By Joris Evers, 23 May 2005 08:50
Despite Apple updating its latest OS this week to solve a security problem with widgets, worries persist that the small applications still pose a potentially serious risk.
Widgets, or small programs that automatically install after downloading, were introduced in Tiger for the Dashboard, which overlays the desktop. An attacker could write a malicious widget for Mac OS X 10.4 Tiger that would run invisibly in the background and hijack a user's "sudo" (or administrative) privileges on a system, according to an alert distributed on the Full Disclosure mailing list. With administrative privileges, the attacker would have full control over the targeted Mac.
Last Monday, Apple published the Mac OS X 10.4.1 update to fix an earlier security issue related to the widgets. Before the patch, widgets would download and install without warning. Patched machines display a dialog box that asks the user to confirm a download but doesn't tell the user that the confirmation also triggers installation of the widget.
While the patch mitigates the risk, security issues remain with widgets, according to Jonathan Zdziarski, a software engineer and author of the Full Disclosure posting.
"Those widgets should never be allowed to get administrative access on the system," Zdziarski said in an interview. "Apple has taken sort of the Microsoft stance with widgets, in that it is one of the few tools that is completely built into the operating system."
Zdziarski is also unhappy with how the Mac maker addressed the previous widget problem. It should be clear to users that a widget is not only being downloaded but also installed, he said. "They terribly mis-worded that button. When I click 'download', I expect to just download it. In fact, the widget is installed."
A malicious widget, after it is installed, can run in the background and wait until a time when the user logs in as administrator. It can then hijack those credentials to deliver its payload, Zdziarski said. The action could be anything from wiping a hard drive to sending the attacker the victim's list of usernames and passwords on Apple's Keychain tool, he said.
For a user to fall victim to a malicious widget, the application first needs to be installed on a Mac. This required user interaction disqualifies it as a security vulnerability, according to several responses to Zdziarski's posting on Full Disclosure.
Apple is encouraging developers to create new widgets and its website already lists 209 of them. Widgets are also available elsewhere on the web.
For protection, users should download widgets only from trusted websites, Zdziarski suggests.
Apple declined to comment for this story.
Joris Evers writes for CNET News.com

Comments
There is 1 comment.
1. anonymous
Apple should forget "Widgets", and not let the community into its OS.
I am only considering the purchase of an Apple for my 16-year-old because I did not want the both of us to spend our days fighting the thousands of viruses, malware, and hackers that seem to invade and debilitate every Microsoft Windows computer. Most of our personal computer time, and the vast majority of our network administration cost and resources, are directed at battling the relentless hordes of Microsoft security hole invaders (which continuously increase exponentially).
Macs were 10 years ahead of their time when I had my IIci, but Apple killed itself by not including enough RAM in its first machine, then not going on the attack when PC Mag published the "10 Lies About Windows 95". A Mac would be on every desk, but even now, Apple continues to kill itself, by just NOT marketing!
The public needs a computer that's secure !!! The public needs a computer that is safe for children !!! Apple has (had) the machine, but the company appears to be deviating from its previously straight and narrow path.