Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Dashboard from Tiger may bring the first real OS X Virus...

Status
Not open for further replies.
D

dotdotdot

macrumors 68020
Original poster
Jan 23, 2005
2,391
44
This should be on the front page or somewhere when users can see it...

WARNING: Only visit this website if you want to see the simulation of a malicious dashboard widget! Accessing this website will only download a widget that is 100% SAFE but simulates a malicious widget!

http://64.70.134.217/widgets/zaptastic/ <- Malicious Widget Simulator

---

Going to this website downloads a Dashboard widget automatically, but heres the catch. It can't be removed.

Yep, visiting it with Safari will automatically download and run the widget.

Don't worry, this website is only a simulation, and teaches you how to remove it.

It downloads a widget to your computer and runs it. It can not be removed without deleting it and rebooting. But, in the future, the widget can be set up to download and run malicious programs, thus leading to *gasp* possibly the first OS X virus that can be widespread.

Because I'm a windows user, I'm unnafected. Here is the text from the site:

Welcome to zaptastic.

If you are using Safari on Tiger, thanks to the magic of widget autoinstall, combined with the <meta> tag, a slightly evil widget has been installed in your dashboard. It could be a lot worse. There's a slightly more evil widget linked lower in this page, and I think it would be possible to make a much more destructive widget. I gave you something fairly tame.

You're welcome.

Other browser users will probably find it on their desktop.
In case the autoload doesn't work, here's a link: zaptastic

I picked up Safari at launch time from my local Apple store, brought it home, and got inspired to start in on a widget the next day. My flores and coras widgets are taking off like crazy. Over the last few days I've figured out quite a lot, including the fact that there are some potentially very annoying things one can do with a widget.

Let's start with autoinstall. I happen to like it, actually, I think it's a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.

That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it. Type "remove widget" into Apple Help, and you find out:

You cannot remove widgets from the Widget Bar or change their order.

Most of those reading this are probably aware of the workaround - just remove the offending widget from ~/Library/Widgets/. The Dashboard bar is not very good about updating when a widget is removed, but eventually it figures things out.

The average user, who can't find their Library folder with two mice and a spotlight, is stuck. It would take all of thirty seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard, and you're stuck with it. It doesn't even need any Javascript. Oh, hell, why not? (warning: oh me oh my, this is SO VERY NSFW) Click on this: ******.cx

Aren't you glad I didn't autoload THAT one?

Annoying, but not actually deadly. Unless, of course, some porn site installs 'chickswithdicks.wdgt' and your heavily armed and unstable spouse sees it. Actually, now that I look at that on my Dashboard, I'm kinda proud of it. Mr. ******, wherever you are, I tip my hat. And I hope you can sit down now.

Next, let's talk about zaptastic. I went to the trouble of making it ostensibly useful: it is a countdown timer for the launch of alleged PayPal competitor GreenZap. GreenZap is probably a Ponzi scheme, but do remember that PayPal gave away money when they were new, and it really would be a good idea on general principle if they had competition. Decide for yourself if this is of any utility. That really wouldn't be necessary, though, because the real point of the widget is that when it initializes or you click on it, it takes you to the GreenZap site, with my affiliate code, to try to get you to sign up. GreenZap is a pretty benign place to send you; I'm sure you can think of some less friendly destinations. Otherwise, it's rather well behaved, at least until June 1, after which it will take you there on every refresh.

This is annoying.

With one more line of code, the more evil version that I promised earlier takes you to GreenZap every time the widget is shown. This means that once you install zaptastic_evil, every time you launch Dashboard, your web browser goes to the GreenZap site. Which has the side effect of immediately dropping you out of Dashboard, preventing you from closing the offending widget.

You cannot get rid of zaptastic_evil without deleting it from ~/Library/Widgets/ and rebooting your computer. You cannot use your Dashboard until you delete it from ~/Library/Widgets/ and reboot your computer. Write that down if you're not clear on the concept, on a piece of paper, not a Dashboard sticky, because you won't be able to read it once you've installed this. Because Apple didn't actually give you a way to relaunch Dashboard without a reboot, though I suppose you could just kill the process. Certainly there is no user documentation for that.
This is very annoying.

I am SO not kidding! Do not install zaptastic_evil unless you actually know how to delete it and reboot your computer. zaptastic_evil shouldn't do any real damage, it's not that smart, but I take no responsibility if it does.

This said, here it is: zaptastic_evil.
Click to expand...

Right now the widgets dont really do anything except stay in the Dashboard widget chooser. The article has a widget that is NSFW because it has nudity in the dashboard widget chooser, as an example. Other sites can do this though, and since it automatically can load a website, it can steal information and maybe lead to an OS X virus. Probably not, but it COULD.

Oh Apple, PLEASE make it easier to kill widgets and remove it from the Dashboard widget chooser!
 
OK so its like the 8th repost today... BUT its the most informative!
 
8 times?

I am not surprised: I think that we all are in a heightened security state waiting for something like this...

in the meantime, I will only download widgets from the Apple website.

Cheers
 
i often wonder why those that are so enraptured with security and keeping things "safe" keep publishing exploits like this.

kinda like offering a manual for gun assisted suicide, but putting a note that it's only for demonstration purposes and shouldn't be tried, and that we don't recommend you use it.

ever poured fuel on a fire? these "tips" offer the same result, encouraging snapperheads to start creating malicious code. maybe not such a good idea.
 
Sometimes media sucks. You guys suck!! *grins*

No seriously, it's stupid that we advertise to the community of hackers/malware writers out there that OSX has holes so they can take advantage of them!!

I know we should all know blah blah, but can't we keep it to ourselves and let the lowlives who are gonna write the things work their asses off to find the holes themselves? I'm sure we'd have a lot less problems then.

Anyway, just my thoughts! Feel free to pound on me!
 
superfunkomatic said:
i often wonder why those that are so enraptured with security and keeping things "safe" keep publishing exploits like this.
Click to expand...
Because "security through obscurity" is a bad, bad idea. The quickest way to get something fixed is to make sure that everyone knows there's a problem.

Of course, under ideal circumstances the person who found the problem would contact the vendor (in this case, Apple) and give them an ultimatum: Fix the problem ASAP, or we out it. This happens to Microsoft a LOT, but they also see a lot of cases where folks do what this guy did... they just out the problem without any warning, causing two mad rushes: The developers rush to fix the issue ASAP, and hackers rush to exploit the issue ASAP.

Let's hope the good guys win the race.
 
Status
Not open for further replies.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back