
Malicious Web Pages Can Install Dashboard Widgets

timothy posted more than 9 years ago | from the not-good dept.

Security 610

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.


610 comments


yeah (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12470931)

fuck you !!!! anal sex ?

fp? (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#12470933)

But wait! I thought Mac was nigh-invulnerable!

Re:fp? (0)

Anonymous Coward | more than 9 years ago | (#12470996)

Indeed. What with Firefox being able to execute arbitrary code, and now dashboard adware coming in via Safari, today really hasn't been a good day for proponents of alternative browsers.

yes but... (5, Funny)

Anonymous Coward | more than 9 years ago | (#12470934)

Imagine porn sites auto-installing adware widgets without your knowledge.

Yes, but do they install porn?
-SJ53

Serves you right (3, Funny)

th1ckasabr1ck (752151) | more than 9 years ago | (#12470936)

If people would just run a secure OS like Linux or Windows, they wouldn't be hit with attacks like this. When will people learn?

Re:Serves you right (0)

Anonymous Coward | more than 9 years ago | (#12470955)

Linux is not as secure as Windows according to Gartner.

Re:Serves you right (5, Insightful)

Janitha (817744) | more than 9 years ago | (#12470980)

There is no such thing as a secure OS; all operating systems have flaws.

Re:Serves you right (1)

zkn (704992) | more than 9 years ago | (#12471082)

You are totally right, so we should stop pointing out the flaws and just run around naked. All countries have idiots, so why aspire to be anything better?

Re:Serves you right (4, Insightful)

EtherAlchemist (789180) | more than 9 years ago | (#12471135)


That's quite apt. And I imagine you will be modded down due to the OS in question here.

When a Windows OS exploit is discovered there are thousands of zealots who scream "USE LINUX, STUPID" and "I use a Mac, there are no exploits for my OS" but whenever either of those OSes is found to have a flaw, those zealots are awfully quiet.

The best thing for me reading the comments so far has been the Mac users who point out that settings can be changed to allow or deny this action. They treat that like it's a magic feature only Mac has, when the truth of the matter is shit like that can be turned off in Windows also.

All of the common OSes can be locked down tight, IF THE USER CHOOSES TO. Every OS ships with the potential to be exploited, and even if it comes out the box secure, the user can always undo that.

I guess the difference when it's a Mac OS, it's a big deal because someone actually bothered to write something malicious for a small segment of the computer population.

This is actually a good thing though. It lets all of you Mac users know that the security you've been taking for granted is only as good as long as there is no attention on you.

Looks like this is changing.

Re:Serves you right (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12471019)

now that's thick

Ouch! (1, Redundant)

Godboy_g (794101) | more than 9 years ago | (#12470940)

That seems like quite a security flaw... Any timeline on it being patched?

Re:Ouch! (0)

Anonymous Coward | more than 9 years ago | (#12470992)

maybe a potential hole for spyware to get in on a mac? uh, oh. time to replace that obsolete mac with a shiny new windows box. those NEVER get spyware.....

Re:Ouch! (-1, Troll)

daveschroeder (516195) | more than 9 years ago | (#12471079)

Um, never? Because it actually prompts you and asks you if you're sure you want to run it?

Re:Ouch! (3, Informative)

justMichael (606509) | more than 9 years ago | (#12471101)

That seems like quite a security flaw... Any timeline on it being patched?
Preferences -> General -> Open "safe" files after downloading (uncheck)

Problem solved. Having that pref checked is asking for trouble. You can drop whatever you want in my downloads, I'll open it myself when I'm ready.

Disclaimer: I am not running Tiger, so this may not be 100% correct.

Firefox asks what to do (2, Informative)

HermanAB (661181) | more than 9 years ago | (#12470941)

with somethingorother.zip. Interesting, but not dangerous.

Re:Firefox asks what to do (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12470977)

wow big deal...now if adware came in zip files that may help.....idiot.

Re:Firefox asks what to do (5, Informative)

Bungopolis (763083) | more than 9 years ago | (#12470985)

This warning applies specifically to Safari. It's obviously not going to affect Firefox, because Firefox does not have the widget auto-installation feature that Safari does. Most users of Tiger, however, are probably using Safari, so this most certainly is dangerous.

Re:Firefox asks what to do (1)

bsharitt (580506) | more than 9 years ago | (#12470991)

I generally disable the automatic opening of files in Safari, so while it may download, it should serve the same purpose, although I'm on 10.3 and the widget files don't do anything, so I can't be sure. By the way, does Safari 2.0 at least have the option of bringing up a dialog box asking where to download? That is one of my biggest pet peeves with Safari.

Re:Firefox asks what to do (1)

pcmanjon (735165) | more than 9 years ago | (#12471040)

Well, that solves the claims mac users make when they say their OS is the most secure in the world.

Now it isn't!

Re:Firefox asks what to do (2, Insightful)

linguae (763922) | more than 9 years ago | (#12471095)

Same thing on my computer. I'm running Firefox 1.0.1 on FreeBSD, and the exact same thing happened. At least Firefox asked what to do with the file before downloading it, but still it is a bit weird.

I guess that you can run away from Windows and all of its problems with ActiveX and Internet Explorer, but you can't hide from all of the problems of Internet security. All this takes is for some clueless Mac users to just say "Yes" when Safari asks whether the program should be downloaded/run, and voila, they get the Macintosh equivalent of spyware. Just as easy as it is in Windows.

This problem needs to be fixed quickly, before spyware widgets start becoming more common on the Mac platform. And users need to be more educated about dangers such as software automatically downloading itself. They need to know how to withstand social engineering abuses, and they also need to get into their heads quickly that just because they're away from Windows and Internet Explorer doesn't mean that they're away from crackers and exploiters.

no way! (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#12470942)

Macs have security issues too? Who'd a thunk it!

widgets limited (4, Informative)

RobertTaylor (444958) | more than 9 years ago | (#12470954)

this page [apple.com] at Apple's Developer Connection says that a 'widget' cannot ask for any resources or do anything to the filesystem outside of the widgets bundle.

Re:widgets limited (5, Insightful)

ender81b (520454) | more than 9 years ago | (#12470987)

True, true. But hasn't apple learned anything from MS? Automatically running/installing *anything* from the internet is a bad, bad idea. And a widget could, in theory, do things like make widget pop up ads, revolving goatse/tubgirl widget, etc.

Basically, bad apple bad. Fix.

Re:widgets limited (2, Interesting)

taybin (622573) | more than 9 years ago | (#12471047)

How would you suggest they "fix" widgets to keep them from pulling offensive images? I can't think of a reasonable way (and I don't consider a blacklist reasonable) that wouldn't cripple the functionality.

Re:widgets limited (4, Insightful)

ender81b (520454) | more than 9 years ago | (#12471054)

I meant they should fix it in not allowing an untrusted remote application to be downloaded on a local computer with no interaction from the user.

Re:widgets limited (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12471103)

I know you are in a rush to karma whore your comments all over this story but huh??? dumbass think about what you just wrote...

Re:widgets limited (2, Informative)

Ilgaz (86384) | more than 9 years ago | (#12471115)

The software which they didn't steal :) is a very advanced application in fact. I tried it myself just recently and for Windows people out there, Konfabulator XP has shipped, give it a try until it gets this time into Longhorn *g*

Asked myself why such advanced coders give plain sit,sitx,zip files for installing manually to widgets directory (or anywhere) and require user to double click it to launch.

Now I had my answer ;)

Re:widgets limited (1)

Squareball (523165) | more than 9 years ago | (#12471117)

But you would only see the popup when you go to Dashboard. Widgets basically stop running when you leave dashboard and start up again when you enter dashboard. I do agree that this is a concern however. I never understood why apple sets to default "Open safe attachments" in Safari. I understand that it helps the less experienced but it also creates a bit of a security problem IMO.

Re:widgets limited (0)

Anonymous Coward | more than 9 years ago | (#12470989)

hmm maybe that's why it's called a security hole...do you think other holes are written in the dev manuals!?

Re:widgets limited (2, Interesting)

Anonymous Coward | more than 9 years ago | (#12470993)

They can take up RAM.

And in fact they often take up lots and lots of RAM.

A widget forkbomb wouldn't be so hard I don't think.

Widgets shouldn't be able to install this way.

Re:widgets limited (5, Interesting)

antibryce (124264) | more than 9 years ago | (#12471025)


True, but widgets can run external programs if certain permissions are set. The most insane part is that the widget itself sets the permissions it's allowed to have. Putting a key in the Info.plist file with "AllowFullAccess" set to "Yes" will allow the widget to run anything, access the network, etc. Basically at that point it's a full featured app. How hard would it be to make a widget that's invisible but periodically queries Safari's browser history, or songs played in iTunes, or does a Spotlight search for "password" and emails the results to some guy in Russia? The widget could even be invisible to the user, with a 1x1 transparent gif as its screen.

It seems really really dumb in this light to have Safari not only automatically download zip files, but uncompress them and if it finds a Widget bundle inside to install it. All without user intervention.
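Since a widget declares its own privileges in Info.plist, as antibryce describes above, auditing an installed widget comes down to reading that one file and flagging any access key it grants itself. The script below is an added example, not code from the original page, from the Zaptastic author or from Apple. AllowFullAccess is the key named in the thread; the other key names are taken from Apple's Dashboard documentation as it stood for Tiger. The two sample plists and the temporary Widgets folder are constructed for the demonstration; on a real Tiger machine you would point scan_widgets at ~/Library/Widgets and /Library/Widgets, the two folders the thread mentions.

```python
"""Audit Dashboard widget bundles (.wdgt) by the access keys in their Info.plist.

Added example: a widget grants itself privileges in its own Info.plist, so
listing the bundles that ask for anything beyond sandboxed HTML is a one-file
audit per widget. The sample bundles below are constructed for the demo.
"""
import os
import plistlib
import tempfile

# AllowFullAccess is the key named in the thread; the rest are the finer-grained
# keys from Apple's Dashboard documentation. Any of them set is worth a look.
ACCESS_KEYS = (
    "AllowFullAccess",                 # all of the below, plus widget.system()
    "AllowSystem",                     # widget.system(): spawn arbitrary processes
    "AllowFileAccessOutsideOfWidget",  # read/write outside the bundle
    "AllowNetworkAccess",              # fetch arbitrary URLs
    "AllowInternetPlugins",            # load browser plug-ins
    "AllowJava",                       # run Java applets
)


def _granted(value) -> bool:
    """Apple's plists use <true/>, but a hand-written one may say 'Yes' or '1'."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in ("yes", "true", "1")
    return False


def widget_permissions(plist_bytes: bytes) -> dict:
    """Return the identity of a widget and which access keys it grants itself."""
    info = plistlib.loads(plist_bytes)
    granted = [k for k in ACCESS_KEYS if _granted(info.get(k))]
    return {
        "identifier": info.get("CFBundleIdentifier", "?"),
        "name": info.get("CFBundleDisplayName") or info.get("CFBundleName", "?"),
        "main": info.get("MainHTML", "?"),
        "granted": granted,
        "suspicious": bool(granted),
    }


def scan_widgets(root: str) -> list:
    """Walk a Widgets folder and audit every *.wdgt bundle that has an Info.plist."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if not d.endswith(".wdgt"):
                continue
            info_path = os.path.join(dirpath, d, "Info.plist")
            if not os.path.isfile(info_path):
                continue
            with open(info_path, "rb") as f:
                result = widget_permissions(f.read())
            result["path"] = os.path.join(dirpath, d)
            findings.append(result)
    return sorted(findings, key=lambda r: r["name"])


# Constructed sample plist for a widget that asks for nothing special.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.clock</string>
  <key>CFBundleDisplayName</key><string>Clock</string>
  <key>MainHTML</key><string>clock.html</string>
</dict></plist>
"""

# Constructed sample mimicking the thread's scenario: named like a stock widget,
# grants itself full access (written the way the thread phrases it, as "Yes").
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.notreallycalculator</string>
  <key>CFBundleDisplayName</key><string>Calculator</string>
  <key>MainHTML</key><string>calc.html</string>
  <key>AllowFullAccess</key><string>Yes</string>
  <key>AllowNetworkAccess</key><true/>
</dict></plist>
"""


def demo_scan() -> list:
    """Build a throwaway Widgets folder holding both bundles and audit it."""
    root = tempfile.mkdtemp(prefix="Widgets-")
    for bundle, plist in (("Clock.wdgt", BENIGN_PLIST), ("Calculator.wdgt", SUSPICIOUS_PLIST)):
        os.makedirs(os.path.join(root, bundle))
        with open(os.path.join(root, bundle, "Info.plist"), "wb") as f:
            f.write(plist)
    return scan_widgets(root)


if __name__ == "__main__":
    for r in demo_scan():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']:<12} {r['identifier']:<36} {', '.join(r['granted']) or '-'}")
```

The name check matters as much as the key check: a bundle whose display name matches a stock widget but whose bundle identifier is not Apple's is exactly the impersonation several commenters describe, so print both columns rather than only the name.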

Re:widgets limited (1)

yardbird (165009) | more than 9 years ago | (#12471094)

Yes, and there are multiple levels of "dumb". Not only is it installed automatically, but there is no way to uninstall in the GUI. All in all, this is the weakest thing I've seen from Apple in a while.

Re:widgets limited (1)

antibryce (124264) | more than 9 years ago | (#12471129)


Dashboard feels like it was really rushed out the door in general. Everyone I know who upgraded to Tiger had to go through a reboot to install their first widget, and I've managed to crash Dashboard several times now just by trying to write a simple widget. I agree that Apple didn't do its best work here (but I'm hopeful they can get it cleaned up, because outside of the bugs it's extremely handy.)

Although it's still better than the Mail.app UI changes they made (wtf were they thinking?!?)

The really funny part is (3, Insightful)

mcc (14761) | more than 9 years ago | (#12471112)

Safari is uber paranoid about other filetypes now-- if you download a tar or a dmg it says "warning, this file may contain an application, are you sure you want to uncompress this?" It didn't do this before Tiger.

The unzip/install widgets thing wasn't a conscious decision. This is clearly a bug.

Re:widgets limited (1)

tyagiUK (625047) | more than 9 years ago | (#12471142)

Almost as scary as an "invisible" keystroke logger or spotlight hijacker is the possibility of your Dashboard becoming a battleground for full-screen adverts from auto-installed ad-widgets. Close the widget and it auto-starts a secondary one in its place. Rinse and repeat.

Glad I've stuck with 10.3 for now.

Re:widgets limited (1)

zkn (704992) | more than 9 years ago | (#12471042)

It may be limited but as it is shown, it's still capable of both being installed without your knowledge, and after that installing various other widgets by sending you to webpages when you try to view Dashboard.
Not a serious security threat or anything, but very annoying and very IE like.
If you made a simple "ring" of widgets with names similar to the standard widgets you could succeed in making the average user reboot several times just to remove it (reminds me of MS spyware).

Too integrated (4, Insightful)

m50d (797211) | more than 9 years ago | (#12470957)

This is what happens when you tie together parts of the OS that shouldn't be put together. In particular, has apple not realised that having the browser tied to anything that expects local rather than remote content is fundamentally an incredibly stupid idea?

Re:Too integrated (1)

zkn (704992) | more than 9 years ago | (#12470999)

Well the widgets are rather "remote". At least 50% of them are pulling stuff from the internet.
However there are problems with the dashboard/safari integration beyond this.
Since it runs both ways (the extended usability of widgets is supported in Safari) there is potential for some IE like *BLAM spamware en masse* situations.

Hopefully this will wake up someone at Apple and they'll cut the ties between Safari and Dashboard. And fix auto install to prompt while they are at it.

Re:Too integrated (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12471013)

Wow, way to make yourself look like an imbecile!

not insightful (0)

ashot (599110) | more than 9 years ago | (#12471141)

so I take it then that all web apps are an 'incredibly stupid idea'?

In soviet russia (4, Funny)

zkn (704992) | more than 9 years ago | (#12470958)

Apple copies Microsoft.....

That would have been funny (0)

Anonymous Coward | more than 9 years ago | (#12471156)

if Apple actually invented anything original. Both Apple and Microsoft copy just about everything from others.

Mirror in case of slashdot effect (-1)

Anonymous Coward | more than 9 years ago | (#12470959)

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.

HAH! (2, Funny)

JoeCommodore (567479) | more than 9 years ago | (#12470960)

I'm running Jaguar!

I can't afford to buy all the Apple "upgrades of the month."

Thanks Slashdot! (1, Funny)

CypherXero (798440) | more than 9 years ago | (#12470961)

Nothing happened to me (I'm running XP at the moment), but there's a friggin ZIP file sitting on my desktop. OK, time to bring out my tin foil hat! And to the /. editors, don't link to shit like that, damn! That's just common sense.

Re:Thanks Slashdot! (4, Funny)

jericho4.0 (565125) | more than 9 years ago | (#12471015)

Oh. My. God. There's a zip file on your desktop. Holy Shit. A zip file, for Christ's sake! What will your fate be? Long and painful, or medium and painful? How will your family go on?

Re:Thanks Slashdot! (1)

CypherXero (798440) | more than 9 years ago | (#12471031)

That ZIP file could have been anything, like vbs, batch, etc. I'm smart enough not to open stuff like that, but there are a lot of people that aren't. Also, I don't like stuff downloading to my computer without my knowledge (like what happened). So it's not the ZIP file I'm worried about, it's the ease it took to get it there. And I'm running Firefox 1.0.3, too.

Re:Thanks Slashdot! (1)

pmazer (813537) | more than 9 years ago | (#12471053)

Strange... Firefox asked me if I wanted to download it or not.

Re:Thanks Slashdot! (3, Informative)

YrWrstNtmr (564987) | more than 9 years ago | (#12471096)

FF can be set to d/l automatically. "Do this automatically for files like this from now on." If you've clicked that box in the past, zip files will be automagically downloaded. This will work for any filetype. Automatically play a .wav/mp3 file, or open a .doc, or d/l whatever.

Dumb to do, but it can be set like that.

Re:Thanks Slashdot! (0, Redundant)

mike5904 (831108) | more than 9 years ago | (#12471050)

That's interesting, I just tried it with IE, Firefox, and Opera, and all of them simply displayed the standard dialog asking to download the file. Might be worth noting I'm just running XP SP1 though.

Re:Thanks Slashdot! (1)

Bungopolis (763083) | more than 9 years ago | (#12471138)

Jesus christ, read the article! This is a security warning applying specifically to the Safari browser on Apple's MacOS 10.4 "Tiger". If you're either not running Safari or not running Tiger (if you don't HAVE dashboard, how could it possibly install a widget to it?) then you are obviously not going to see anything out of the ordinary at this link!

1st real ad-ware? (2, Interesting)

EggyToast (858951) | more than 9 years ago | (#12470967)

Definitely easier to remove than most Windows Ad/spyware, but still a pain in the butt. Just goes to show that making something painless for the user can often lead to the technology being abused by more nefarious individuals.

I know that Windows usually posts security fixes and doesn't address spyware exploits specifically in many cases -- it'll be interesting to see if Apple addresses this in 10.4.1 or if we see a patch sooner (or later!)

Yeah... (3, Funny)

Nanoda (591299) | more than 9 years ago | (#12470968)

imagine porn sites auto-installing adware widgets without your knowledge.

Yeah... I'm imagining those porn sites.........

Nothing to worry about... (0)

Anonymous Coward | more than 9 years ago | (#12470971)

This is similar to the "scary" Firefox exploit mentioned earlier: if you don't have automagic download and installation of software enabled, you have nothing to worry about.

In other words, unless you're a hopelessly ignorant @$$wad, you're in the clear.

trying to be popular (0)

Anonymous Coward | more than 9 years ago | (#12470972)

ignoring is not a good way to become popular. yes, we know it worked for microsoft, but um

nelson says.... (-1)

Anonymous Coward | more than 9 years ago | (#12470975)



HA HA!

Bout time someone started messin with you uppity mac users.

next week. reports of real spyware being installed!

Not much of a problem... (5, Informative)

InternationalCow (681980) | more than 9 years ago | (#12470978)

If you do not tick the "open safe files" check box in the prefs. Which you should leave unchecked if you're not entirely stupid, as there is no way to tell whether any file is actually "safe". Good Internet Practice, as I like to call it.

Re:Not much of a problem... (2, Insightful)

mattgreen (701203) | more than 9 years ago | (#12471011)

If this were a Microsoft product, the consensus would not be nearly so optimistic. Between this and the 19 holes recently fixed, looks like Apple doesn't exactly have a sparkling record when it comes to security anymore. Much better than Windows, but then again pretty much everything is.

Re:Not much of a problem... (5, Insightful)

Anonymous Coward | more than 9 years ago | (#12471041)

No, it should be pretty easy to tell what is a "safe" file. PDF, for example, is a safe file, as is HTML, as is a GIF. A dashboard widget is NOT.

Apple really screwed up with allowing dashboard widgets to be listed as a "safe" file and they need to patch this as soon as possible. This is one of the big problems with IE, that they went from "autoopen anything, even unsafe stuff" to "warn you about viruses when you try to download ANYTHING, including a PDF". Clearly identifying what is safe is as important as identifying what is unsafe, otherwise people just double-click everything they download not realizing it's a .app.

Re:Not much of a problem... (2, Insightful)

Temporal (96070) | more than 9 years ago | (#12471057)

as there is no way to tell whether any file is actually "safe".

Wrong. Text files are "safe". JPEG files are "safe". Java applets are "safe". Flash is "safe". Any software written in a verifiable-bytecode-based, pointer-safe language with capability-based security should be "safe".

Obviously a dashboard widget should not be considered safe, but that doesn't prove that it's impossible to tell if a file is safe. It only proves that the Safari developers made a mistake when deciding what should be considered safe.

Re:Not much of a problem... (2, Funny)

Anonymous Coward | more than 9 years ago | (#12471116)

JPEG files are "safe"

hello.jpg, tubgirl, need I go on?

Re:Not much of a problem... (5, Insightful)

Mike McTernan (260224) | more than 9 years ago | (#12471098)

Which you should leave unchecked if you're not entirely stupid

I always thought that one of Apple's selling points was that they are made for non-experts. So giving users an option to potentially shoot their foot off seems to be a little unfortunate. Almost by definition, few people are experts.

The solution (5, Informative)

Little Grey (571460) | more than 9 years ago | (#12470979)

Is to turn off "Open 'Safe' downloads" in Safari's Options.

It's just common sense anyways

Re:The solution (5, Insightful)

ender81b (520454) | more than 9 years ago | (#12471014)

The solution to spyware on windows is to turn off activex in internet explorer and set it to run as guest...

It's just common sense.

Seriously though this is a very bad idea and apple needs to fix this ASAP.

Re:The solution (0)

Anonymous Coward | more than 9 years ago | (#12471110)

"Is to turn off "Open 'Safe' downloads" in Safari's Options."

Eh? That's certainly not common sense. In fact, that makes no sense at all. You're turning off 'Open Safe Downloads' so you don't get dubious 3rd party downloads? What does OSX regard as an unsafe download?

Oh Joy! (-1)

Anonymous Coward | more than 9 years ago | (#12470994)

Another manufactured Apple security story where all the dipshits still running Windows all regurgitate the Microsoft "all systems are insecure, but since we're so darn popular..." mantra.

Re:Oh Joy! (-1, Offtopic)

Saeed al-Sahaf (665390) | more than 9 years ago | (#12471144)

Naaa! Actually, it's just so fun to poke at the zealots.

WCS (0, Redundant)

LittleGuernica (736577) | more than 9 years ago | (#12470997)

So the worst case scenario is that the icon in the dashboard bar is pornographic? I'm going back to windows instantly, because with windows, I can also immediately dial-up to a porn site, eat that Apple! (no pun intended)

It's true that it's too easy to install a widget with safari, because it unzips and installs automatically, but it can't do any harm but to your eyes..

Still, some sort of warning with a preview would be a good idea.

uh... (2, Funny)

pkboy (864629) | more than 9 years ago | (#12470998)

"imagine porn sites auto-installing adware widgets without your knowledge." I guess Mac users can now blame their browsers for the pr0n popping up on their computers as well.

hey (0)

Anonymous Coward | more than 9 years ago | (#12471000)

The guys at Apple finally have something to do!

Like everyone else in the tech industry, (0, Troll)

Mordant (138460) | more than 9 years ago | (#12471005)

the idiots at Apple, completely unheedful and unmindful of prior art and experience - this is especially true of security-related matters - are going about slowly ensuring that OS/X will end up just as full of security holes and vulnerabilities as Windows.

This is sad; I love my PowerBook, I love OS/X, I'm a *NIX switcher (i.e., not an Apple person, but a *NIX person who switched from Linux to the Mac in order to get the benefits of FreeBSD along with all the goodness of Apple's hardware and multimedia capabilities, not to mention Office).

Someone needs to whack Jobs over the head and get him to focus his people on security, or the Mac will end up being as full of malware as Windows, solely because Apple programmers are doing stupid things which undermine the solid security foundation of FreeBSD which OS/X was built upon, but which can be bypassed by doing stupid things with the GUI/APIs layered atop it.

Re:Like everyone else in the tech industry, (-1)

Anonymous Coward | more than 9 years ago | (#12471051)

How dare such fucking piece of shit like you own anything made by Apple.

It sickening to think of all the garbage like you who are buying Mac these days.

GET THE FUCK OUT OF THE APPLE COMMUNITY.

Re:Like everyone else in the tech industry, (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12471055)

or the Mac will end up being as full of malware as Windows

The reason Windows is so full of malware is because everyone uses it.

YOU BAD MOUTHED ABOUT APPLE! (0, Funny)

Anonymous Coward | more than 9 years ago | (#12471091)

Mod parent down now!

But... (0, Redundant)

Homerew (149183) | more than 9 years ago | (#12471008)

but you'd also have to have the "open safe items" turned on in safari prefs, and that is kinda dumb.

Re:But... (1)

antibryce (124264) | more than 9 years ago | (#12471067)


I had it on by default because in Panther it was fine. It only opened PDFs and Zip files and mp3s and some other non-executable formats. If Safari just downloaded and unzipped the zip files it would be one thing, but to automatically install the Widget bundle is just dumb.

This exploit only works with certain safari prefs (1)

BugDave (874027) | more than 9 years ago | (#12471017)

By default Safari has "open safe files after downloading" turned on in general prefs. I changed mine to off on day 1. I am sure Apple will change this in the future or set it to ignore auto installing widgets. To prevent the problem do as follows. Navigate in Safari to Safari>Preferences...>General, then uncheck the box that says 'Open "safe" files after downloading'.

Feature (1)

Tharkban (877186) | more than 9 years ago | (#12471021)

I love features!

Anyone want a more minimalistic system? Say, one that doesn't do things behind your back?

Awww...How cute! (3, Funny)

justforaday (560408) | more than 9 years ago | (#12471022)

Looks like he was nice and made us a goatse.cx widget [stephan.com] . Too bad I don't have Tiger yet... :'(

Re:Awww...How cute! (1)

BugDave (874027) | more than 9 years ago | (#12471043)

heh goatse.cx is awesome....i wish they would be able to get their domain back

Re:Awww...How cute! (0)

Anonymous Coward | more than 9 years ago | (#12471119)

That's also my greatest wish, next to the Dalai Lama being allowed back into Tibet.

Bad design, for sure, however. (2, Informative)

mindstrm (20013) | more than 9 years ago | (#12471030)

it's not totally evil.

It installs the widget, but does not activate it.. it just makes it available.

Further, widgets do run in a sandbox, and require user approval to execute if they want to do certain things (like erase your HD).

Honestly, apple should have said "would you like to install this widget?".. that would be sensible and courteous.

Re:Bad design, for sure, however. (0)

Anonymous Coward | more than 9 years ago | (#12471149)

Honestly, how fucking sad, you realize the story is nothing but another hit generating fake Apple security story and see that there really is nothing there and still feel the need to throw in your pointless "security advice" for Apple.

It would be sensible and courteous for you to fuck off.

Re:Bad design, for sure, however. (0)

Anonymous Coward | more than 9 years ago | (#12471164)

"Honestly, apple should have said "would you like to install this widget?".. that would be sensible and courteous."

It might not run it, but your average user is more likely to trust an executable that's appeared on their machine. It still lulls them into a false sense of security.

The best solution would be to have no automated in-page downloads allowed. Packages and executables should only be able to be downloaded by the user and a mouse click. This whole automated pop-up, download, mess with the filetype scenario within the browser was what got IE into trouble in the first place.

Firefox Running Poorly on OS X (-1, Offtopic)

Tufriast (824996) | more than 9 years ago | (#12471048)

I have a 850MHz iBook with over 600MB of RAM, and a 32 MB vid card.

Firefox runs like mud on a California slope. Text renders pretty badly. Currently, OmniWeb and Opera seem to run fine though.

Ever since they did that Java Update on April 18th, Firefox has not run the same at all.

Just letting people know who don't have powerhouse Macs...

Re:Firefox Running Poorly on OS X (0)

Anonymous Coward | more than 9 years ago | (#12471143)

Firefox bills itself as being "fast and light"; how ironic, then, that it is slower and more memory hungry than Opera and IE combined.

It's like a fly in my Chardonnay :(

Move along... (0)

Anonymous Coward | more than 9 years ago | (#12471062)

If you set your browser to automatically execute downloaded files bad stuff can happen. What does this have to do with dashboard or even osx now?

Several levels of control (4, Insightful)

pelorus (463100) | more than 9 years ago | (#12471063)

First, when a widget starts to download, Tiger prompts me and says "This download contains an application, do you want to continue?" That should be the first dead giveaway.

Secondly, while the OS DOES copy downloaded widgets to the Widgets folder in the Users directory, the widgets do not become active until you actually activate them. (Of course there's nothing stopping you from using the same name and icon as ...say Calculator.)

Getting widgets to do complex system-level stuff you WANT them to do is tough enough.

Re:Several levels of control (1)

YrWrstNtmr (564987) | more than 9 years ago | (#12471167)

First, when a widget starts to download, Tiger prompts me and says "This download contains an application, do you want to continue?" That should be the first dead giveaway.

Social engineering around that would be easy. "Mac's are immune to viruses, right? At least that's what everyone tells me."

(Of course there's nothing stopping you from using the same name and icon as ...say Calculator.)

Precisely.

Reboot ? Who the fsck does the guy think he is ? (0)

Anonymous Coward | more than 9 years ago | (#12471073)

Mod this article back to the stone age. Teach the author to use "killall", and those grabbing this as the ultimate proof of OS X's lack of security: get a grip!

If you have your browser set to auto-open files, that's your fault. You STILL have to EXECUTE the widget; that will NOT happen "automagically".

GAH !

i use safari, nothing happened--what's this about? (0)

Anonymous Coward | more than 9 years ago | (#12471097)

I don't know what this discussion is all about. Either somebody is trying to be important or Apple has fixed the issue before the Tiger GM release.

I went to the page and a .zip file automatically downloaded to my desktop. OK. Double-click on the .zip file: a widget "zaptastic.wdgt" appears. Double-click on the widget file: Dashboard asks me whether I want to use this widget because it is being launched for the first time. Just deny.

As far as I can see, no security risk. Am I wrong?

O Great Oracle of Slashdot (5, Funny)

Dachannien (617929) | more than 9 years ago | (#12471104)

If there's anything that Slashdot has taught us, it's that it's never safe to use your computer.

Install failed on my Mac!!! How to protect yours! (1)

malchus842 (741252) | more than 9 years ago | (#12471123)

The default settings I used on my Mac stopped this cold. First, I have the setting in Safari to not automatically run 'safe' files after download. Thus, it just downloaded, didn't install.

Second, I don't have a personal Widgets folder. I only use the system one, and copy the widgets there with su. So, even after setting the 'run safe' option, it still didn't install!

So, yes, it does affect Macs, but those of us who are completely paranoid are pretty safe.

My suggestion - block auto-open of 'safe' downloads AND move all your widgets to the system folder and delete your widgets folder.

Not an exploit (-1, Flamebait)

daveschroeder (516195) | more than 9 years ago | (#12471126)

1. You can, and always have been able to, disable "Open 'safe' files after downloading". This means nothing happens except that the widget gets downloaded to your computer in its packed/compressed form. In this case, a .zip.

2. Whether or not a user does 1., you are *PROMPTED* to run the widget for the first time! What more can Apple do? The site says this is still a problem because of - cue scary music - *social engineering*.

...

Um.

So how would it be any better if you downloaded it and double clicked on it manually? It *still* prompts you to run the widget! You must explicitly give the computer permission to run it.

In other words, there is NO WAY for any widget or any malicious website to do ANYTHING unless you explicitly give it permission!

This reminds me of the MP3 "virus". Some blog/website/AV vendor makes a shiny web page supposedly illustrating the "exploit" and why it's bad.

Except for one thing: the user has to EXPLICITLY GRANT it permission to run! Forget about the fact this is a Dashboard widget, or that he can write a goatse widget, or that he can make Dashboard unusable, etc etc etc. I don't CARE what the widget does. It can only do these things AFTER IT HAS BEEN GIVEN EXPLICIT PERMISSION TO RUN BY THE USER CLICKING "YES" IN A DIALOG BOX ASKING HIM/HER IF THEY'RE SURE THEY WANT TO RUN IT!

To reiterate: there is NOTHING automated or automatic about this, and the fact that Safari in its default state will easily make a widget ready to use is uninteresting. NO MATTER WHAT, THE USER IS STILL PROMPTED AND HAS TO GIVE EXPLICIT PERMISSION.

And I hope we all know by now that if a bad guy can trick you into running ANYTHING on your computer, the game's over.

The mechanism and method via which Safari can install Dashboard widgets coupled with explicit prompts to run them are perfectly acceptable, and this is a non-issue.

(Isn't it funny how the only "exploits" people can find for Mac OS X almost always exclusively revolve around social engineering, and never real flaws in the platform itself?)

More 'Windows like' (2, Insightful)

SmoothTom (455688) | more than 9 years ago | (#12471139)

With this new addition to Safari under Tiger, Apple has made a large step in catching up with Microsoft Windows...

Now the script kiddies won't feel as limited in their options in annoying Mac users just like they do MS Windows users.

A nice, new, open window (no pun intended) for the black hats to use... *sigh*

--
Tomas

How To Remove (1)

robbieduncan (87240) | more than 9 years ago | (#12471145)

If anyone else let the evil version install to see what it did (like me) it's really easy to remove.

Step 1: Remove the folder zaptastic_evil.wdgt from ~/Library/Widgets.

Step 2: Use Activity Monitor to kill any running instance of it (yes, Activity Monitor shows each widget as a separate process).

No reboot.
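The two removal steps above, plus the Safari setting that several posts in this thread point at, as a small script. This is an added example, not code from the thread or from the Zaptastic author. It assumes per-user widgets live in ~/Library/Widgets/<name>.wdgt with an Info.plist inside, uses Apple's documented Dashboard Info.plist keys (AllowSystem, AllowFullAccess, AllowNetworkAccess, AllowFileAccessOutsideOfWidget, Plugin) to flag widgets that asked for more than HTML-and-JavaScript privileges, and relies on the fact that on Tiger Dashboard runs inside the Dock, so restarting the Dock restarts Dashboard without a reboot. The Safari preference key AutoOpenSafeDownloads is the one behind the "Open 'safe' files after downloading" checkbox.

```shell
#!/bin/sh
# Added example, not from the thread or the Zaptastic author: audit the widgets
# Safari has dropped into ~/Library/Widgets, and remove one without rebooting.
# Assumes <name>.wdgt bundles with an Info.plist; key names are Apple's.

WIDGET_DIR="${WIDGET_DIR:-$HOME/Library/Widgets}"

# Print the privileged capability keys a widget's Info.plist turns on.
# AllowSystem gives widget.system() (shell commands), AllowFullAccess turns on
# every Allow* key at once, Plugin names a native code bundle loaded into it.
widget_caps() {
  plist="$1/Info.plist"
  [ -f "$plist" ] || { echo "no-plist"; return 1; }
  flat=$(tr -d '\n\t ' < "$plist")   # collapse whitespace so key and value are adjacent
  caps=""
  for key in AllowSystem AllowFullAccess AllowNetworkAccess AllowFileAccessOutsideOfWidget Plugin; do
    case "$flat" in
      *"<key>$key</key><true/>"*|*"<key>$key</key><string>"*) caps="$caps $key" ;;
    esac
  done
  echo "${caps# }"
}

# One line per installed widget; RISKY marks anything that can run native code.
audit_widgets() {
  for w in "$WIDGET_DIR"/*.wdgt; do
    [ -d "$w" ] || continue
    caps=$(widget_caps "$w")
    case " $caps " in
      *" AllowSystem "*|*" AllowFullAccess "*|*" Plugin "*) flag="RISKY " ;;
      *) flag="      " ;;
    esac
    printf '%s%s\t%s\n' "$flag" "$(basename "$w")" "${caps:-none}"
  done
}

# Step 1: delete the bundle (name with or without .wdgt). Returns 1 if absent.
remove_widget() {
  target="$WIDGET_DIR/$1"
  case "$1" in *.wdgt) ;; *) target="$target.wdgt" ;; esac
  [ -d "$target" ] || { echo "not installed: $1" >&2; return 1; }
  rm -rf "$target"
}

# Step 2: stop the running instance. Dashboard lives inside the Dock on Tiger,
# so restarting the Dock relaunches Dashboard without the deleted widget.
restart_dashboard() { killall Dock; }

# Prints 0 when "Open 'safe' files after downloading" is unchecked, 1 when it
# is checked or unset (Tiger's default, which is what makes the drop-by install work).
safari_autoopen() {
  v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
  [ "$v" = "0" ] && echo 0 || echo 1
}

case "${1:-}" in
  audit)  audit_widgets; echo "Safari auto-open 'safe' files: $(safari_autoopen)" ;;
  remove) remove_widget "$2" && restart_dashboard ;;
esac
```

Run it as `sh widgets.sh audit` to see which installed widgets asked for system-level access, and `sh widgets.sh remove zaptastic_evil` to do the two steps above in one go. A widget that only shows MainHTML and no Allow* keys cannot call out to the shell no matter what its name and icon look like; one flagged RISKY deserves a look at its source before you click "Yes" in Dashboard's first-run prompt.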

There is "K"arma (0, Flamebait)

Ilgaz (86384) | more than 9 years ago | (#12471146)

Here, another proof ;)

Imagine it? (4, Funny)

Anonymous Coward | more than 9 years ago | (#12471152)

imagine porn sites auto-installing adware widgets without your knowledge

Imagine it? I'm a Windows/IE user...I live it!

Dashboard: Slightly OT but worth a look (3, Interesting)

uprock_x (855650) | more than 9 years ago | (#12471160)

Click OnLine, BBC's tech show:

http://stream.servstream.com/ViewWeb/BBCWorld/File/worl_click_030505_show_hi.rm?Media=60506 [servstream.com]

Cole asks Apple manager: is Dashboard a big rip off of Konfabulator?

Apple manager's response: um, er... Desk... Accessory... um... things... from before... like

Not necessarily a problem... (1)

mentalray (869096) | more than 9 years ago | (#12471166)

I did go to the "malicious" website using Safari and Tiger, but the widget did not install. Then I figured out that unchecking the "open 'safe' files after downloading" option is sufficient to prevent this behavior.