Introducing Mac Worm X

by Giles Turnbull

The security hole in Dashboard is a little wider, following some further investigation of the issues by Aaron Harnly and Rixstep.

Things start to go wrong if a user leaves Safari's "Automatically open safe files" option checked.

If checked, it allows Safari to automatically download, unzip, and install a Dashboard widget on your computer.

But: widgets installed in this manner are put in your user widget directory, ~/Library/Widgets. The default widgets supplied by Apple are in the system widget directory, /Library/Widgets.

And: when Dashboard starts, it first loads up widgets in the system directory, then loads the ones in the user directory. There's nothing to prevent one of the user widgets having the same bundle identifier as one of the default ones.

The upshot is that if someone were to 'embed' a malicious widget in a web page, it could be designed to call itself Stickies, overriding the Apple-supplied Stickies widget with something else.

Simply by looking at the Dashboard widget bar, a user would have no way of telling the difference.
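Since the widget bar gives no visual cue, the practical check is to compare bundle identifiers across the two widget directories. The following is an added example, not code from Aaron Harnly, Rixstep or Apple: it assumes each .wdgt bundle keeps its Info.plist at the top level, compares identifiers as exact strings, and uses constructed com.example.* identifiers and a temporary directory tree as sample input.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def widget_ids(widget_dir):
    """Map CFBundleIdentifier -> bundle path for each *.wdgt in widget_dir."""
    found = {}
    for bundle in sorted(Path(widget_dir).glob("*.wdgt")):
        try:
            # Assumption: Info.plist sits at the top level of the bundle.
            with open(bundle / "Info.plist", "rb") as fh:
                info = plistlib.load(fh)
        except (OSError, ValueError, ExpatError):
            continue  # missing or malformed plist: nothing to compare
        ident = info.get("CFBundleIdentifier") if isinstance(info, dict) else None
        if isinstance(ident, str):
            found.setdefault(ident, bundle)
    return found


def shadowed_widgets(system_dir, user_dir):
    """Return (identifier, system_bundle, user_bundle) for every collision."""
    system, user = widget_ids(system_dir), widget_ids(user_dir)
    return [(i, system[i], user[i]) for i in sorted(system.keys() & user.keys())]


def make_widget(parent, name, ident):
    """Write a minimal constructed widget bundle for the demo."""
    bundle = Path(parent) / f"{name}.wdgt"
    bundle.mkdir(parents=True)
    with open(bundle / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident, "CFBundleName": name}, fh)


def demo():
    """Constructed fixture: one look-alike and one unrelated user widget."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir = Path(root, "Library/Widgets")
        usr_dir = Path(root, "Users/demo/Library/Widgets")
        make_widget(sys_dir, "Stickies", "com.example.widget.stickies")
        make_widget(usr_dir, "Stickies", "com.example.widget.stickies")
        make_widget(usr_dir, "Tides", "com.example.widget.tides")
        return [ident for ident, _, _ in shadowed_widgets(sys_dir, usr_dir)]


if __name__ == "__main__":
    print(demo())
```

On a real machine, call `shadowed_widgets("/Library/Widgets", Path.home() / "Library/Widgets")`; any result is a user widget that would take the place of a system one.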

A series of screenshots on Aaron's web page explains this very simply. It's surprisingly easy for a potentially harmful widget to get into your computer, and for you to execute it regardless.

The Rixstep analysis goes one step further.

Imagine a mail message arrives from a friend, with an attached file. "I found this great Dashboard widget!" it says, "Try it out!"

User double-clicks. A widget is installed.

But: this widget has a plug-in. Which copies itself everywhere. Which delves into the Mail Delivery API and sends copies of itself to people in your Address Book.

Dashboard is supposed to ask the user if it's OK to run a new widget for the first time. But that doesn't always happen. Aaron puts it simply:

"However -- incredibly, amazingly, stupidly -- Dashboard does not present a prompt before running a privileged widget that is in one of the Library/Widgets folders, including our auto-installed widgets. So now your auto-installed replacement look-alike widget has complete access to your system, and could do nasty things like delete your home folder."

As I said a few days ago, I've been smugly telling every Windows user I know how much safer and more secure my Mac is. Maybe I should just shut up.

Have Aaron and Rixstep found something we need to worry about? Or is this a storm in a teacup?


2005-05-13 04:23:08
We shouldn't need to wonder
Regardless of the technical ins and outs, it seems foolish to take risks for the sake of the trivial convenience of not having to drag a widget to a folder to install it. Widgets should behave like the best of other applications: drag and drop to install.

But of course, that raises more questions:
1. Are widgets apps? Or are they more equivalent to web pages?
2. Are widgets self-installing to solve the problem of making them immediately available? Or just to make installing them easy on my mom? (She's gonna have to install applications at some point, so where's the advantage?)

Widget Manager helps me feel like I have a little control:

- "Do you think it's risky to go to the crack quarter at 3am?"
- "Why do you need to go to the crack quarter at 3am?"

2005-05-13 06:23:20
Double-clicking a widget does not install it anywhere. It just runs it and it doesn't appear in the widget drawer.

2005-05-13 13:57:05
Applications don't need to be drag-and-dropped to run
Sorry, you have that wrong. Applications can run from anywhere.

The article from Rixstep is wildly exaggerated. How can a widget running from a user account copy something to /Library/Widgets? Answer: it can't. Widgets only auto install to ~/Library/Widgets. They run with the user account's permissions, nothing else. Can a widget get to your address book and email something in the background? Sure. So what? Any application installed on your computer can do the same thing. Widgets actually take extra steps since they don't run until you click on them from the Widget bar.

From Rixstep, here are the fallacies:

Fallacy 1: Plug-ins run automatically and copying to the "end" of something will hide them. This doesn't even make sense. The plug-ins are part of the Widget bundle. The Widget is either copied to ~/Library/Widgets or it is not. The Widget can be double-clicked and run from anywhere but so what, any application has the same feature. Even if installed in the user's Library, the Widget only runs if it is clicked from the Widget bar.

Fallacy 2: An email voluntary virus will spread like wildfire. There is no evidence that this is true at all. Exactly how does it spread? There is exactly one person in my 50-60 name address book with a Mac. And she isn't running Tiger yet. I suspect that I'm somewhat typical. Macs are 5 to 10% of the market. OS X is obviously less than that. This is not an argument that OS X is secure through obscurity but an argument that the Windows monoculture is the main culprit for these kinds of voluntary viruses.

Fallacy 3: That Apple will never fix the obvious security problems in Safari and Dashboard. Sorry Rixstep but they will be marginally fixed in the next release of 10.4 and probably further refined in later versions. Apple has a security model in Dashboard all set up but for some reason didn't implement it in the first release of Dashboard. I suspect that they will do it soon.

There are 2 major security problems with Widgets right now. They are described very well on Aaron Harnly's site. The first is that Safari auto installs the Widget without user confirmation into the ~/Library/Widget folder. This is just plain broken. The second problem is a little more buried but in a nutshell, any Widget can overwrite a known good previously installed Widget and completely replace it from the UI perspective. This is very bad as Aaron points out in his demonstration. You can't tell the difference between his Sticky Widget and Apple's and Apple's Widget is nowhere to be found.