Widgets Of Doom

Diatribe

macrumors 601
Original poster
Jan 8, 2004
4,226
21
Back in the motherland
Found this today.
Basically it describes how Widgets can go really bad and I must say after visiting the mentioned link in the story and reading the actual article, I must say it is pretty scary.
It really lowers the bar for malicious code to break into one's computer. And since Widgets are SUPPOSED to be programmed by another person, most likely NOT a trusted company, I must say it is kinda disturbing.
I guess this won't be that much of deal for users who know what they are doing but for the rest this can pose a serious issue.
And don't come with the regular argument that there is not such Widget yet. I know there isn't but there will be, I'm sure.
 

greenguy4

macrumors 6502
Jan 2, 2005
289
0
Wow...Wonder if apple will do anything about this? If people only download widgets from Apple.com and apple lets people submit them and then screens them it won't be a problem.
 

hodgjy

macrumors 6502
Apr 15, 2005
423
0
Security of a computer ultimately lies within the end user's hands. Just don't download anything from an untrusted source. Disable the ability of your browser to open programs.

If you do that, you'll be pretty safe.
 

broken_keyboard

macrumors 65816
Apr 19, 2004
1,144
0
Secret Moon base
People are going to get burned by Widgets. He is right about the social engineering thing: people know that you shouldn't install programs except from a trusted source, but I don't know that they will equate a widget with a fully fledged program.

They will think it is a little harmless thing and safe to install from anywhere, and they will be wrong.
 

superbovine

macrumors 68030
Nov 7, 2003
2,872
0
greenguy4 said:
Wow...Wonder if apple will do anything about this? If people only download widgets from Apple.com and apple lets people submit them and then screens them it won't be a problem.
a virus scanner would also slove the problem. however, that is the case with every program you download. do you think the malicous code can only go in widgets?
 

ifjake

macrumors 6502a
Jan 19, 2004
562
1
it would be really cool if someone made a widget of the original DOOM shooter. now that would be a widget of DOOM.

seriously, how much power over the system can dashboard widgets have? if there really is a security issue could apple put some kind of limitation on widgets in a future update to prevent any malicious actions from taking place?
 

katie ta achoo

macrumors G3
May 2, 2005
9,170
2
I was about to post this...

I just read it and I'm kind of freaked out.
I hope that this doesn't ever flourish.
I've since disabled opening of "safe downloads".

Eep.
 

superbovine

macrumors 68030
Nov 7, 2003
2,872
0
MoparShaha said:
The worst a malicious program under OS X could do is delete your home account. That and perhaps a keystroke logger.
heh your not very creative. what if there was code to delete firmware on your computer, and the you couldn't even boot without replacing a motherboard. How about code that goes through your address book and emails everyone in it pornographic material or worst yet post it on usenet as some type of sex ad with names and addresses. there are far worse things that deletions.
 

yg17

macrumors G5
Aug 1, 2004
14,888
2,480
St. Louis, MO
superbovine said:
heh your not very creative. what if there was code to delete firmware on your computer, and the you couldn't even boot without replacing a motherboard. How about code that goes through your address book and emails everyone in it pornographic material or worst yet post it on usenet as some type of sex ad with names and addresses. there are far worse things that deletions.
I don't believe the firmware thing is possible without it asking for an admin account password, and if you either dont have a password on your admin account or type it in, you deserve it. For the porn, I know a few people in my address book that would appreciate it :D
 

maxterpiece

macrumors 6502a
Mar 5, 2003
729
0
superbovine said:
heh your not very creative. what if there was code to delete firmware on your computer, and the you couldn't even boot without replacing a motherboard. How about code that goes through your address book and emails everyone in it pornographic material or worst yet post it on usenet as some type of sex ad with names and addresses. there are far worse things that deletions.
whoa... I'm not downloading anything from you!
 

lssmit02

macrumors 6502
Mar 25, 2004
393
34
Don't know if it's correct, but...

this was posted on that site, in the comments section:

18. Posted 5/8/2005 1:18:45 AM by Dale
Talk about a storm in a teacup....

Dashboard widgets run in their own process ('sandbox') and Apple have put limits on what a widget can do. They're also subject to the normal security precautions built in to Mac OS X accounts ie they can't run as root, etc.
Again, I don't know if this is accurate, but perhaps the risk isn't as great as the article makes out?
 

admanimal

macrumors 68040
Apr 22, 2005
3,530
2
hodgjy said:
Security of a computer ultimately lies within the end user's hands. Just don't download anything from an untrusted source. Disable the ability of your browser to open programs.

If you do that, you'll be pretty safe.
Doesn't doing that also keep harmless things like PDFs from being displayed automatically? That's kind of annoying...A better solution would be to add an option in Dashboard to at least prompt the user before it installs a new widget, asking whether it's OK.
 

lssmit02

macrumors 6502
Mar 25, 2004
393
34
I found this link in the Developer Connection:
Widget Security Model

Jist of it is as follows:

Using certain resources within your widget may pose a security risk for users. In these circumstances, the widget security model provides a method for Dashboard to be aware that your widget may perform insecure tasks. If your widget is working with resources that pose a security threat to the user, the user must approve before access is granted.
So, apparently you have to actively allow the widget to do bad things, although the user is only asked once.

If the request is approved, your widget is loaded and granted access to the resources that it requested. The request is not repeated on subsequent loads if approved.
 

admanimal

macrumors 68040
Apr 22, 2005
3,530
2
lssmit02 said:
this was posted on that site, in the comments section:



Again, I don't know if this is accurate, but perhaps the risk isn't as great as the article makes out?
It does seem like Apple took some precautions to prevent widgets from really messing up your system...but perhaps not from spamming and/or scamming you. A widget is technically doing nothing wrong by displaying porn on itself, and likewise by sending information it collects to a 3rd party website, since these behaviors are identical to what many legitimate widgets would do.

Really the main problem here is with the fact that the widget can install itself just by you going to a website without having to click on anything. As others have pointed out, as long as you're not dumb about where you download from, any widgets you purposely click on to download should be fine.
 

lssmit02

macrumors 6502
Mar 25, 2004
393
34
admanimal said:
It does seem like Apple took some precautions to prevent people from really messing up your system...but perhaps not from spamming and/or scamming you.
Yeah, the trojan horse model of malware would seem to work.

Widgets can open applications and web pages outside of their bundle. If your widget provides a subset of information found on the Internet, a link to the full data set that opens in Safari is appropriate. If your widget interfaces with an application, for example, iTunes, it should open it first. Dashboard can do this all for you.
From External Access
 

Dave Marsh

macrumors regular
Jul 23, 2002
210
0
Sacramento, CA
Dashboard Widgets slowed my Mac to a crawl

I installed Tiger on my 1GHz G4 iMac (with 768MB of memory) a week ago today, and this evening I found my Mac almost unresponsive. It hadn't actually locked up, but it was responding very slowly. A check of Activity Monitor (after waiting patiently for several minutes for the Mac to catch up to my mouse clicks) revealed that nearly all of my installed Widgets were hung (highlighted in red). I was able, using Activity Monitor, to kill each one individually to recover enough CPU cycles to gracefully restart the system.

Has anyone else experienced this behavior yet? I never shut down my desktop Macs, so I should know in another week whether this was an anomaly or something really is amiss with the widgets.

Concerning the other issue about widgets installing automatically following a download, I also disagree with this behavior. I wouldn't want to be spoofed into thinking I was clicking on a normal hotlink on a web page and finding it installing a Unix-specific virus using the widget's self-installing "feature." I hope Apple gives us a way to turn off this behavior and force us back into entering our admin password to confirm an intended application installation ... perhaps with a security update. That would be a reasonable confirmation that we know we're installing something intentionally. Even if a widget can't get access to root, an offending widget could apparently easily consume enough clock cycles to create a denial of service scenario. :(
 

admanimal

macrumors 68040
Apr 22, 2005
3,530
2
Dave Marsh said:
Concerning the other issue about widgets installing automatically following a download, I also disagree with this behavior. I wouldn't want to be spoofed into thinking I was clicking on a normal hotlink on a web page and finding it installing a Unix-specific virus using the widget's self-installing "feature." I hope Apple gives us a way to turn off this behavior and force us back into entering our admin password to confirm an intended application installation ... perhaps with a security update. That would be a reasonable confirmation that we know we're installing something intentionally. Even if a widget can't get access to root, an offending widget could apparently easily consume enough clock cycles to create a denial of service scenario. :(
It is unlikely that a widget could easily install a true virus of any sort...at least not one that could really do any harm to your system. As you point out, it is possible for one to hijak your resources, on purpose or not, but in that scenario it seems all you would have to do is kill the widget and them delete it from your ~/Library/Widgets folder. (Don't ask me why Apple didn't include some facility for gracefully deleting them)

All it would really take is one dialog box asking if its OK to install a widget and all of these potential problems (except the performance issues you had) would vanish.
 

Mechcozmo

macrumors 603
Jul 17, 2004
5,215
2
I'm pretty sure that this will be fixed, and soon, by Apple. At least it can't do devastating things without your permission.

Yes, we are mad, but yes, we know that it isn't the worst thing ever and it will be fixed.
 

admanimal

macrumors 68040
Apr 22, 2005
3,530
2
Yeah I have a feeling they will be making some changes to Dashboard in 10.4.1. I mean how can they let it stay with no (official) way to delete widgets from the tray? Worst. Idea. Ever.
 

Dave Marsh

macrumors regular
Jul 23, 2002
210
0
Sacramento, CA
User Widget Folder deleted overnight

An interesting thing happened overnight on both my desktop Macs. The ~/Library/Widgets folder (the one in the user account) was deleted on BOTH Macs. My laptop was asleep, so it remained OK.

Any ideas how this could have happened? The only thing that comes to mind for me is that Tiger's overnight system maintenance deleted it. But why?

I recreated it this morning and put new copies of the widgets into it. We'll see if anything happens this evening.
 

CubaTBird

macrumors 68020
Apr 18, 2004
2,135
0
this is very disconcerting.. or however u spell that... i think apple should fix this issue pronto.. but then hackers could always get creative and mess with the fix.. so go figure..