doesn't do anything you don't expect? C'mon.

And at this point, I'm not even asking for anything too advanced from Dashboard or Automator. I just want even the barest programmatic protections against nefarious stuff, like explicitly telling me that an app requires System or Net access (the current warning is too vague and I even missed that it was asking for access to the SYSTEM, rather than just telling me I'm running something for the first time) and ALSO telling me in idiot terms, why I should care about this.

This isn't about protecting those that know better or can do things to protect themselves. Apple is getting more and more into an uneducated consumer space, and that's a good thing, so they need to do more to protect those that can't protect themselves.
--
Smart Marketing

Re: Widget Security

Fri, 06 May 2005 17:30:46 EDT

rjackson :

said by bobrk :

So it's sort of up to the Dashboard to do security duties?

Re: Widget Security

Fri, 06 May 2005 16:52:51 EDT

bobrk : So it's sort of up to the Dashboard to do security duties?
--
bobrk

Re: Widget Security

Fri, 06 May 2005 16:30:21 EDT

rjackson : Yeah, widgets can be debugged/ran in Safari but they won't have their full capabilities. The widget object is specific to Dashboard and as such none of its methods or properties are valid in Safari, so they wouldn't work anyways. That includes widget.system() for executing system commands.

Testing if window.widget exists is just a matter of good programming practices, there's no reason to execute code if you know it's going to fail or produce unexpected results.

Re: Widget Security

Fri, 06 May 2005 16:18:17 EDT

sporkme :

said by rjackson :

The widget object is only available in Dashboard, it doesn't have any properties in Safari. In fact most widgets will test to see if they're in the Dashboard environment before doing anything with the widget object:

if(window.widget) {
     // do widget-only stuff here
}

I'm confused here, as I thought you were able to debug/run widgets in Safari 2.x?

If I were a betting man, I'd say the first big Mac "trojan" will be a malicious widget. If they can be loaded in Safari, look out, then browsing becomes Active-X dangerous.

--
Bush/Cheney '04! - Scared Straight
"Patriotism is supporting your country all the time and your government when it deserves it."

Re: Widget Security

Fri, 06 May 2005 16:14:25 EDT

Nighttime : I guess a widget could be cooked up to check that file.

Re: Widget Security

Fri, 06 May 2005 15:46:11 EDT

bobrk : That's what I was thinking.

Re: Widget Security

Fri, 06 May 2005 15:45:06 EDT

rjackson : The most a widget could do without an admin password for sudo is wipe out your home directory, since it runs under your UID.

Re: Widget Security

Fri, 06 May 2005 15:38:51 EDT

bobrk :

said by shavano :

I was hoping they might only be able to execute informational commands, not execute any arbitrary command like "rm -Rf".

Can an adminstrator do an rm -Rf anywhere? Seems to me I have to use sudo just to edit the /etc/hosts file.
--
bobrk

Re: Widget Security

Fri, 06 May 2005 14:01:00 EDT

shavano :

said by jDyno :

But it doesn't really tell you that it may be a security risk

that's just not a practical security paradigm.

Even if everyone did have the discipline ... you can't expect everyone to have the knowledge to know what to look for.

I am of the opinion that the security of Dashboard Widgets (and Automator actions) needs to be addressed by Apple ASAP.

Exactly!

I just took a few minutes this morning to see what it might take for me to write my own. I saw the note on the Apple page about system commands and looked inside a couple of widgets.

My immediate reaction was "holy sh*t!!!!!".

Though not a professional developer, I'm reasonably competent at the Unix command line and have done some HTML and C programs. And I immediately knew they will easily be so complex there is no chance I would be able to tell if a widget was going to do something malicious.
--
Seek truth, not validation of existing beliefs.

Re: Widget Security

Fri, 06 May 2005 13:54:29 EDT

rjackson :

said by shavano :

I was hoping they might only be able to execute informational commands, not execute any arbitrary command like "rm -Rf".

I'd like them to not be able to do anything that writes or modifies a file via Unix command.

Maybe there's something down in the bowels that prevents it?

If you're concerned about a widget accessing the system open it up by right-clicking (or cmd-clicking) on the widget and go to "Show package contents". Open up the widget's Info.plist and look for a key that says "AllowSystem" or "AllowFullAccess". Without either of these keys set to "Yes" the widget has no authority to run system commands.

Likewise the absence of the "AllowNetwork" key prevents the widget from using network resources.

said by shavano :

But if not, and if they actuallly are just mini-browsers, then did this make Safari vulnerable as well? That is, the widget object with all it's power, is now available to any Javascript? Or is it "limited" to just widgets executing via the Widget Server?

The widget object is only available in Dashboard, it doesn't have any properties in Safari. In fact most widgets will test to see if they're in the Dashboard environment before doing anything with the widget object:

if(window.widget) {
     // do widget-only stuff here
}

Re: Widget Security

Fri, 06 May 2005 13:47:48 EDT

shavano : I was hoping they might only be able to execute informational commands, not execute any arbitrary command like "rm -Rf".

I'd like them to not be able to do anything that writes or modifies a file via Unix command.

Maybe there's something down in the bowels that prevents it?

But if not, and if they actuallly are just mini-browsers, then did this make Safari vulnerable as well? That is, the widget object with all it's power, is now available to any Javascript? Or is it "limited" to just widgets executing via the Widget Server?
--
Seek truth, not validation of existing beliefs.

Re: Widget Security

Fri, 06 May 2005 13:46:26 EDT

jDyno : But it doesn't really tell you that it may be a security risk or that it accesses private system stuff. It just asks permission to run for the first time.

Also, no such warning exists when a widget needs Net access.

Yes, apps exist to monitor net traffic, and of course one is SUPPOSED to scan everything you put on your computer, but that's just not a practical security paradigm.

Even if everyone did have the discipline to check for security risks in every Widget (or any other thing they put on their machine), you can't expect everyone to have the knowledge to know what to look for. Hell, I'm a developer and I wouldn't be able to spot everything - probably even if I knew it was there.

And no, these do no more than any other Applescript could do, but Widgets and Automator actions will be used and downloaded many hundreds of thousand of more times than Applescript just by the very fact in how they are now more built-in adn accessible by the everyday user.

I am of the opinion that the security of Dashboard Widgets (and Automator actions) needs to be addressed by Apple ASAP.
--
Smart Marketing

Re: Widget Security

Fri, 06 May 2005 13:39:52 EDT

jmirabella : Also any outbound traffic can be 'cought' by programs such as Little Snitch

»www.obdev.at/products/littlesnitch/
--
RCN Customers PM jmirabella your modem MAC address or RCN username if you have any questions.

Re: Widget Security

Fri, 06 May 2005 13:28:03 EDT

JJ : The widget has to ask the user for permission to run the first time if it wants access to the system:

»developer.apple.com/documentatio···n_1.html

Re: Widget Security

Fri, 06 May 2005 13:14:59 EDT

HiVolt : If you aren't asked to enter your admin password, and AFAIK, you aren't, to install or use the widgets, there's is a potential for trojans and other malware to exploit this I think.
--
}�.��.��`�.��.��`�.��.��`�.��.��`�.��.��`�.��.��`�.��.��

Re: Widget Security

Fri, 06 May 2005 13:07:08 EDT

Homunculus : They aren't IMO.

Widget Security

Fri, 06 May 2005 13:05:44 EDT

shavano : This Dashboard widget thing in Tiger is pretty cool. Already I've found several very useful tools. And I see there are hundreds available and the number seems to be multiplying like fruit flies.

Now I'm no expert, but I've scanned the developer page and looked inside a couple of widgets. They get pretty complex. And according to Apple, you can access any Unix command from inside the widget.

So, tell me how these things are safer than ActiveX in Windows.
--
Seek truth, not validation of existing beliefs.