Widgets: Tiger's porn scam gateway?

Best spend some time in the Library...

By Jo Best, 9 May 2005 13:45

NEWS Widgets, one of the much-publicised features of Apple's latest OS, Tiger, could be ripe for exploitation by porn scammers.

Apple has been encouraging developers to create new widgets - a semi-transparent layer of everyday, often-used applications such as a calculator or currency converter that flips down over the user's desktop - but within days of Tiger's public release, one developer claims to have already found a way to turn widgets into potential malware.

Developer Stephan, who has posted the widgets to his blog, has created two mini-apps which he describes as "slightly evil". One widget, he says, will automatically install itself on users' desktops when his 'Zaptastic' website is visited using Apple's Safari browser.

This, according to Stephan, is a golden opportunity for porn scammers, enabling them to auto-install widgets which can hijack browsers.

According to Stephan's blog: "I happen to like [auto-install]; I think it's a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.

"That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it."

Widgets cannot be removed from the toolbar, but they can be deleted from the Library folder.

"The average user, who can't find their Library folder with two mice and a spotlight, is stuck. It would take all of 30 seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard and you're stuck with it. It doesn't even need any Javascript," Stephan added.

Stephan has also created the zaptastic_evil widget, which redirects the user's browser to a website every time the widget Dashboard is launched - and drops the user out of Dashboard, preventing the widget from being closed.

A fellow blogger, going by the name of Aaron, has created a series of widgets that closely resemble Apple's own set of widgets and can be used to displace the genuine ones. One of these fake widgets can run with full system access without the user's express permission.

Apple declined to comment.

Despite the potential for mayhem, Mac users can get rid of the widgets by deleting them from their Library folder and using Activity Monitor to kill any instance of the widget that is already running.
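The clean-up the article describes comes down to finding widget bundles in the Library folder that you did not put there yourself. The following POSIX shell script is an added example, not code from the article or from Stephan's blog: it inventories the bundles in a Widgets folder and reports any that are not on an allowlist of widgets you installed deliberately. It assumes (not stated on the page) that user-installed widgets land in ~/Library/Widgets and that widget bundles are directories named *.wdgt; the sample folder and allowlist in the demo are constructed so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the article): inventory Dashboard widget bundles and
# flag any that are not on an allowlist.
# Assumptions: user-installed widgets live in ~/Library/Widgets (system-wide
# ones in /Library/Widgets) and each widget is a directory named *.wdgt.

# Print the bundle names found in DIR, one per line (no output if none).
list_widgets() {
    dir=$1
    [ -d "$dir" ] || return 0
    for w in "$dir"/*.wdgt; do
        [ -d "$w" ] || continue      # skip the literal glob when nothing matches
        basename "$w"
    done
}

# Print bundles in DIR whose names are not listed in ALLOWFILE (one per line).
# -F: fixed strings, -x: whole-line match, -q: quiet, so a partial name like
# "Calc" in the allowlist does not silently approve "Calculator.wdgt".
unexpected_widgets() {
    dir=$1
    allowfile=$2
    list_widgets "$dir" | while IFS= read -r name; do
        if ! grep -Fxq "$name" "$allowfile"; then
            printf '%s\n' "$name"
        fi
    done
}

# Demo on a constructed folder: one legitimate bundle and one that was
# auto-installed without the user noticing. Expected output: zaptastic.wdgt
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Widgets/Calculator.wdgt" "$tmp/Widgets/zaptastic.wdgt"
    printf 'Calculator.wdgt\n' > "$tmp/allow.txt"
    unexpected_widgets "$tmp/Widgets" "$tmp/allow.txt"
    rm -rf "$tmp"
}

demo
```

On a real machine you would run `unexpected_widgets "$HOME/Library/Widgets" my-allowlist.txt` with an allowlist you wrote when the folder was in a known-good state; anything the script reports is a candidate for the Trash, followed by the Activity Monitor check the article mentions.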

Comments

There are 15 comments.

  1. anonymous

    "The funny thing is that once that widget is there, according to Apple, you CANNOT remove it."

    I don't know where your source got this idea, but it wasn't from Apple. You remove widgets by opening the /Library/Widgets folder and dragging the unwanted widget to the Trash. (Ed note. And if you read the article that becomes clear, though if you look at the Tiger help section you'll note Apple's assertion along similar 'unremovable' lines. )

    When did reporters stop checking the assertions made by the strangers they interview? (Ed. Perhaps about the same time readers stopped reading articles to the end...) Sorry (Ed note. Think nothing of it, we'll let you off.)

  2. anonymous

    I hope the jerk in your article is being pursued for creating malware - I don't care if he claims that his actions are to help expose vulnerabilities - he has posted his malware for others to use and that is wrong

  3. Dan Ashley

    I'm reasonably competent (I can use the Terminal to ftp pages up to a website and I set up my own ethernet file server that serves files to both the PC and the Mac) and I did not even know there was a Library.

    And Activity Monitor? I saw nothing about it in the booklet that came with my new G5.

    This is scary!

    - Dan

  4. anonymous

    Porn I like. On my time and when I specifically ask for it. Not on Stephan's time.

  5. anonymous

    Porn Wiggets!!!!

    Cool!

    ;-)

  6. Roger

    Sounds like an update is needed (I'm guessing 10.4.1 will be right around the corner). I just don't understand how a couple dozen smart programmers can design this stuff without thinking about the negative implications. Who wants to be sifting through the Library? (This sounds like something MS would do!)

  7. A W Hardie

    In response to the previous poster,

    surely it is better that this problem is publicized and people made aware of the work around (turn off run on download).

    If this person hadn't announced the problem people might still be in the dark.

    Better to be knowledgeable and able to defend oneself than ignorant and defenseless.

  8. Just this guy, you know

    If there was an exploit like this available in Internet Explorer people would be screaming bloody murder. Apple need to patch this ASAP.

  9. Mark SPLINTER

    so stupid. how can programmers sit around making "auto-install" features and not check to see if they can be subverted? did nobody say "isn't this dangerous" in any meeting? the same thing happened with firefox, didn't it? i have no idea how to code applications but i certainly have an alarm bell in my head whenever anyone says "automatic".

  10. Jim

    It's funny how even when a security hole is genuinely found in another operating system, people still manage to turn it round into a slate against Microsoft, LMFHAO.

  11. Me

    Does Konfabulator have the same vulnerabilities? If not, best stick with Panther and Konfabulator.

    But how, how, how can a product get to this stage and NOBODY said "Whoa! Isn't blind trust in the benign integrity of all of cyberspace just a little naive?"?

  12. anonymous

    Have to agree with Jim. What has this article got to do with Microsoft?

    This article clearly details a mistake that Apple have made. If Joe Bloggs off the street was to buy a Mac because they are fed up with Microsoft, they will probably fall foul of this security issue. How long would it have taken the virus writers to exploit this? At least Apple are now aware of this and can rectify it.

  13. David J Walker

    Well done Apple! Steve Ballmer will be proud of you!

  14. anonymous

    If you lock your Widgets folder, zaptastic will not install. Get Info and lock the folder. Apple should fix this hole though. Only when you are confident about what the widget does should you unlock and drop it in.

  15. Peter Risdon

    This is a really, really dumb mistake by Apple, and the developer who has pointed it out deserves thanks.

    At this rate, they'll threaten Microsoft's monopoly on fundamental security holes.

    Buck up, Apple, before the only properly secure operating systems are some of the Linuxes and all of the BSDs.
