I shot the sherrif.
Apparently Safari's default settings in 10.4 allow the download and execution of widgets, all without user interaction.
If you're using Safari you might want to turn off the feature to autorun safe downloads. An example of the evil widgets can be found as a link off of this page: http://www1.cs.columbia.edu/~aaron/files/widgets/
Google is your frenemy. Caveat Emptor - Latin for tough titty. I tend to interpret things in the way that's most hilarious to me.
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
That was fun, but, ugh, I'm not surprised. On the flip side, Safari 2.0 is terribly annoying with its hyper-paranoia on perfectly normal downloads.
"Are you sure you want to download this?" "Why, yes, you blithering idiot!"
The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
Member
Join Date: Jul 2004
Quote:
Nothing is executed. All that happens is the files are copied to the widgets directory instead of the user's download folder. The user would still have to explicitly install any new widgets that appear in the widget bar.
I shot the sherrif.
I linked to the nicer example code of what this can do. If you want the evil stuff I'll post a link below. But please read the info on it first.
Quote:
His page can be found here: http://stephan.com/widgets/zaptastic/ But it autoinstalls a widget, so don't click on that page unless you want an example of the less mean version of the Evil Widget.
Member
Join Date: Jul 2004
"This means that once you install zaptastic_evil"
How are you missing this one fundamental point? "Because Apple didn't actually give you a way to relaunch Dashboard without a reboot, though I suppose you could just kill the process." Hype and BS. Next...
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
Quote:
Seriously. Do it. Click that link with Safari's default "open safe items" enabled. Then hit your Dashboard command and see what happens. How many people know how to kill the right process and where to find the widget? It's probably the same ratio of people that know how to kill off a Windows malware program and remove it, obviously not the majority. Besides that, he's right. Apple gives absolutely no documentation for killing a widget. You're blind if you can't see that this is a serious problem that Apple needs to address ASAP. Perhaps if the goatse one loaded automatically instead you'd change your mind.
Hoonigan
Join Date: May 2004
Location: Canada
The Goatse Rip Effect??!!!!
Oh, ripple. Well, still. Whoa.
Veteran Member
Join Date: Jun 2004
Location: Portlandia
I like ripple fudge ice cream.
Member
Join Date: Jul 2004
Quote:
B) Someone downloads a widget that shows up in the list of available widgets to run, and they drag it out into the active dashboard area and it takes them to a goatsex webpage. How are those two things different? In neither case is code executed without user initiation. And both cases are equally susceptible to a trojan masquerading as an existing app. The headline for this story should be "Trojans are still a potential security risk" unless there is some way I'm missing that code is getting executed without user interaction.
Banging the Bottom End
Join Date: Jun 2004
Tuttle,
The code is getting auto-downloaded and auto-executed when you visit the page. No user interaction is required (unless you have 'open safe files' disabled in preferences). Maybe you should research what's actually happening at the exploit webpage before you dismiss it out of hand. Oh yeah, it's Goatse, not goatsex. NOT WORK SAFE. Goatse: http://www.putalocura.com/autoconten...120/goatse.jpg Goatsex:
Member
Join Date: Jul 2004
For the last time: No Code Is Being Executed.
Member
I've tried the dreaded evil widget, and I don't see what the big deal is. Any app that you download off the net and run has the potential to be malicious. Widgets are no different. Some people think Safari shouldn't put the widget in ~/Library/Widgets. Meh, what is the first thing folks will do when they download a widget? Put it in ~/Library/Widgets. You think having to copy the file will save you from a widget that is malicious? If you downloaded it, why wouldn't you copy it over and run it? That, and either way, Safari moving it or you, it doesn't auto-execute. I don't know where that came from. Both ways you have to drag it out of the widget dock to execute it. Safari just saves you the copy step.
Also, if Safari just downloaded the widget to the Desktop, and you double-click it, it'll still run. It's just like any other app. The lesson is don't trust just any old app you download off the net.
"Slow vehicle speeds with frequent stops would signal traffic congestion, for instance." uh... it could also signal that my Mom is at the wheel...
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
Quote:
1. Safari automatically downloads the file when simply visiting a web page, without any interaction or approval from the user. The user doesn't have to click any download link; it downloads on its own.
2. Safari then automatically moves the file away from the default download location to some location unknown to the user.
3. Step two automatically loads said file into the Dashboard toolbar.
4. Said file can do practically anything once the user enters the Dashboard screen and uses the widget, as exhibited by the evil examples. The user won't even realize he's using an evil widget.
This is wholly different from a user deliberately downloading and running a program. Every step but the last is done without any interaction from the user, and the last step isn't too hard to make look completely legitimate. That's Very Bad™.
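The four steps above, together with the opening post's advice to turn off "open safe files", describe a mitigation and a place to look: Safari's auto-open preference, and the ~/Library/Widgets folder the widget lands in. The script below is an added example, not code from the thread or from Apple. It reports the Safari setting, lists widgets that changed recently, and flags look-alikes of Apple's stock widgets (the leading-space trick raised later in the thread). It assumes Tiger's layout (user widgets in ~/Library/Widgets, Apple's in /Library/Widgets) and that the "Open safe files after downloading" checkbox is stored under the Safari preference key AutoOpenSafeDownloads; the latter is an assumption about Safari, not something the thread states.

```sh
#!/bin/sh
# Added example, not code from the thread. Audits the folder Safari drops
# auto-opened widgets into (~/Library/Widgets on Tiger, per the thread) for
# look-alikes of Apple's stock widgets (shipped in /Library/Widgets), and
# reports Safari's "Open safe files after downloading" setting.
# Assumption (not from the page): that checkbox is stored in Safari's
# preferences as the boolean key AutoOpenSafeDownloads.

# suspicious_widgets USER_DIR STOCK_DIR
# Prints "<reason><TAB><path>" for each *.wdgt in USER_DIR whose name
#   - starts with whitespace (sorts ahead of, and looks identical to, the real
#     widget in the Dashboard bar: the trick described in the thread), or
#   - matches the name of a stock widget in STOCK_DIR (an impostor of a default).
suspicious_widgets() {
    user_dir=$1
    stock_dir=$2
    for w in "$user_dir"/*.wdgt; do
        [ -e "$w" ] || continue              # no widgets: the glob stays literal
        name=$(basename "$w")
        trimmed=$(printf '%s' "$name" | sed 's/^[[:space:]]*//')
        if [ "$trimmed" != "$name" ]; then
            printf 'leading-space\t%s\n' "$w"
        elif [ -e "$stock_dir/$trimmed" ]; then
            printf 'shadows-stock\t%s\n' "$w"
        fi
    done
}

# recent_widgets USER_DIR DAYS
# Lists widgets modified within the last DAYS days: anything here the user does
# not remember installing is worth a look, whatever its name.
recent_widgets() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 -name '*.wdgt' -mtime "-$2" 2>/dev/null
}

# safari_autoopen_status
# Reads the Safari preference; prints the stored value, or notes that it is
# unset (the checkbox is on by default, which is the behaviour the thread is about).
safari_autoopen_status() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null \
            || echo "unset (Safari default: enabled)"
    else
        echo "defaults(1) not found; not running on Mac OS X"
    fi
}

echo "Safari AutoOpenSafeDownloads: $(safari_autoopen_status)"
echo "Widgets changed in the last 7 days:"
recent_widgets "$HOME/Library/Widgets" 7
echo "Suspicious widgets:"
suspicious_widgets "$HOME/Library/Widgets" /Library/Widgets
```

To turn the auto-open behaviour off from the shell rather than the Preferences window, the matching write is `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` (same key assumption as above); a widget that has already been dropped into ~/Library/Widgets still has to be deleted by hand, since the script only reports it.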
Multi-touch Piñata
Join Date: May 2004
So, since widgets run with the user's permissions, could one, say, use curl to download porn to the Screensaver folder and use AppleScript to set Screensaver to Images?
...nasty.
"Peace cannot be kept by force. It can only be achieved by understanding." - Albert Einstein
Member
Well looking at the page source, the problem seems to lie with how Safari handles those iframe tags. That is a problem not just restricted to dashboard or widgets though. However, there still is no auto execution. You still have to drag them off the dashboard dock to do anything.
I shot the sherrif.
The combination that looks really mean would be the auto install of widgets that looked like Apple's, had the same name (only with spaces in front) and were auto installed. (See the first example).
Then the user, without knowing it, would have replaced their entire first row of default widgets. Say they wanted to launch "Address Book" and click on its icon. Bam, home directory gone. Dashboard should indicate visually when a dashboard widget is new to the system, and should also ask for confirmation before launching the first time. That would help with this problem.
Multi-touch Piñata
Join Date: May 2004
That'd be too scummy. That'd just drain resources away from investigating real kiddie porn cases.
Anyway, my (and I assume your) point is data loss isn't the worst that can happen.
Member
Join Date: May 2004
Looks like there are quite a few of you that don't want to believe that Apple made a booboo and now there is a vulnerability in their operating system. I think we should have a competition to see who can create the widget that causes the most damage to Tiger, and then you guys who don't want to believe can click the links and here comes teh ghey.
No awkward goodbyes. No 'still friends' bullshit. Just a couple of bruised titties and a failed relationship. I rule.
Member
The first one to make a widget, that loads lots of bright images on my display, really fast and scares my betta fish Takahashi gets a Simpsons lava lamp.
It's challenging though, since I'm still using Panther. [Yeah for randomly plugging things around my desk!]
/* styling for my posts */ .intelligence {display: none;}