

shavano
Even in America -- I long for America

join:2003-06-08
Dallas, TX

Widget Security

This Dashboard widget thing in Tiger is pretty cool. Already I've found several very useful tools. And I see there are hundreds available and the number seems to be multiplying like fruit flies.

Now I'm no expert, but I've scanned the developer page and looked inside a couple of widgets. They get pretty complex. And according to Apple, you can access any Unix command from inside the widget.

So, tell me how these things are safer than ActiveX in Windows.
--
Seek truth, not validation of existing beliefs.


Homunculus
Raye man kojast?
Premium
join:2000-12-14
Dar al-Harb
clubs:
They aren't IMO.


HiVolt
Premium
join:2000-12-28
Toronto, ON
clubs:
·TekSavvy Solutions..
·Bell Sympatico

reply to shavano
If you aren't asked to enter your admin password, and AFAIK, you aren't, to install or use the widgets, there is a potential for trojans and other malware to exploit this I think.
--
}·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´


JJ
Beat It, Bill
Premium,MVM
join:2000-02-18
Madison, WI

reply to shavano
The widget has to ask the user for permission to run the first time if it wants access to the system:

»developer.apple.com/documentatio···n_1.html


jmirabella
Joe Mirabella
Premium,VIP
join:2003-10-20
Bowie, MD
clubs:
·Sprint Mobile Broa..
·VoicePulse

reply to shavano
Also any outbound traffic can be 'caught' by programs such as Little Snitch

»www.obdev.at/products/littlesnitch/
--
RCN Customers PM jmirabella your modem MAC address or RCN username if you have any questions.


jDyno
Premium
join:2001-02-20
Washington, DC
clubs:

reply to JJ
But it doesn't really tell you that it may be a security risk or that it accesses private system stuff. It just asks permission to run for the first time.

Also, no such warning exists when a widget needs Net access.

Yes, apps exist to monitor net traffic, and of course one is SUPPOSED to scan everything you put on your computer, but that's just not a practical security paradigm.

Even if everyone did have the discipline to check for security risks in every Widget (or any other thing they put on their machine), you can't expect everyone to have the knowledge to know what to look for. Hell, I'm a developer and I wouldn't be able to spot everything - probably even if I knew it was there.

And no, these do no more than any other Applescript could do, but Widgets and Automator actions will be used and downloaded many hundreds of thousands of more times than Applescript just by the very fact in how they are now more built-in and accessible by the everyday user.

I am of the opinion that the security of Dashboard Widgets (and Automator actions) needs to be addressed by Apple ASAP.
--
Smart Marketing


shavano
Even in America -- I long for America

join:2003-06-08
Dallas, TX

reply to shavano
I was hoping they might only be able to execute informational commands, not execute any arbitrary command like "rm -Rf".

I'd like them to not be able to do anything that writes or modifies a file via Unix command.

Maybe there's something down in the bowels that prevents it?

But if not, and if they actually are just mini-browsers, then did this make Safari vulnerable as well? That is, the widget object with all its power, is now available to any Javascript? Or is it "limited" to just widgets executing via the Widget Server?
--
Seek truth, not validation of existing beliefs.


rjackson
Premium,Mod
join:2002-04-02
Ringgold, GA
clubs:

Host:
SMC Networks
Automotive
VOIP Tech Chat
ViaTalk
Teleblend

2 edits
said by shavano:

I was hoping they might only be able to execute informational commands, not execute any arbitrary command like "rm -Rf".

I'd like them to not be able to do anything that writes or modifies a file via Unix command.

Maybe there's something down in the bowels that prevents it?
If you're concerned about a widget accessing the system open it up by right-clicking (or cmd-clicking) on the widget and go to "Show package contents". Open up the widget's Info.plist and look for a key that says "AllowSystem" or "AllowFullAccess". Without either of these keys set to "Yes" the widget has no authority to run system commands.

Likewise the absence of the "AllowNetwork" key prevents the widget from using network resources.

said by shavano:

But if not, and if they actually are just mini-browsers, then did this make Safari vulnerable as well? That is, the widget object with all its power, is now available to any Javascript? Or is it "limited" to just widgets executing via the Widget Server?
The widget object is only available in Dashboard, it doesn't have any properties in Safari. In fact most widgets will test to see if they're in the Dashboard environment before doing anything with the widget object:

    if(window.widget) {
        // do widget-only stuff here
    }


shavano
Even in America -- I long for America

join:2003-06-08
Dallas, TX

reply to jDyno
said by jDyno:

But it doesn't really tell you that it may be a security risk

that's just not a practical security paradigm.

Even if everyone did have the discipline ... you can't expect everyone to have the knowledge to know what to look for.

I am of the opinion that the security of Dashboard Widgets (and Automator actions) needs to be addressed by Apple ASAP.
Exactly!

I just took a few minutes this morning to see what it might take for me to write my own. I saw the note on the Apple page about system commands and looked inside a couple of widgets.

My immediate reaction was "holy sh*t!!!!!".

Though not a professional developer, I'm reasonably competent at the Unix command line and have done some HTML and C programs. And I immediately knew they will easily be so complex there is no chance I would be able to tell if a widget was going to do something malicious.
--
Seek truth, not validation of existing beliefs.


bobrk
You kids get offa my lawn
Premium
join:2000-02-02
San Jose, CA
·SONIC.NET

reply to shavano
said by shavano:

I was hoping they might only be able to execute informational commands, not execute any arbitrary command like "rm -Rf".
Can an administrator do an rm -Rf anywhere? Seems to me I have to use sudo just to edit the /etc/hosts file.
--
bobrk


rjackson
Premium,Mod
join:2002-04-02
Ringgold, GA
clubs:
The most a widget could do without an admin password for sudo is wipe out your home directory, since it runs under your UID.


bobrk
You kids get offa my lawn
Premium
join:2000-02-02
San Jose, CA
That's what I was thinking.

Nighttime

join:2001-11-30
reply to rjackson
I guess a widget could be cooked up to check that file.


sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online

reply to rjackson
said by rjackson:

The widget object is only available in Dashboard, it doesn't have any properties in Safari. In fact most widgets will test to see if they're in the Dashboard environment before doing anything with the widget object:

    if(window.widget) {
        // do widget-only stuff here
    }

I'm confused here, as I thought you were able to debug/run widgets in Safari 2.x?

If I were a betting man, I'd say the first big Mac "trojan" will be a malicious widget. If they can be loaded in Safari, look out, then browsing becomes Active-X dangerous.

--
Bush/Cheney '04! - Scared Straight
"Patriotism is supporting your country all the time and your government when it deserves it."


rjackson
Premium,Mod
join:2002-04-02
Ringgold, GA
clubs:

Host:
SMC Networks
Automotive
VOIP Tech Chat
ViaTalk
Teleblend

1 edit
Yeah, widgets can be debugged/run in Safari but they won't have their full capabilities. The widget object is specific to Dashboard and as such none of its methods or properties are valid in Safari, so they wouldn't work anyways. That includes widget.system() for executing system commands.

Testing if window.widget exists is just a matter of good programming practices, there's no reason to execute code if you know it's going to fail or produce unexpected results.


bobrk
You kids get offa my lawn
Premium
join:2000-02-02
San Jose, CA
So it's sort of up to the Dashboard to do security duties?
--
bobrk


rjackson
Premium,Mod
join:2002-04-02
Ringgold, GA
clubs:

Host:
SMC Networks
Automotive
VOIP Tech Chat
ViaTalk
Teleblend
said by bobrk:

So it's sort of up to the Dashboard to do security duties?
No, It's Up To You™. Some people might think it's unfair but you shouldn't trust a widget you downloaded any more than you would trust a shell script, Automator workflow, or AppleScript. The good news is it's fairly easy to audit a widget simply because they're scripts, rather than a binary that isn't very human-readable.
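
The audit described in this thread (the Info.plist access keys and the widget.system() call), as an added example that is not part of the original posts or Apple's code: it reports every top-level `Allow*` key that is switched on, which generalizes beyond the three keys named above, and lists each line that calls widget.system(). The `Sample.wdgt` bundle and its contents are constructed for the demonstration.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Matches calls to the Dashboard-only widget.system() method named in the thread.
SYSTEM_CALL = re.compile(r"\bwidget\s*\.\s*system\s*\(")
TRUTHY = {"yes", "true", "1"}  # plists may store <true/>, 1 or the string "Yes"


def audit_widget(bundle):
    """Return the access a .wdgt bundle requests and where it shells out."""
    bundle = Path(bundle)
    with open(bundle / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    # Any enabled Allow* key is a capability request; this covers the
    # AllowSystem / AllowFullAccess / AllowNetwork keys named in the thread.
    granted = sorted(k for k, v in info.items()
                     if k.startswith("Allow") and str(v).strip().lower() in TRUTHY)
    calls = []
    for path in sorted(bundle.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".js", ".html", ".htm"}:
            continue
        text = path.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if SYSTEM_CALL.search(line):
                calls.append((str(path.relative_to(bundle)), lineno, line.strip()))
    return {"granted": granted, "system_calls": calls}


def make_sample_widget(root):
    """Build a constructed sample bundle (not a real widget) for the demo."""
    bundle = Path(root) / "Sample.wdgt"
    bundle.mkdir()
    with open(bundle / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleName": "Sample", "MainHTML": "main.html",
                       "AllowSystem": True, "AllowNetwork": False}, fh)
    (bundle / "main.js").write_text(
        "if (window.widget) {\n"
        "    var out = widget.system('/usr/bin/uptime', null).outputString;\n"
        "}\n")
    return bundle


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_widget(make_sample_widget(tmp))
        print("requested access:", report["granted"] or "none")
        for name, lineno, src in report["system_calls"]:
            print(f"{name}:{lineno}: {src}")
```

The key report is the signal to rely on; the text match only points a reviewer at lines worth reading and will miss calls that are assembled or obfuscated at runtime.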


jDyno
Premium
join:2001-02-20
Washington, DC
clubs:

said by rjackson:

said by bobrk:

So it's sort of up to the Dashboard to do security duties?
No, It's Up To You™. Some people might think it's unfair but you shouldn't trust a widget you downloaded any more than you would trust a shell script, Automator workflow, or AppleScript. The good news is it's fairly easy to audit a widget simply because they're scripts, rather than a binary that isn't very human-readable.
Tell that to my 60-year old mother, for whom I'll be updating her new iBook to Tiger in the coming weeks.

Hell, tell that to my 36-year old sister, who is a very computer-savvy graphic designer, but wouldn't know what the code meant if you forced her to read it like a EULA every time the widget launched!

It's just not practical, rjackson. Even for me, and I write webdev code for a living. It would be really easy to hide some nefarious stuff in benign-looking code. And tell me, have you opened every single Widget you downloaded before loading it and thoroughly examined every single line to make sure it doesn't do anything you don't expect? C'mon.

And at this point, I'm not even asking for anything too advanced from Dashboard or Automator. I just want even the barest programmatic protections against nefarious stuff, like explicitly telling me that an app requires System or Net access (the current warning is too vague and I even missed that it was asking for access to the SYSTEM, rather than just telling me I'm running something for the first time) and ALSO telling me in idiot terms, why I should care about this.

This isn't about protecting those that know better or can do things to protect themselves. Apple is getting more and more into an uneducated consumer space, and that's a good thing, so they need to do more to protect those that can't protect themselves.
--
Smart Marketing


sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online

reply to rjackson
said by rjackson:

said by bobrk:

So it's sort of up to the Dashboard to do security duties?
No, It's Up To You™. Some people might think it's unfair but you shouldn't trust a widget you downloaded any more than you would trust a shell script, Automator workflow, or AppleScript. The good news is it's fairly easy to audit a widget simply because they're scripts, rather than a binary that isn't very human-readable.
Eek! That sounds like something you'd overhear in the Windows Help forum.
--
Bush/Cheney '04! - Scared Straight
"Patriotism is supporting your country all the time and your government when it deserves it."


shavano
Even in America -- I long for America

join:2003-06-08
Dallas, TX

reply to rjackson
said by rjackson:

The most a widget could do without an admin password for sudo is wipe out your home directory, since it runs under your UID.
The most? Like that's not enough?

Even with daily backups, you probably would lose something. Like that priceless photo you just uploaded and deleted from the camera. This is making me rethink Dashboard AND backup strategy. (As in, "I need a backup strategy!" )

Hmmmm....maybe an Automator action that does an incremental backup to separate disk, changing ownership before and after. Or is that just a folder action......sheesh, more stuff to go learn....;)
--
Seek truth, not validation of existing beliefs.