Widget Authentication Hijacking Vulnerability - Page 3

elander · #17 May 21st, 2005, 01:18 AM

Quote:

Originally Posted by fryke

Shall I be the one painting the _really_ dark picture? We've always said that the Mac was inherently safe. That Mac viri wouldn't spread like Windows viri, because they couldn't use the Mac's E-Mail applications like they could with Windows, spreading stuff quickly all over the place.

1.) Someone writes a malicious Dashboard widget that looks delicious.
2.) Someone writes a Windows worm/virus combo that spreads all over the net.
3.) The worm starts using the Windows machines and will be sending out millions of E-Mails containing the Dashboard widget.

Windows, in this dark picture, will be a needed part. But it's not like there weren't any Windows machines out there, right?

Well, if you have Postfix enabled on your computer, all you need is a short shell script to send mail. Another script can get to your address book to extract the mail addresses.

I don't beleive that this is a great risk though, users running Postfix often know what they're doing, and probably are more paranoid than other users ('nix admins are, it's a prerequisite

). Still, a heads up is nice.

I really have mixed feeling about this Dashboard thing. There are a lot of things you can do without sudo in a shell script, and the ability to run them without user intervention in Dashboard can lead to all sorts of trouble.

I hate scaremongering, and we haven't actually seen any really bad stuff being propagated yet. We have however seen convincing proof of concept, like the autoloading (and really annoying) zaptastic*, so I guess a heads up is in place.

*/ Yes, I know. The autoloading hole has been plugged in 10.4.1, but it was rather worrying, and I thought it was worth mentioning.

jzdziarski · #18 May 21st, 2005, 07:39 AM

I wouldn't say it was plugged in 10.4.1, at least adequately. Safari now asks you if you want to download the application. It says nothing about running it...so your choice is to either not download it, or download+install it. That seems pretty asinine to me.

I don't think anyone's trying to create a scare tactic; the reason advisories like this exist is to warn people so that there aren't any actual exploits. Something like this, which has a workaround, should be reassuring rather than scary. I think the Apple user scene is just not very used to experiencing many security vulnerabilities, at least as many as windows and *nix users.

My biggest frustration isn't these two holes, but the fact that the dashboard is so well integrated with the operating system. It shouldn't be a part of the dock IMO. There should be a "widgetd" process of some sort running, perhaps even as an unprivileged user like 'nobody'.

elander · #19 May 21st, 2005, 12:50 PM

My comment about scare tactics wasn't directed towards any of the other posts in this thread. This thread is rather balanced and deals with the problem in a sane way. Possibilities explored and explained without exaggerations and unnecessary extrapolations into an abysmal future.

I just wanted to explain that I don't want to scare anyone, but that it might be appropriate to be a little extra careful when selecting widgets to install.

I also agree that the hole isn't totally plugged, but the worst part of it is. A widget can't sneak by you without your knowledge anymore. Another thing they should have done was to make "Open 'safe' files after download" deselected by default. Either that, or don't include .wdgt files in the list of "safe files".

jzdziarski · #20 May 21st, 2005, 12:52 PM

Hmm is there a way to edit the safe files list, I wonder.

Krevinek · #21 May 23rd, 2005, 01:09 PM

Well, the good news is that widgets are forced to sleep (their process is suspended) while Dashboard is not in the foreground. This decision was based on the idea that users should not have to put up with possibly misbehaving widgets that need to constantly update the display when there is nothing to display, sucking down CPU.

This is a definite threat, as it does open the door for all sorts of nastiness beyond what is currently capable... since this knowledge elevates the access of Dashboard widgets beyond that of a normal application. This is /bad/. Widgets should have LESS access than applications. I personally agree with the idea that Dashboard should be seperated further, even though it already has its own Daemon process, but it is tied to the system quite tightly. Have it run as nobody.

However, those who don't like Dashboard and don't bring it to the front are safe... especially since there are 4 conditions that have to be met before code can actually do something malicious:
1) User has downloaded the widget or had it installed
2) User has chosen to put the widget onto his/her dashboard screen (spawn it)
3) User has authenicated
4) User has brought Dashboard forward before the sudo timeout occurs

That is pretty user involved here, so it is much more like an old MacOS 9-style trojan than anything else. Still, it needs to be plugged ASAP, as it is a danger, and that is bad.

jzdziarski · #22 May 23rd, 2005, 01:15 PM

Widgets aren't forced to sleep, they just have a function that gets called when hidden. It's up to the widget whether to fall asleep or not. In fact, I've made a small modification to the weather widget so it'd update in the background while I was working. This means a malicious widget could do its thing the second you sudo.

**fryke** · #23 May 23rd, 2005, 01:25 PM

Can you post what exactly you did to the Weather widget?

jzdziarski · #24 May 23rd, 2005, 01:30 PM

It's posted on macosxhints.com

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Weather Widget	Scottfab	Mac OS X System & Mac Software	2	May 17th, 2005 11:15 AM