By Joris Evers
Posted on ZDNet News: May 21, 2005 12:34:00 AM

Though Apple Computer updated its latest OS this week to solve a security problem with widgets, worries persist that the small applications still pose a potentially serious risk.

Widgets, small programs that install automatically after they are downloaded, were introduced in Tiger for the Dashboard, a layer that overlays the desktop. An attacker could write a malicious widget for Mac OS X 10.4 Tiger that would run invisibly in the background and hijack a user's "sudo," or administrative, privileges on a system, according to an alert distributed on the Full Disclosure mailing list late Wednesday. With administrative privileges, the attacker would have full control over the targeted Mac.

On Monday, Apple published the Mac OS X 10.4.1 update to fix an earlier security issue related to widgets. Before the patch, widgets would download and install without warning. Patched machines display a dialog that asks the user to confirm a download, but they do not tell the user that the confirmation also triggers installation of the widget.

While the patch mitigates the risk, security issues remain with widgets, according to Jonathan Zdziarski, a software engineer and author of Wednesday's Full Disclosure posting.

"Those widgets should never be allowed to get administrative access on the system," Zdziarski said in an interview. "Apple has taken sort of the Microsoft stance with widgets, in that it is one of the few tools that is completely built into the operating system."

Zdziarski is also unhappy with how the Mac maker addressed the previous widget problem. It should be clear to users that a widget is not only being downloaded, but also installed, he said. "They terribly misworded that button. When I click 'download,' I expect to just download it. In fact, the widget is installed."

A malicious widget, once installed, can run in the background and wait until the user logs in as administrator. It can then hijack those credentials to deliver its payload, Zdziarski said. The action could be anything from wiping a hard drive to sending the attacker the victim's list of usernames and passwords stored in Apple's Keychain, he said.

For a user to fall victim to a malicious widget, the application first needs to be installed on a Mac. That required user interaction disqualifies it as a security vulnerability, according to several responses to Zdziarski's posting on Full Disclosure.

Apple is encouraging developers to create new widgets and its Web site already lists 209 of them. Widgets are also available elsewhere on the Web.

For protection, users should download widgets only from trusted Web sites, Zdziarski suggests.

Apple declined to comment for this story.
