Widgets: an avenue for Apple malware?
Quite by accident I got in touch the other day on quite another matter with stephan.com, who came up over the weekend with the exploit recorded here (Tiger users beware: downloads a widget you can’t get out without going into your file system if you visit it with Safari. Do NOT do this.). Silicon.com has this writeup, if you’re feeling wary. Or there’s this Slashdot discussion.
Interesting: I comented earlier (not once but twice before) that I thought Dashboard and widgets had a bit too much power. Seems I was right, if for the wrong reasons. (Only faintly wrong: I did express concern about the Javascript being owned by root, the super-super-user on an OSX (or any *nix) machine.
And I added: I really hope wiser heads have since prevailed and that in the finished product there’s a special user called , say, “dashboard” (just as there are special invisible users called “mysql” and “www” and “postfix” on OSX machines already, for the open-source database and the web server and mail program) which has not unlimited authority to do things on your machine. Else this could get ugly. There’s a truckload of “invisibble” users on Tiger with names like mavisd, so I don’t know if this was done or not.)
Basically, the problem is that Safari lets things that call themselves widgets auto-install. This is a big no-no. In the world today, stuff downloaded off the Net that can execute should never be allowed to auto-install. It’s a simple rule (which I couldn’t test pre-release, as there weren’t any widgets to download), and the fact Dashboard ignores it - even as Safari warns you that other stuff you download (even Windows .exe files, for gossake) says “This contains an application - are you sure you want to download it?” - shows that Dashboard is an immature technology within an otherwise much better thought-through OS.
Dashboard, for instance, doesn’t have a keyboard shortcut to let you move between widgets. Nor to click the “+” that brings up the widget shelf at the bottom.To bring up the + sign at the bottom, use Cmd-= (see this macosxhint). It’s just not.. complete, you know? And that seems to go for the security too.
I doubt though that this will get fixed until at least 10.4.2, which is bad.
- These posts might be related (the database thinks..):
- Developing Dashboard Widgets... looks like fun but has security implications (12 December 2004; score: 56.07%)
- Get it while it's late: my exclusive review of Tiger (you know.. that new software thing) (2 May 2005; score: 38.89%)
- A question for the Microsofties out there: ever been hit by a virus? (8 October 2004; score: 34.89%)
![[Valid RSS]](wp-includes/images/valid-rss.png "Validate my RSS feed"){kind=small}
May 9th, 2005 at 10:47 pm
This is definitely some dodgy thinking on Apple’s part: they’re treading on some ground that once, long ago, legions of Microsoft developers trampled on.
I think the problem lies mostly in Safari’s “open safe files after downloading” preference:
1) It’s checked by default, I believe.
2) It considers zip files safe, even though unzipping a zip folder containing a widget installs that widget. (Although I have to say, I don’t recall this happening when I installed my one non-Apple widget. So is this a special Safari thing? If so, that means someone at Apple actually thought about it, and decided to implement it this way. Bad Apple.)
It’s this combo that allows visiting a link in Safari to install something on your machine, with no warnings or anything. This is BAD, because it can lead to danger, and it makes users think that this method of doing things is alright. It’s not.
It would also be good if Tiger always asked users whether they *really* want to install this widget, like it does with programs.
However…
1) I’m not convinced a widget could manage to do really bad stuff - could it ever write files to the file system? If not, that limits it a fair bit.
2) You can uninstall widgets by deleting one file. Granted, most users shouldn’t have to know how to do this, but it’s not like Windows XP where you’ll never get rid of the spyware.
3) There’s now a third party preference pane that allows you to manage widgets outside of the Dashboard or /Library/Widgets/ - http://www.tuaw.com/2005/05/09/widget-watch-widget-manager/
Still, I hope Apple beefs this up. I agree that the Dashboard doesn’t seem finished properly. Very much an add-on to the rest of the OS.
May 10th, 2005 at 2:51 pm
I was wondering why the widgets I downloaded never self-installed as described in Apple’s documentation. I could not figure how to get them into the widget shelf even after unzipping the downloaded file until I read developer documentation on widgets that describe the destination for widgets (either /Library/Widgets or ~/Library/Widgets).
So my first complaint about Dashboard is poor documentation. My second complaint is the inability for widgets to work with the system the same the older desk accessories did. You either have widgets and an unusable desktop or you have no widgets. My third complaint is the very one addressed in this post. I experimented and found out that Safari’s option “open safe files after downloading” is exactly the reason why widgets self-install. I have ALWAYS turned this option off since the fuss a year or so ago about malicious executables embedded in music files.
Of course Apple knows that widgets are not guaranteed to be safe, in that widgets are executables. And Apple knows how the Safari option about downloading is set, but I’ll bet these are the left and right hands of Apple knowing this and they failed to communicate. Another sign of marketing pressure. I’ll also bet that widgets will not self-install without a prompt (and a password) in 10.4.1, which is coming soon I hear (and hope).
Dashboard is a marketing tool, meant to make users feel good about buying Tiger. It’s too hard to explain all the truly substantial and wonderful changes in the OS, especially the kernel, the file system, and standardization. When will “Max OS X now has standard kernel APIs” ever entice a buyer?