A follow up.
As I said, most people will be safe, but it definitely lowers the bar for malicious code to intrude into your system. A widget is installed faster than an app.
Apple.com and dashboardwidget.com both check the submitted widgets before they are displayed though. Just don't download from sources you don't know.
Apple will do something about this soon I guess.
 
swissmann said:
It would be nice if people who found the holes would quietly let Apple know about them instead of showing everyone else how to do it. Are they trying to help or hurt?

You're right. I'm using OS X 10.4 ("Tiger") right now and I have found over 160 holes!!! on my machine. :eek:

I'm going to share this with Apple, however it may already be public knowledge by now. Here's the "link" for what I'm guessing must be the proof of concept. For God's sake, look out for the traps...

http://www.apple.com/downloads/macosx/games/simulation_and_sports/glgolf.html
 
I'm not sure that there is any danger at all

create file foo.txt somewhere in your user's directory
change command in the quick command widget to
rm -rf <path_to_your_foo.txt_file>
try to execute it
nothing will happen except you'll see the following message in the console
application: 2005-05-10 02:07:18.495 DashboardClient[611] (com.apple.widget.quickcmd) file:///Library/Widgets/QuickCmd.wdgt/quickcmd.html: Object (result of expression enterflip) does not allow calls. (line: 32)
so Apple doesn't allow the widget to alter your directory
 
I do know one thing - this is awful publicity for Apple.

It doesn't matter if it's true or not - the ignorant majority will believe it, they want to believe it.

The Mac haters will be pushing this as much as they can.
 
I hope Apple fixes this. Although it can be stopped, some people will just install it and then say "oh, Mac is crap". Think Apple will fix it just as fast as the iTunes thingy :rolleyes: :D
 
MoparShaha said:
The worst a malicious program under OS X could do is delete your home account. That and perhaps a keystroke logger.
Which for a single-user system means ALL; who cares about the OS, your files are the important thing.
 
Anyone know how this compares to Konfabulator? Did Apple make a bigger mistake than we thought? My guess is Konfabulator was probably MORE of a security risk. But you never know.
 
It is my understanding that all widgets in the "Widget Gallery" of the official Konfabulator site are checked "manually" to ensure that they are safe. And Konfabulator doesn't have an automatic download option enabled by default, like exists in Safari.

That said, I don't believe there is any greater inherent security in the way Konfabulator works compared to Dashboard. Both can execute shell scripts and Applescript, so both presumably can hose your home directory. (Anyone know more about this?)
 
Nothing to see here, move along

Anyone who is still worried... read this post again... Widgets are as much a security flaw as downloading shareware/freeware... There is nothing new here... The same warnings apply... Don't be stupid... If you don't know what something will do, don't do it if you do not know how to fix it...

Peter


bankshot said:
Who cares if it's auto installed? All that means is that the widget is copied to your Widgets folder. Big deal. So it shows up in the widgets list when you want to add something to your dashboard.

The important part is that it does not auto execute. Apple has already done their job here. The first time you go to add any new widget to your dashboard, a dialog comes up to ask if you really want to do that. It's no different from downloading a program except that the widget ends up in ~/Library/Widgets while the program ends up in ~/Desktop.

This is a complete non-issue. Either the person writing the original article doesn't fully understand it, or they're a very successful troll. I can't believe it got front page coverage here.
 
The nastiest thing I've found with the built-in Widgets so far is in the dictionary...

If you enter "color", it defines it as "the British spelling of color".

I'll have to pop around to my old colleagues at the Oxford English Dictionary to teach them how it's meant to be spelt hahahah...!
 
dmarkman said:
I'm not sure that there is any danger at all

create file foo.txt somewhere in your user's directory
change command in the quick command widget to
rm -rf <path_to_your_foo.txt_file>
try to execute it
nothing will happen except you'll see the following message in the console
application: 2005-05-10 02:07:18.495 DashboardClient[611] (com.apple.widget.quickcmd) file:///Library/Widgets/QuickCmd.wdgt/quickcmd.html: Object (result of expression enterflip) does not allow calls. (line: 32)
so Apple doesn't allow the widget to alter your directory

This is funny, so because a widget can't alter your directory means there is NO danger? I'm gonna give you time to think that over.
 
A very possible scenario

Alright, once more, for all those boneheads trying to tell you "there is no danger", "there is no way to delete something", "this is no different than downloading shareware" etc. Consider this, perfectly possible case:

You go about your business as usual. You surf a site or two, but do not download anything - you know that's not safe. One day, you notice this sexy new widget icon sitting in your Dashboard drawer. Curious what it is, perhaps it's something your pal installed the other day, you click on it.

Boom! Your home folder is gone! All your data, preferences, keychains, files. Of course, the widget could do more... Take your keychain and send it to the author. Snoop on your keystrokes and report them back to base. And my favorite one: invisibly download and auto-execute any program!

This is all resulting from a single, unknowing click on an unfamiliar icon sitting in your Dashboard drawer. There is no confirmation dialog, no need to approve anything, no need to download anything.

People - do you seriously still think this is even remotely safe?!?
 
zzen said:
You go about your business as usual. You surf a site or two, but do not download anything - you know that's not safe. One day, you notice this sexy new widget icon sitting in your Dashboard drawer.

Forget about new widget icons to warn you. How about the malwidget which looks entirely like the Apple widget (but has an extra space at the start of the name, which means it appears on the 'add widget' bar before the real Apple widget)? You click to check your translator and 'boom'...

Until a better option appears, my widget folder has a Folder Action on it to warn me of anything going in...
 
Applespider said:
Forget about new widget icons to warn you. How about the malwidget which looks entirely like the Apple widget.

Exactly - even better. Good point!

And for anybody trying to doubt that the above mentioned is doable: I've done it as a proof of concept, trust me. No, I'm not going to support that claim with any widget, code, example or anything. I don't want all people running around with such info. It's not very hard to do, anyway.
 
I for one will only install Apple-approved widgets. I still can't wait to see the widgets offered to .mac customers! ;)
 
ijimk said:
I for one will only install Apple-approved widgets. I still can't wait to see the widgets offered to .mac customers! ;)

Probably a good idea. The people who use a PC without virus scanners installed are the people smart enough not to get a virus, or stupid enough to get a virus. The main reason for not getting a virus is because they downloaded from a trusted source which gives a reasonably secure download.
 
peterjhill said:
Anyone who is still worried... read this post again... Widgets are as much a security flaw as downloading shareware/freeware... There is nothing new here... The same warnings apply... Don't be stupid... If you don't know what something will do, don't do it if you do not know how to fix it...

Peter

You're the one who doesn't get it. When you download a Widget, it goes to hide in the Widgets folder. The app stays on the desktop, so you know it's downloaded, and you can move it to wherever you want. With Widgets, it disappears from the desktop, and that's all the average user knows. The average user won't know about the Widgets folder in ~/Library/. That's the problem.
 
ijimk said:
I for one will only install Apple-approved widgets. I still can't wait to see the widgets offered to .mac customers! ;)

I hope to be wrong but I suspect they may end up being .mac-related widgets along the lines of 'check your mac mail', 'how many visitors has your Homepage had', 'how much space is left on your iDisc'. Fingers crossed that I'm wrong!
 
Applespider said:
I hope to be wrong but I suspect they may end up being .mac-related widgets along the lines of 'check your mac mail', 'how many visitors has your Homepage had', 'how much space is left on your iDisc'. Fingers crossed that I'm wrong!

Hey, it would be cool if I could see how many people hit my poe404 page! :) Oh and how many downloaded images off my iDisk (i.e. for the Desktop threads).
 
Standard Unix Practice

First, never ever run as an administrator. Period. Just don't do it. Admin accounts are for system maintenance. When running as a standard account, what can a bad widget do, should it escape from its sandbox? Not much. Second, anyone who uses a Widget without first examining it --- look inside the package --- is not being too smart. Third, there are no safe files on the Internet, so disable that function in Safari. Would you leave your car unlocked in a bad neighborhood (60% porno businesses) or kiss someone you don't know? Hum? Oh, well. Sorry for asking!
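For the Folder Action Applespider mentions and the "look inside the package" advice above, here is an added example that is not from this thread or from Apple: a POSIX shell audit of the user Widgets folder. It assumes the /Library/Widgets and ~/Library/Widgets paths named in the thread, an XML Info.plist, and that AllowSystem is the plist key that grants a widget shell access (an assumption from the Dashboard widget format, not stated on this page).

```shell
#!/bin/sh
# Added example, not from the thread: audit a Dashboard Widgets folder.
# It warns on bundles missing from a saved baseline (a script-based stand-in
# for the Folder Action), on names starting with a space (sorts ahead of the
# real widget in the widget bar), on names duplicating a built-in widget in
# /Library/Widgets, and on bundles whose Info.plist enables shell access via
# AllowSystem (key and XML plist format are assumptions, not from the thread).

# list_widgets DIR: print one bundle name per line (names may contain spaces)
list_widgets() {
    [ -d "$1" ] || return 0
    for w in "$1"/*.wdgt; do
        [ -e "$w" ] || continue
        printf '%s\n' "${w##*/}"
    done
}

# record_baseline USER_DIR FILE: snapshot the current bundle names
record_baseline() {
    list_widgets "$1" > "$2"
}

# plist_allows_system BUNDLE: true if Info.plist sets AllowSystem to <true/>
plist_allows_system() {
    plist="$1/Info.plist"
    [ -f "$plist" ] || return 1
    tr -d '\n' < "$plist" | grep -q '<key>AllowSystem</key>[[:space:]]*<true/>'
}

# check_widgets USER_DIR SYSTEM_DIR BASELINE: one warning per line on stdout
check_widgets() {
    user_dir=$1; sys_dir=$2; base=$3
    list_widgets "$user_dir" | while IFS= read -r name; do
        if [ -f "$base" ] && ! grep -Fxq -- "$name" "$base"; then
            printf 'NEW: %s\n' "$name"
        fi
        case $name in
            ' '*) printf 'LEADING SPACE: %s\n' "$name" ;;
        esac
        stripped=$(printf '%s' "$name" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        if [ -e "$sys_dir/$stripped" ]; then
            printf 'SAME NAME AS BUILT-IN: %s\n' "$name"
        fi
        if plist_allows_system "$user_dir/$name"; then
            printf 'ALLOWSYSTEM: %s\n' "$name"
        fi
    done
}

# Typical use from a login script or cron, once a baseline has been recorded:
#   check_widgets "$HOME/Library/Widgets" /Library/Widgets "$HOME/.widget_baseline"
```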
 
Raven VII said:
You're the one who doesn't get it. When you download a Widget, it goes to hide in the Widgets folder. The app stays on the desktop, so you know it's downloaded, and you can move it to wherever you want. With Widgets, it disappears from the desktop, and that's all the average user knows. The average user won't know about the Widgets folder in ~/Library/. That's the problem.

I rather think it's you that doesn't get it. Anyone who has installed more than a couple of widgets will likely have had to install one manually (not all widgets auto-install); to do this you need to know to drag them to your Library. I beg to differ, but I think most Mac users, if they don't already, will shortly know where their widgets go.
 
dav said:
Saft now blocks widgets!

8.0.1
Thanks for that. Done and dusted. Apple should immediately buy Saft and issue an urgent Safari patch. Of course that doesn't help people who aren't using Safari. It's such a stupid idea: why let these things auto-install at all? What's the benefit?
 
skunk said:
It's such a stupid idea: why let these things auto-install at all? What's the benefit?

I don't think it's a stupid idea at all. As I said earlier, this is a complete non-issue. The benefit is that "normal" (non-technical) users don't have to know a thing about where widgets go. They shouldn't have to. Download a widget and it automagically appears in your Dashboard next time you go there. That's convenience!

The security implications with this have been blown way out of proportion all over the web lately. No widget will execute without the user clicking on a dialog to agree the very first time. Nothing ever auto-executes, so it's really no different from a web page that auto-downloads a program to your Desktop. This can happen in just about any modern browser on any OS - and you still have to actively open the program before it can run. OS X has the extra safeguard of showing that dialog the first time any new program or widget runs.

Maybe they can also pop up a confirmation dialog whenever a web page redirects to a file that's not handled internally by Safari and therefore would normally be downloaded. But I wouldn't consider this a "security" fix, simply another usability enhancement. While they're at it, they need to go in and give us more fine grained popup blocking, image, and cookie controls like Firefox/Mozilla has had forever. :D

Now, Dashboard does need a user-friendly way to remove widgets from your disk - I can't believe they didn't just make it like the Dock somehow, or maybe have a little widget trashcan when you're viewing the widget list. That was stupid of Apple.
 