The cat's mustaches — Dashboard security

by Francois Joseph de Kermadec

Promise me you are not going to try the following command: rm -R ~/

What will it do? Well, normally, it will dutifully and silently wipe out your entire home directory. That is bad, very bad. All your files will be lost, gone poof in a UNIX massacre that no self-respecting cable channel would show before all kids are safely put to bed. However, would you expect Mac OS X to refuse to execute that command? No, certainly not: after all, you issued it and it is your responsibility to know what you are doing. Imagine, for a second, that your computer asks you every minute or two for confirmation of your every gesture and you will see why one of the fundamental assumptions in computing is that you know what you are doing.

Let's take this one step further. Let's say I am doing my best to tempt you and entice you to download a new, super sleek application that will keep you updated on the status of your laundry and your baked potatoes — while my competitors still cannot check both the oven and the washing machine simultaneously. You obviously don't know me and cannot be sure of my intentions. After all, maybe all my application does is wipe your home directory and play a little gloomy music… But let's say you go ahead, download it and run it anyway… What would you expect to happen? Should Mac OS X display a very long alert dialog telling you that, yes, maybe there is no way for an application to talk to your non-Bluetooth-enabled washing machine and that this might just be an elaborate hoax, or would you just expect it to run?

The same thing happens with Dashboard widgets. Widgets, although they are web based and "are as easy to develop as web pages", can do some pretty serious things, as shown by the Apple-provided ones but, more importantly, by the documentation published on the ADC website. A widget is an application and, therefore, running a widget from a non-trusted source means taking a risk — a real risk.

Of course, just like there are safeguards in Mac OS X (an application cannot gain root privileges without your expressly granting them, for example), there are safeguards in Dashboard but, ultimately, Mac OS X (like all operating systems) has no way to know what is good and what isn't, as long as an application that you run affects only your files. So far, there isn't anything new.

What is new in Dashboard, however, is the heavy marketing that has been launched around it, potentially misleading users and creating favorable ground for Dashboard-based social engineering. While I do admire some of the ideas that pop up at Apple's marketing department, I have to deplore the lack of communication that sometimes seems to happen between engineers and marketers. If both teams could interact just a bit more, I dare not imagine how successful Apple would be!

Certainly, in a quest to make things easy for the user, Apple did implement some auto-install features for widgets and forgot to provide an obvious way to uninstall them. However, in no circumstance (that I am aware of, at least) does Apple auto-launch a widget, meaning that a user still needs to click on it to open it.

Should you be concerned about the security of your Dashboard, simply set Safari to not automatically open "Safe" files — something I am sure most would consider a wise choice, even if Dashboard didn't exist. This will make any attempts to force a download on you a lot more noticeable. Also, be sure that you only browse trusted sites when using a browser where JavaScript and other interactive components are enabled.

In a nutshell, there is no need to lose sleep over Dashboard. It is a powerful feature and, like most powerful features, it comes with a responsibility for the user — remember what Terminal now tells you when you sudo for the first time! While I agree that Apple could further improve the warnings that are already in place, saying there is a "security hole" in Mac OS X today is a bit of an exaggeration.

[Update, in a dramatic, deep voice, with a violin background]: This is just to thank you all for your wonderful mails and talkbacks and for sharing with me some of the studies you have made of Dashboard: they are most instructive and I believe some of you have brought to light some potential issues that were previously unheard of. For now, I would definitely recommend that you uncheck the "Automatically Open Safe files" option in Safari and keep an eye on the situation. No need to run for the hills but, as the story evolves and until the dust settles, I would advise — as always — to stay on the safe side. What I tried to convey in the blog remains true (applications that you run and install have power over your files, even if they are called widgets) and, needless to say, I never intended to "downplay" any real issues there might or might not be — you know I would never do that and the safety of your data is my priority. To be on the even safer side, I notified Apple of the development you will find in the talkbacks, in order to ensure that as much information as possible is brought up the chain. As usual, I remain entirely at your disposal to answer any questions you might have, through mail or on this very blog. Once again, thank you all: I am glad to see cooperation and interaction once again make the Mac community one of the most rewarding and enriching there can be! — FJ.

8 Comments

pshantxx
2005-05-11 10:29:40
Really sad
What the hell are you talking about in here? You mean it's OK for my browser to install anything from the web? And in your opinion a message box saying "A widget is about to be auto installed on your dashboard. Do you want to continue?" is not necessary at all? It's sad that such articles make it to such reputed websites.
F.J.
2005-05-11 10:35:56
Really sad
Hi!

First of all, thanks for taking the time to write! :^)

I am sorry you feel that way about this blog. As you probably know, though, Safari does not perform a complex install, it merely puts the file in a folder. The fact that Dashboard picks it up because of its location makes it a lot easier to make a mistake but nothing is "run" strictly speaking.

Then, I agree with you (and this is what I point out at the end) that better, more frequent, warnings would be a good idea and would help prevent issues. In my experience, Safari does detect widgets when downloading them and, if a widget requires access to system resources, will pop up a message. Should you feel that there are some instances where this security procedure is bypassed, you might want to send feedback to the Mac OS X development team so that it can be corrected.

Finally, allow me to say, for the sake of clarity, that this blog entry is strictly personal and does not engage the responsibility of O'Reilly or any of its editors.

FJ

chaldean
2005-05-11 11:30:07
Read this page
http://www1.cs.columbia.edu/~aaron/files/widgets/

Then tell me whether you think this is a minor quibble! Silently replacing Apple-supplied widgets with malicious ones is pretty bad.

F.J.
2005-05-11 14:09:11
Read this page
Hi!

First of all, thank you very much for taking the time to write, I really do appreciate it! :^)

Thank you for bringing this to my attention. It indeed is most interesting and, should you think you have found a way to bypass any security dialogs, worth escalating to Apple. Have you done so yet?

FJ

maartensneep1
2005-05-11 16:57:53
Prevent installation of Widgets
A simple way to prevent installation of Widgets in the first place is to set the permissions for the Widget directory in ~/Library to "read only" for yourself. This way a process that you run (Safari) will not be able to write a new Widget there, causing any (automated) install to fail. This will allow you to check the "process safe files" checkbox (which can be handy in some cases), without having to worry about auto-installing widgets.

The page at Stephan.com (warning: this page auto installs a benign widget) shows some of the side effects. You could use this page to check your prevention measures (the one I described above works).

Maarten

F.J.
2005-05-12 02:07:29
Prevent installation of Widgets
Hi!

Thank you very much for taking the time to submit this technique!

It is indeed a way to prevent the auto-installation of widgets and should, in most cases, deter attempts to "sneak" something into your Widgets folder. Nevertheless, as the permissions could potentially be reverted by a third-party process or application with administrative privileges in a silent fashion, I would recommend using it as an additional measure but not as the only line of defense.

FJ
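The permission lock Maarten describes above, together with the re-check F.J. recommends because the bits can be silently reverted, as an added shell example that is not the blog author's or any commenter's own code. It assumes the per-user widget folder is ~/Library/Widgets (overridable by the first argument) and that Safari's "Open safe files" setting is the AutoOpenSafeDownloads key of com.apple.Safari, which can only be read where the macOS `defaults` tool exists.

```shell
#!/bin/sh
# Added example: lock the Dashboard widget folder against writes by your own
# account, and audit it later so a silent revert (F.J.'s caveat) is noticed.
# Assumed defaults: ~/Library/Widgets and the com.apple.Safari key below.

WIDGETS_DIR="${1:-$HOME/Library/Widgets}"

# Owner-write bit of a directory as 'w' or '-', parsed from ls -ld, which
# reads the same on macOS and Linux (test -w is misleading when run as root).
owner_write_bit() {
    ls -ld "$1" | cut -c3
}

# Succeeds when the folder cannot be written by its owner.
widgets_locked() {
    [ "$(owner_write_bit "$1")" = "-" ]
}

# Drop the owner's write bit so a user-level process such as Safari cannot
# place a .wdgt bundle here; run again to re-apply after a revert.
lock_widgets_dir() {
    chmod u-w "$1" && widgets_locked "$1"
}

# Restore the write bit only while deliberately installing a widget.
unlock_widgets_dir() {
    chmod u+w "$1"
}

# Safari's "Open safe files after downloading" setting on macOS; 0 means the
# box is unchecked, an unset key means the default (on). 'unknown' elsewhere.
safari_auto_open_setting() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo "default (on)"
    else
        echo "unknown"
    fi
}

audit() {
    if widgets_locked "$WIDGETS_DIR"; then
        echo "OK: $WIDGETS_DIR is not writable by its owner"
    else
        echo "WARN: $WIDGETS_DIR is writable; an auto-installed widget would land here"
    fi
    echo "Safari AutoOpenSafeDownloads: $(safari_auto_open_setting)"
}

if [ -d "$WIDGETS_DIR" ]; then audit; fi
```

Run it periodically (or from a login item) so that a WARN line shows up if something has quietly restored the write bit; a root-owned process is not stopped by the bit itself, which is why the audit matters.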

stupidkiwi
2005-05-12 15:55:34
User responsibility?!
I have only recently moved from Windows to Mac. I am no longer recommending Macs to my mother, or anyone else.

Microsoft fanboys say the same rubbish as you have said in your article(?). You have just defended Apple in the same way, using the same words and terms as any fanatic defending Windows security.

I know how to protect myself, but I would never recommend that any beginner or intermediate user use one insecure system over another insecure system.

I am not even referring to the automatic and invisible installs of malware widgets. I am referring to the defence that people "have to know what they are doing". Apple have a sad little stable of widgets, especially when you look at how many are USA only. If you live outside USA and want to use widgets to improve your life, you are going to have to depend on those "Untrusted" download sites. Maybe you could help yourself by learning a dozen languages and do deals with telecommunication and weather forecasting companies worldwide to get data for these widgets you can produce that we can trust. Just remember, we the end users can't trust you any more than anyone else online whom we do not know. So are beginners going to have to learn Java and Unix to go online on a Mac? The reality is that the vast majority of people just click and hope.

I have to ask. Why would any Widget need to access Unix commands on your machine? The main uses for widgets will obviously be the ability to gather data regularly from sites online. Why would you EVER need a widget that could delete anything off your hard drives?! I can. It's called a virus. Can you tell me why a widget would ever need to scan any directory on my hard drive? I can. It's called spyware. Adware may be impossible to stop as long as you can fetch data from the net using Java etc.

So when eighty thousand children and retirees infect their machines with malware, will you personally volunteer to clean their systems up before they get their checkbooks (or nag their parents) to go buy a PC? PCs after all may have the same rubbish security, but at least they have a wider range of software, especially games. PCs have more support. On OSX we have had until now two bonuses. "It just works" philosophy, and real security. Now we have lost security we get to "Malware, it just works". Unless you propose we cut the fingers off all beginners and intermediate users to prevent them from hurting their systems by clicking on something they "can't trust". Give me a PC under those conditions.

My guess is that you, and Apple's development staff have lost track of beginners. What year did you last help a beginner fix a problem that was their fault? My wife and I have had to be the fixit people for all these people who are our family and friends. We do it for free and it takes all our spare time which disadvantages our children. Now you are advocating for increasing the hordes of crippled beginners.

If the only OS that is secure in the future is Linux, that is what we will switch to in our next lot of hardware purchases, and it is the OS we will recommend for all family members and friends to switch to. We have already convinced one friend to switch to Linux for security reasons as she was pissed off with Malware. She is now very happy.

F.J.
2005-05-12 16:19:24
User responsibility?!
Hi!

First of all, thank you for taking the time to write and express your concerns! :^)

I am most sorry you feel that way about Mac OS X, although I think that you may be overreacting to the current situation. Even the best designed of operating systems have security issues — I have heard of none that has not had one. Mac OS X, Windows, Linux and the great many other operating systems out there all face security problems. The question is how frequent these problems are, how deep they are, how well the developers of the operating system in question react to them and how they affect your work — as your exposure to vulnerabilities will vary depending on what you do with your computer.

As a matter of fact, I am just in the process of helping someone switch (right as I write this message) and I am acutely aware of the issues and problems a beginner may face. I do not consider myself an expert and do not think in any way that I am "above" anything or anyone and can relate to the difficulties associated with learning how to use an operating system for having gone through them myself many times.

You allude to the weather widget, which actually is able to get international information — the only one that is of no use to non-US users so far is the Yellow Pages one.

You raise valid questions about why a widget would need to perform certain classes of actions such as running commands and accessing files. This is unfortunately something I cannot answer as only the developers of that feature could give you the definitive view on their original ideas. It appears that there are lots of legitimate uses for the current features such as writing temporary files or preferences files, which even the most simple of widgets will need to do in order to remember your settings, or getting information on your current configuration to answer your needs.

As usual, the choice of operating system and of technologies is yours. If you feel Mac OS X is not for you and Linux would be better suited, feel free to use it — many Linux distributions would actually run beautifully on your Mac. Basing such a decision on one security alert and on a blog entry you do not agree with may be hasty but the most important thing of all is that you are happy with your computer and find an environment on which you feel comfortable and productive.

Once again, thanks for taking the time to share your thoughts with me.

FJ