Attack of the malicious widgets

by Giles Turnbull

Stephan "stephan.com" Nosurname has opened a can of worms with his post detailing the potential security hazards of automatically-installed Dashboard widgets.



When the first announcements were made about widgets some months ago, warning bells should have gone off in our collective heads. Applications made like web pages? Aren't web pages sometimes a bit ... dodgy? How come we didn't see this coming a long way off?



(Perhaps some of us did; if you made a fuss about this at the time, I'd love to hear about it.)



Several people have contacted Stephan to point out that by disabling auto-install, people can avoid this kind of problem. Others have reminded him that it is possible to remove widgets, just with a simple Terminal command or a root around in the Finder.



But those people are missing an important point, I think.



One of the main reasons that everyone is getting so excited about Tiger is that it is better than Windows. Even some Windows supporters are saying so. Microsoft's Longhorn development is delayed and even the work that's been done doesn't compare to the attractive ease-of-use offered by Mac OS X.



This is Apple's chance to grab some market share, people are saying. It has the advantage, it has the momentum; go, Apple, go!



So imagine if you, or perhaps a member of your family, is one of this new generation of switchers. People pulled in first by the iPod, sold on the gorgeous user interface of Tiger; wooed by the eye-candy of Dashboard.



Imagine if your loved one starts using Tiger on their shiny new Mac, and is seriously impressed. And then hits a web page like Stephan's, only this time with something far more malicious and unpleasant buried within it.



This imaginary newbie won't know about killing widgets via the Terminal, won't realise that changing a preference in Safari could make all the difference. They'll just suddenly see Dashboard go crazy, and they'll wonder what on earth is going on.



I've been spending much of my free time in the last couple of years telling Windows users I know to switch from Internet Explorer to Firefox.



"IE has too many potential security holes," I tell them. "Firefox is much safer."



I don't want to have to start doing that for people who use Safari.



This sort of security hole is precisely the kind of thing that people have been criticising Microsoft for. Just as it is on Windows, if you're geeky enough, you can avoid problems. But for most users, it's a potential cause of serious trouble.



Let's hope a fix -- one for ordinary users, not power users -- appears in Software Update soon. Otherwise Apple can kiss a decent chunk of that momentum for change goodbye.




Shocked? Horrified? Bemused?


12 Comments

bluesthemoose
2005-05-09 04:52:37
it's not that bad...
Well, when you launch a newly installed a widget for the first time, you are asked if you really want to run said widget.
So I don't think there is a way to have a widget that would install and run silently on your machine.
rmeister0
2005-05-09 05:21:02
it's not that bad...
Windows does that now too when you download an executable. That doesn't stop people from simply clicking through that dialog box without readng it; all you have to do is give the widget some innocuous sounding name and most people won't think once about it.
joshuawait
2005-05-09 09:00:08
An Excellent Point
I thought about writing a short article called "Is Dashboard a security threat?", but I never got a around to developing a proof of concept.


You make an excellent point when you talk about the average user. The average user lacks an understanding of how applications and the operating system work.


Such a person trusts the software developers to know what they are doing. Spyware and other malicious applications prey upon this trust.


Dialog boxes may help some, but often times people are so bombarded with meaningless but seemingly important dialog boxes "Do you, 70 year old person who was a lifelong homemaker wanting see photos of your grandchildren, promise never to reverse engineer our software?" that they have become habituated clicking the default answer without even reading it. I know I have. And I should know better.

jason.
2005-05-09 09:20:26
The first-time-run warning doesn't always appear
While I haven't been able to determine when and why, that first-time-run warning doesn't always appear. I know that, according to Apple's own page [1], the warning is supposed to appear if you use certain resources (like running a command-line utility), but even then I haven't seen it always.


[1] http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html


MickeyKnox
2005-05-10 09:50:21
Meh
Knee-jerk reaction to a very small problem. I know people who would LOVE to be able to use their PCs for more than a week without it slowing down to a crawl. I've set up numerous Windows machines, emphasizing to the owner to run Ad-Aware or other similar program EVERY TIME they get off of the internet. Do you think they remember? Until 2 weeks later, when they call me and say, "I can't get online!" or "My PC is sooo slow!"


"Have you been running that software I told you to?"


"Uh, I forgot..."

jdb8167
2005-05-10 13:46:55
Simple fix for now, use Folder Actions
OS X has a feature called Folder Actions. It allows you to run Applescripts when a folder changes. You can enable it from
'/Applications/AppleScript/Folder Actions Setup'


In addition there is a script called 'add - new iitem alert.scpt' that you can attach to the ~/Library/Widgets folder. This will alert you when anyone or anything tries to alter your Widgets folder.


Problem solved. The potential issue here is being overly exaggerated as far as I can tell. This is one lame avenue for spyware and the like if it is this trivial to overcome.

gilest
2005-05-10 15:16:16
Simple fix for now, use Folder Actions
Yes, it is a fairly simple fix for anyone with some experience of using Mac OS X, but my point was that for newbies, for the kind of people Apple wants to attract, even this solution would be far from straightforward.


These people might well be switching to Apple products because they've heard that they're more secure, and more stable. If we start blinding them with stuff about Folder Actions and Scripts, Mac OS X won't seem nearly as user-friendly as they might have been lead to believe.


I'm talking about perception of difficulty, rather than the level of difficulty itself.

gilest
2005-05-10 15:56:06
Widget Manager
Just found this: Widget Manager is
gilest
2005-05-10 15:57:40
Widget Manager
(gah! hit wrong key there!)


As I was saying; Widget Manager is a prefpane for, um, managing widgets. It makes removal or disabling individual widgets very easy.

nst
2005-05-10 18:52:39
What's the diff between this and any other trojan ?
Not having experienced Tiger yet myself, I have to rely on other people's reports of Tiger's behaviour.


From what has been reported, the user still has to manually install downloaded widgets. What's the difference between this and any other Trojan Horse ?


If this exploit had the potential to be self-replicating without user intervention it would be a concern. Otherwise, the golden rule of "Know what a program does before you run it" still applies.


No matter what an OS publisher does, there are still going to be people who click on programs that purport to be screensavers of Paris Hilton or promise to make them rich. That's how it goes.


eberharda
2005-05-10 21:37:18
Some lessons must be learned the hard way
When windows hackers on their $300 Mac Mini's get wind of this, they're going to have a field day creating the PERCEPTION that the Mac isn't as secure as it's been cracked up to be. Apparently Apple learned nothing from Microsoft's sorry trip down ActiveX lane. I completely agree with the author: incredibly simplified dialog boxes are no solution. In fact, in my opinion, the very existence of such a dialog tells me the widget shouldn't have been installed automatically. Couldn’t Apple have said only “safe” widgets get auto installed? More complexity, oh good. Finally, I agree that on a platform which professes to be “the computer for the rest of us,” expecting users to do literally anything more than use the software EXACTLY as it was shipped in order to maintain the PERCEPTION that their computer is safe is pure folly.
gilest
2005-05-11 05:13:22
For the sake of clarity...
Some people have suggested that the threat is lessened because there are warnings about running newly-installed widgets, or that the user is responsible for 'running' the widget by dragging it out of the widgets bar. I wanted to clarify *exactly* what happened when I tried out this exploit on my machine.


Here's what happened, step-by-step.


1. In Safari, I opened http://stephan.com/widgets/zaptastic/


2. The page loaded, and the Downloads window opened, showing that a file had been downloaded.


3. I invoked Dashboard, and found a new widget listed called 'Zaptastic'. I dragged it out of the widgets bar, and it ran immediately - there was no warning of any kind, nothing asked me if I intended this to happen - and caused my default browser (Firefox, in this instance) to open a new tab at the GreenZap web site.


4. Further investigation showed that the file 'zaptastic.wdgt' had been installed in ~/Library/Widgets. The widgets that come with Tiger are in the /Library/Widgets directory (ie, not within my User space).


The *install* was automatic. User intervention was required to run the widget, but if the user has been informed that the widget does something cool or useful, that isn't hard to bring about.


What's more, if I were a newbie, someone who had only recently switched to OS X, I would *not* have known where to look for the offending widget. I would not know how to remove it from the system.


It seems clear to me that the opportunity exists for so-inclined people to release malicious .wdgt files that auto-install, fool the user into activation, and are, at the very least, intrusive and annoying.