
Evil Safari settings and security in 10.4


alcimedes
I shot the sherrif.
 
Join Date: May 2004
2005-05-08, 22:21

Apparently Safari's default settings in 10.4 allow the download and execution of widgets all without user interaction.

If you're using Safari you might want to turn off the feature to autorun safe downloads.

An example of the evil widgets can be found as a link off of this page:

http://www1.cs.columbia.edu/~aaron/files/widgets/

Google is your frenemy.
Caveat Emptor - Latin for tough titty
I tend to interpret things in the way that's most hilarious to me
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2005-05-08, 22:39

That was fun, but, ugh, I'm not surprised. On the flip side, Safari 2.0 is terribly annoying with its hyper paranoia on perfectly normal downloads.

"Are you sure you want to download this?"
"Why, yes, you blithering idiot!"

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
Tuttle
Member
 
Join Date: Jul 2004
 
2005-05-09, 08:04

Quote:
Originally Posted by alcimedes
Apparently Safari's default settings in 10.4 allow the download and execution of widgets all without user interaction.
Did you even bother to try this?

Nothing is executed. All that happens is the files are copied to the widgets directory instead of the user's download folder. The user would still have to explicitly install any new widgets that appear in the widget bar.
alcimedes
I shot the sherrif.
 
Join Date: May 2004
2005-05-09, 09:05

I linked to the nicer example code of what this can do. If you want the evil stuff I'll post a link below. But please read the info on it first.

Quote:
With one more line of code, the more evil version that I promised earlier takes you to ******** every time the widget is shown. This means that once you install zaptastic_evil, every time you launch Dashboard, your web browser goes to the ******** site. Which has the side effect of immediately dropping you out of Dashboard, preventing you from closing the offending widget.

You cannot get rid of zaptastic_evil without deleting it from ~/Library/Widgets/ and rebooting your computer. You cannot use your Dashboard until you delete it from ~/Library/Widgets/ and reboot your computer. Write that down if you're not clear on the concept, on a piece of paper, not a Dashboard sticky, because you won't be able to read it once you've installed this. Because Apple didn't actually give you a way to relaunch Dashboard without a reboot, though I suppose you could just kill the process. Certainly there is no user documentation for that.

This is very annoying.
I am SO not kidding! Do not install zaptastic_evil unless you actually know how to delete it and reboot your computer. zaptastic_evil shouldn't do any real damage, it's not that smart, but I take no responsibility if it does.
Evil Widget

His page can be found here: http://stephan.com/widgets/zaptastic/

But it autoinstalls a widget, so don't click on that page unless you want an example of the less mean version of the Evil Widget.

Tuttle
Member
 
Join Date: Jul 2004
 
2005-05-09, 09:13

" This means that once you install zaptastic_evil"

How are you missing this one fundamental point?

"Because Apple didn't actually give you a way to relaunch Dashboard without a reboot, though I suppose you could just kill the process. "

Hype and BS.

Next...
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2005-05-09, 09:19

Quote:
Originally Posted by Tuttle
Hype and BS.

Next...
Did you even bother to try this?

Seriously. Do it. Click that link with Safari's default "open safe items" enabled. Then hit your Dashboard command and see what happens.

How many people know how to kill the right process and where to find the widget? It's probably the same ratio of people that know how to kill off a Windows malware program and remove it, obviously not the majority.

Besides that, he's right. Apple gives absolutely no documentation for killing a widget.

You're blind if you can't see that this is a serious problem that Apple needs to address ASAP.

Perhaps if the goatse one loaded automatically instead you'd change your mind.

bassplayinMacFiend
Banging the Bottom End
 
Join Date: Jun 2004
 
2005-05-09, 11:09

Quote:
Originally Posted by Brad
Perhaps in the goatse one loaded automatically instead you'd change your mind.
See, I'd probably use the Dashboard more if it had a Goatse effect instead of the stupid ripple effect. This would be a cool effect to use when removing a widget from the Dashboard.
murbot
Hoonigan
 
Join Date: May 2004
Location: Canada
 
2005-05-09, 11:18

The Goatse Rip Effect??!!!!

Oh, ripple.

Well, still. Whoa.
sunrain
Veteran Member
 
Join Date: Jun 2004
Location: Portlandia
 
2005-05-09, 11:33

I like ripple fudge ice cream.
Tuttle
Member
 
Join Date: Jul 2004
 
2005-05-09, 17:06

Quote:
Originally Posted by Brad
Did you even bother to try this?
You're blind if you can't see that this is a serious problem that Apple needs to address ASAP.
A) Someone downloads an app to the desktop that looks innocent but does something bad like takes you to a goatsex webpage - assuming one considers that a bad thing when clicked on.

B) Someone downloads a widget that shows up in the list of available widgets to run and they drag it out into the active dashboard area and it takes them to a goatsex webpage.

How are those two things different? In neither case is code executed without user initiation. And both cases are equally susceptible to a trojan masquerading as an existing app.

The headline for this story should be "Trojans are still a potential security risk" unless there is some way I'm missing that code is getting executed without user interaction.
bassplayinMacFiend
Banging the Bottom End
 
Join Date: Jun 2004
 
2005-05-09, 19:36

Tuttle,

The code is getting autodownloaded and autoexecuted when you visit the page. No user interaction is required (unless you have 'open safe files' disabled in preferences).

Maybe you should research what's actually happening at the exploit webpage before you dismiss it out of hand.

Oh yeah, it's Goatse, not goatsex.

NOT WORK SAFE
Goatse: http://www.putalocura.com/autoconten...120/goatse.jpg

Goatsex:
Tuttle
Member
 
Join Date: Jul 2004
 
2005-05-09, 19:48

For the last time: No Code Is Being Executed.
Mr Beardsley
Member
 
Join Date: Jul 2004
Location: Colorado Springs
2005-05-09, 23:53

I've tried the dreaded evil widget, and I don't see what the big deal is. Any app that you download off the net and run has the potential to be malicious. Widgets are no different. Some people think Safari shouldn't put the widget in ~/Library/Widgets. Meh, what is the first thing folks will do when they download a widget, put it in ~/Library/Widgets? You think having to copy the file will save you from a widget that is malicious? If you downloaded it, why wouldn't you copy it over and run it? That, and either way, Safari moving it or you, it doesn't auto execute. I don't know where that came from. Both ways you have to drag it out of the widget dock to execute it. Safari just saves you the copy step.

Also, if Safari just downloaded the widget to the Desktop, and you double click it, it'll still run. It's just like any other app. The lesson is don't trust just any old app you download off the net.

"Slow vehicle speeds with frequent stops would signal traffic congestion, for instance."

uh... it could also signal that my Mom is at the wheel...
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2005-05-09, 23:59

Quote:
Originally Posted by Mr Beardsley
I've tried the dreaded evil widget, and I don't see what the big deal is.
The "big deal" consists of four things:

1. Safari automatically downloads the file when simply visiting a web page without any interaction or approval from the user. The user doesn't have to click any download link; it downloads on its own.
2. Safari then automatically moves the file away from the default download location to some location unknown to the user.
3. Step two automatically loads said file into the Dashboard toolbar.
4. Said file can do practically anything once the user enters the Dashboard screen and uses the widget, as exhibited by the evil examples. The user won't even realize he's using an evil widget.

This is wholly different from a user deliberately downloading and running a program. Every step but the last is done without any interaction from the user and the last step isn't too hard to make look completely legitimate.

That's Very Bad™.

IonYz
Member
 
Join Date: Nov 2004
Location: Chicagoland
2005-05-10, 00:09

Yeah, there is a difference: "I downloaded this, installed it and now my machine won't work" compared to "I visited this website and now my machine won't work."

I can just post a link, you click, that's it. There is no step three.

/* styling for my posts */
.intelligence {display: none;}
johnq
Multi-touch Piñata
 
Join Date: May 2004
 
2005-05-10, 00:15

So, since widgets run with the user's permissions, could one, say, use curl to download porn to the Screensaver folder and use AppleScript to set Screensaver to Images?

...nasty.

"Peace cannot be kept by force. It can only be achieved by understanding." - Albert Einstein
Mr Beardsley
Member
 
Join Date: Jul 2004
Location: Colorado Springs
2005-05-10, 00:16

Well looking at the page source, the problem seems to lie with how Safari handles those iframe tags. That is a problem not just restricted to dashboard or widgets though. However, there still is no auto execution. You still have to drag them off the dashboard dock to do anything.

bassplayinMacFiend
Banging the Bottom End
 
Join Date: Jun 2004
 
2005-05-10, 05:58

Quote:
Originally Posted by johnq
So, since widgets run with the user's permissions, could one, say, use curl to download porn to the Screensaver folder and use AppleScript to set Screensaver to Images?

...nasty.
or do an rm -rf ~/ *poof* there goes your whole user directory.
alcimedes
I shot the sherrif.
 
Join Date: May 2004
2005-05-10, 08:43

The combination that looks really mean would be the auto install of widgets that looked like Apple's, had the same name (only with spaces in front) and were auto installed. (See the first example).

Then the user, without knowing it, would have replaced their entire first row of default widgets. Say they wanted to launch "Address Book" and click on its icon. Bam, home directory gone.

Dashboard should indicate visually when a dashboard widget is new to the system, and should also ask for confirmation before launching the first time. That would help with this problem.

johnq
Multi-touch Piñata
 
Join Date: May 2004
 
2005-05-10, 10:25

Quote:
Originally Posted by bassplayinMacFiend
or do an rm -rf ~/ *poof* there goes your whole user directory.
I know but that's rather mundane.
bassplayinMacFiend
Banging the Bottom End
 
Join Date: Jun 2004
 
2005-05-10, 11:46

Quote:
Originally Posted by johnq
I know but that's rather mundane.
You're correct, it is mundane. How about this? The widget could upload kiddie-porn that came as encrypted data to all the FBI servers then download more kiddie-porn so that by the time the FBI knocks on your door there'd be a whole bunch of evidence for them to nail you to the wall.
johnq
Multi-touch Piñata
 
Join Date: May 2004
 
2005-05-10, 12:06

That'd be too scummy. That'd just drain resources away from investigating real kiddie porn cases.

Anyway my (and I assume your) point is data loss isn't the worst that can happen.

Random Hero
Member
 
Join Date: May 2004
 
2005-05-10, 12:33

Looks like there's quite a few of you that don't want to believe that Apple made a booboo and now there is a vulnerability in their Operating System. I think we should have a competition to see who can create the widget that causes the most damage to Tiger, and then you guys who don't want to believe can click the links and here comes teh ghey


No awkward goodbyes. No 'still friends' bullshit. Just a couple of bruised titties and a failed relationship. I rule.
bassplayinMacFiend
Banging the Bottom End
 
Join Date: Jun 2004
 
2005-05-10, 14:14

Quote:
Originally Posted by Random Hero
Looks like there's quite a few of you that don't want to believe that Apple made a booboo and now there is a vulnerability in their Operating System. I think we should have a competition to see who can create the widget that causes the most damage to Tiger, and then you guys who don't want to believe can click the links and here comes teh ghey

Yea, these Widgets seem, for the moment, to be the ActiveX of the Mac world. Widgets have full access to user space (hope you're not running as root), they're not trapped in a security sandbox like a true Javascript app is.
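The posts above make three concrete points a defender can check for: Brad's step two (Safari silently puts the bundle in ~/Library/Widgets, a place the user never looks), alcimedes's suggestion that a newly arrived widget should stand out and that a look-alike name with spaces in front is the dangerous case, and bassplayinMacFiend's note that widgets run with the user's full permissions. The audit below is an added example written for this thread, not code from any poster or from Apple. It walks a widgets folder, reads each bundle's Info.plist, and reports widgets that are new since a saved baseline, whose name is whitespace-padded or copies an Apple widget name, or that declare the access keys Apple documents for widget Info.plist files (AllowSystem is what lets a widget's JavaScript run shell commands; AllowFullAccess turns every key on). The list of Apple widget names and the two sample bundles it builds in a temp directory are constructed for the example.

```python
import os
import plistlib
import tempfile

# Access keys Apple documents for a widget's Info.plist. Each one widens what the
# widget's JavaScript may reach: AllowSystem enables widget.system() (shell
# commands), AllowFullAccess switches on every access key at once.
RISKY_KEYS = (
    "AllowFullAccess",
    "AllowSystem",
    "AllowFileAccessOutsideOfWidget",
    "AllowNetworkAccess",
    "AllowInternetPlugins",
    "AllowJava",
)

# Constructed list (an assumption for this example) of names Apple's own widgets
# carry; a user-installed widget using one of them is treated as a look-alike.
APPLE_WIDGET_NAMES = {"Address Book", "Calculator", "Stickies", "Weather", "World Clock"}


def read_widget_info(bundle_path):
    """Parse the Info.plist inside a .wdgt bundle."""
    with open(os.path.join(bundle_path, "Info.plist"), "rb") as fh:
        return plistlib.load(fh)


def audit_widget(bundle_path, baseline_ids):
    """Return the findings for one widget bundle.

    baseline_ids is the set of CFBundleIdentifier values recorded on a previous
    run; anything outside it is reported as new, the cue alcimedes wanted
    Dashboard itself to show.
    """
    info = read_widget_info(bundle_path)
    name = info.get("CFBundleName") or os.path.splitext(os.path.basename(bundle_path))[0]
    ident = info.get("CFBundleIdentifier", "")
    findings = []
    if name != name.strip():
        findings.append("name padded with whitespace")
    if name.strip() in APPLE_WIDGET_NAMES:
        findings.append("name mimics an Apple widget")
    for key in RISKY_KEYS:
        if info.get(key):
            findings.append("declares " + key)
    if ident not in baseline_ids:
        findings.append("not in baseline")
    return {"bundle": os.path.basename(bundle_path), "identifier": ident, "findings": findings}


def audit_directory(widgets_dir, baseline_ids):
    """Audit every .wdgt bundle in widgets_dir, sorted by bundle name."""
    results = []
    for entry in sorted(os.listdir(widgets_dir)):
        path = os.path.join(widgets_dir, entry)
        if entry.endswith(".wdgt") and os.path.isdir(path):
            results.append(audit_widget(path, baseline_ids))
    return results


def make_widget(widgets_dir, dirname, info):
    """Write a minimal .wdgt bundle (constructed fixture, not a real widget)."""
    path = os.path.join(widgets_dir, dirname)
    os.makedirs(path)
    with open(os.path.join(path, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    return path


def build_sample_dir():
    """Constructed stand-in for ~/Library/Widgets: one benign widget, one look-alike."""
    d = tempfile.mkdtemp(prefix="widgets-")
    make_widget(d, "Tides.wdgt", {
        "CFBundleName": "Tides",
        "CFBundleIdentifier": "com.example.tides",
    })
    make_widget(d, " Address Book.wdgt", {
        "CFBundleName": " Address Book",        # leading space sorts it ahead of Apple's
        "CFBundleIdentifier": "com.example.lookalike",
        "AllowSystem": True,                    # widget.system() available to its JS
        "AllowFullAccess": True,
    })
    return d


if __name__ == "__main__":
    # Point target at os.path.expanduser("~/Library/Widgets") on a real 10.4 machine;
    # the sample directory keeps the example self-contained.
    target = build_sample_dir()
    for r in audit_directory(target, baseline_ids={"com.example.tides"}):
        print(r["bundle"], r["identifier"], "; ".join(r["findings"]) or "ok")
```

Run it once to record the identifiers of the widgets you know about, then re-run after browsing: a bundle that shows up as "not in baseline" arrived without you copying it there, which is exactly the path the opening post describes. The preference alcimedes tells people to turn off is Safari's "Open 'safe' files after downloading" checkbox; the same setting is reachable from a terminal as `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`.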
bassplayinMacFiend
Banging the Bottom End
 
Join Date: Jun 2004
 
2005-05-10, 14:15

Quote:
Originally Posted by johnq
That'd be too scummy. That'd just drain resources away from investigating real kiddie porn cases.

Anyway my (and I assume your) point is data loss isn't the worst that can happen.


IonYz
Member
 
Join Date: Nov 2004
Location: Chicagoland
2005-05-11, 00:01

The first one to make a widget, that loads lots of bright images on my display, really fast and scares my betta fish Takahashi gets a Simpsons lava lamp.

It's challenging though, since I'm still using Panther

[Yeah for randomly plugging things around my desk!]
