This from the Apple Developer site, Dashboard Programming Guide:
Widget Security Model
Using certain resources within your widget may pose a security risk for users. In these circumstances, the widget security model provides a method for Dashboard to be aware that your widget may perform insecure tasks. If your widget is working with resources that pose a security threat to the user, the user must approve before access is granted.
Dashboard allows you to ?declare your intentions? when you:
Access files outside of your widget bundle
Use a Web Kit or standard browser plug-in
Access network resources
Run a Java applet
Run a command-line utility
Using a widget plug-in
?Declaring your intentions? means that before your widget is run, you specify in your widget?s information property list file which resources you want to use.
***(list of keys here)***
If any of these keys are present in your information property list file and it?s located outside of /Library/Widgets/, a dialog is presented to users upon your widget?s first load. The dialog asks them whether or not they want to use your widget. If the request is approved, your widget is loaded and granted access to the resources that it requested. The request is not repeated on subsequent loads if approved. If the request is denied, your widget is not allowed to load. If your widget is loaded again, the request is made to the user again.
If you attempt to use any of these resources without first specifying them in your widget?s information property list file, your attempt fails.
i still think it is pure idiocy to not allow a gui-method for deleting widgets from the dashboard, like option-dragging out or something. i also don't understand why you can't resize the widget dock or reorder the widgets, but that's a subject for another thread.
This security concern is completely in the hands of safari, not dashboard!
Dashboard kindly notifies users of a program's capabilities before the program is run for the first time. It actually has better security than what we're used to. What's different here is that safari is copying the executable into a folder that most users aren't familiar with.
Perhaps the library directories aren't the most logical place to store what are basically "programs" that users will want to install and uninstall.
I'm really surprised the Tiger beta testers didn't catch this and raise a stink to Apple. (Maybe they did and Apple ignored them?)
I believe I read elsewhere that Widgets auto-installed by Safari do NOT provide the security confirmation pop-up. Also, someone has an example of Widgets that look like some of Apple's standard Widgets and replace them via adding spaces to the front of the names. So now you have a case where standard Widgets could stealthily be replaced with imposters.
Why on Earth is Safari integrated with Widget installation this way? Hasn't Apple learned anything from MS when it comes to automagically installing things on users' machines? Safari is a web browser it should treat all content coming from the wild, wild, internet as potentially dangerous to the user.
Apple's been pretty good about security issues in the past. Lets hope they slam this door closed very quickly.
I'm shocked that Apple could let this giant security hole slip through. It's a disaster and I hope for ours, and not least Apple's, sake that they fix this VERY soon (within a week max!). Even if the security risk is overblown (which I fear it's not) it's also a PR nightmare. Tiger is supposed to be the safe and secure alternative to Windows XP. Apple better take this matter seriously, because they will be losing sales every day this is not fixed and the reputation of Mac OS X as the safest OS will go down the drain. Dammit!
BUT the widgets need to be opened to cause any damage and if something is there the user does not notice they'll be unlikely to open it. What should happen is the same as the application download in Safari - some widgets cause this dialogue to appear but it should be there for all. It should say "this download contains a widget do you wish to install it?" We also need a GUI in the system preferences for organising these widgets. Apple have the automatic downloading to help users - the library folder makes sense to me - it's where your preferences are. BUT users shouldn't need to go there - maybe they should be able to control-click or use a contextual menu to install the widget - or double click and a dialogue appears [open or install]
This appears to be a big non-issue. The downloads don't auto run, and if they need resources outside of their bundle they have to ask permission the first time. What's the big deal? So you don't have a slick GUI do delete a file out of ~/Library/Widgets ? Well you don't have a GUI to delete an app out of /Applications either. I must say I rather like not having to use an uninstaller to get rid of apps. Widgets also.
For what it's worth, Widgets (.wdgt files) can be dragged into the Dashboard hot corner (if you have it set) and merely dropping it into the Dashboard layer will make it run. No expando eye candy though.
That's for those of us that think click-drag-drop is easier than double-clicking.
Applications are in a user accessible area. BUT the average use doesn't dig around in the library. There need to be a GUI for deleting widgets as it's easy to unintsall but also because of the location.
An application uninstaller would be useful too - but isn't that work done by the developer - not Microsoft (on Windows)?
Downloading widgets is NOT more dangerous than downloading programs! Safari's automated installation does nothing other than move the downloaded file.
Users can download programs or widgets without fear of them doing anything. A user must first give that program or widget permission to run.
Everything is as it has always been. (Except some "programs" are automatically moved after download.)
Downloading widgets is equally as dangerous as downloading a program and they should be treated the same.
The problem here is as you say, "some 'programs' are automatically moved". Not only are they automatically moved, but they are automatically/invisibly downloaded. i.e. There is special hidden behavior occuring with widgets, unlike every other file type you download from the Net.
Sorry, but I don't want that behavior. I want Safari to act as a WEB BROWSER, not a special content distribution thingy for OS X widgets. The web browser is a giant infection vector for nasty things from the outside world. The OS should treat it as such.
Also, as to the widgets having to be run to cause damage, the sample exploit site has a widget that sets its icon to a big nasty picture. Do you want porn and/or ads secretly filling your Dashboard?
I suspect this will blow over soon and people will become familiar with whatever behavior Apple decides is "correct" (and people will release software to "fix" that behavior), but for now it does appear to be a security threat to me.
BUT the widgets need to be opened to cause any damage and if something is there the user does not notice they'll be unlikely to open it.
True, but what if a hidden download replaces an already installed widget?
You click "Yes" without hesitating, as this is an already "known" widget.
This type of exploit is already been tested. Widget is downloaded and installed by just visiting a website. Nothing downloaded at will. All in all, Safari and Dashboard open the door for easy social engineering. Great.
True, but what if a hidden download replaces an already installed widget?
You click "Yes" without hesitating, as this is an already "known" widget.
This type of exploit is already been tested. Widget is downloaded and installed by just visiting a website. Nothing downloaded at will. All in all, Safari and Dashboard open the door for easy social engineering. Great.
You need an administrator password to overwrite a widget in the main Library. Widgets will not be overwritten in your area and are added to the desktop instead.
TAll in all, Safari and Dashboard open the door for easy social engineering. Great.
So has Acquisition and pirating/greed.
What's to stop someone from making a padded 180MB destructive AppleScript or worse that is called Adobe Photoshop Installer and with an Adobe icon and uploading it to the file swapping services?
Nothing.
All boils down to 1. know your sources and 2. see 1.
What's to stop someone from making a padded 180MB destructive AppleScript or worse that is called Adobe Photoshop Installer and with an Adobe icon and uploading it to the file swapping services?
Nothing.
All boils down to 1. know your sources and 2. see 1.
BUT if you're browsing and it automatically downloads without you noticing (possible) your in the shit! That's why on your desktop is ok - you'll notice it.
A new Web page documents an issue with Mac OS X v10.4 Tiger?s new Dashboard feature that, left unchecked, could potentially be exploited by malware developers, according to the page?s author. The exploit is described and demonstrated on a page called Zaptastic: Blueprint for a widget of mass destruction. Going by the nom de plume of Stephan.com, the author has described how Safari 2.0?s default preference settings could lead users to unwittingly download and install a Dashboard widget.
There?s a common misconception that auto-install of widgets means that they?re automatically running, and that?s not the case. Just because a widget has downloaded and installed itself into your Widget Bar (aka Dashboard Bar) doesn?t mean that the widget is running. A widget that isn?t launched can?t do anything.
If you don?t want widgets to even auto-install into the Widget Bar, simply uncheck the open safe files after downloading preference in Safari. After that, downloads will stay in whatever downloads folder you?ve set in that same preference.
Dashboard is worse than you imagined
Your initial thought upon hearing about this situation may have been, ?It?s just JavaScript. How much damage can it do?? The answer is, a lot ? widgets aren?t just JavaScript, and for those parts that are, Apple has taught JavaScript a few new tricks that Web browsers never dreamt of.
Widgets are owned by the user, and can do anything that a user can do. For instance, they can remove files from your home directory without asking permission. They can run anything from the command line that a user can. They can call any AppleScript that a user can. If you?re now starting to get a little nervous, you?ve got the right idea.
What can you do to be careful?
? Set Safari not to open safe files, as mentioned above. Or, if you?re not running Safari, you?re fine. Not auto-installing widgets eliminates many of the problems.
? Be aware of where your widgets are located. Apple says that widgets are located in one of two areas: /Library/Widgets and ~/Library/Widgets ? but that?s not always the case. If you download a widget onto your desktop and double-click it, you?ll launch that widget directly from your desktop, and while you?ll see it in the Dashboard, it will never show up in the Widget Bar.
? Know what a widget is supposed to do when you download it. A widget that should just show a countdown to a particular date has no reason to contain anything besides HTML, CSS, and JavaScript ? so when you?re downloading a widget, if you see an alert that says that it contains an application, think twice before accepting it.
Getting Geeky
If you?re willing to spend a little time in a text editor (I recommend TextWrangler from Bare Bones), take a look inside your widgets before you launch them. Go to ~/Library/Widgets and pick a widget to inspect. Control-click on the widget, and from the contextual menu, choose Show Package Contents.
You?ll see that a widget is, basically, just a folder with a particular suffix. At a minimum, it will contain an HTML file, an Info.plist file, and a Default.png file. Widgets will almost always contain .js (JavaScript) and .css (Cascading Style Sheets) files, also.
? The Info.plist file contains information about the widget itself. You can view it in a text editor. Look for lines like
<key>AllowNetworkAccess</key> <true/>
That means that the widget is allowed access to your network. If you don?t think that the widget should be able to do that, something funny might be going on. Other keys to look for are AllowInternetPlugins, AllowJava, and AllowSystem. The first means that the widget is allowed to access WebKit and browser plug-ins such as QuickTime and Flash. The second means that the widget is allowed to access Java applets, and the last says that the widget can run command-line utilities. The one key that should really raise a red flag is AllowFullAccess; it says that the widget is allowed to do all of the above.
? Open any .js files and look for lines that include widget.openApplication, widget.system, or widget.openURL. None of these is a red flag by itself, depending on what the widget is supposed to do. But if your widget is only supposed to put a pretty picture on your Dashboard, it shouldn?t be launching applications, accessing your system or the Internet.
Apple knows about these issues, and is likely to make some changes in the near future to deal with them. In the meantime, be aware, and be careful out there.
I personally don't see this as a major threat, but improvements can be made and likely will be made.
What pleases me is the the response of the Mac community. Everyone's a hubub discussing this. I just checked and now its on CNet. Point is, everyone is discussing this one issue. If this is all there is and this is how fast the market responds, solutions and awareness will be fast as well.
Yes, there are likely low-level problems waiting to rear their head, but I'm pleased at the direction we're going and the fact that your average Mac users cares.
Comments
Originally posted by johnq
True. I'm not sure how that happens. Surely the "Are you sure" isn't in the widget code itself, right? If so, yeargh!
I'll have to take a look at that code...
I think it asks Are You Sure to the ones with cocoa code, and not for the purely HTML/JS ones.
Widget Security Model
Using certain resources within your widget may pose a security risk for users. In these circumstances, the widget security model provides a method for Dashboard to be aware that your widget may perform insecure tasks. If your widget is working with resources that pose a security threat to the user, the user must approve before access is granted.
Dashboard allows you to ?declare your intentions? when you:
Access files outside of your widget bundle
Use a Web Kit or standard browser plug-in
Access network resources
Run a Java applet
Run a command-line utility
Using a widget plug-in
?Declaring your intentions? means that before your widget is run, you specify in your widget?s information property list file which resources you want to use.
***(list of keys here)***
If any of these keys are present in your information property list file and it?s located outside of /Library/Widgets/, a dialog is presented to users upon your widget?s first load. The dialog asks them whether or not they want to use your widget. If the request is approved, your widget is loaded and granted access to the resources that it requested. The request is not repeated on subsequent loads if approved. If the request is denied, your widget is not allowed to load. If your widget is loaded again, the request is made to the user again.
If you attempt to use any of these resources without first specifying them in your widget?s information property list file, your attempt fails.
This security concern is completely in the hands of safari, not dashboard!
Dashboard kindly notifies users of a program's capabilities before the program is run for the first time. It actually has better security than what we're used to. What's different here is that safari is copying the executable into a folder that most users aren't familiar with.
Perhaps the library directories aren't the most logical place to store what are basically "programs" that users will want to install and uninstall.
I believe I read elsewhere that Widgets auto-installed by Safari do NOT provide the security confirmation pop-up. Also, someone has an example of Widgets that look like some of Apple's standard Widgets and replace them via adding spaces to the front of the names. So now you have a case where standard Widgets could stealthily be replaced with imposters.
Why on Earth is Safari integrated with Widget installation this way? Hasn't Apple learned anything from MS when it comes to automagically installing things on users' machines? Safari is a web browser it should treat all content coming from the wild, wild, internet as potentially dangerous to the user.
Apple's been pretty good about security issues in the past. Lets hope they slam this door closed very quickly.
- Jasen.
Users can download programs or widgets without fear of them doing anything. A user must first give that program or widget permission to run.
Everything is as it has always been. (Except some "programs" are automatically moved after download.)
Originally posted by Mr Beardsley
So you don't have a slick GUI do delete a file out of ~/Library/Widgets ? Well you don't have a GUI to delete an app out of /Applications either.
Nor is there an easy way to remove the actual applications/folders/files that you add to the Dock.
At best you need to command-click it in the Dock, drag the original to the Trash, then delete the trash, then drag the icon off the Dock.
Hardly a slick solution.
That's for those of us that think click-drag-drop is easier than double-clicking.
It's just nice that Apple thought to enable that.
An application uninstaller would be useful too - but isn't that work done by the developer - not Microsoft (on Windows)?
Originally posted by dfiler
Downloading widgets is NOT more dangerous than downloading programs! Safari's automated installation does nothing other than move the downloaded file.
Users can download programs or widgets without fear of them doing anything. A user must first give that program or widget permission to run.
Everything is as it has always been. (Except some "programs" are automatically moved after download.)
Downloading widgets is equally as dangerous as downloading a program and they should be treated the same.
The problem here is as you say, "some 'programs' are automatically moved". Not only are they automatically moved, but they are automatically/invisibly downloaded. i.e. There is special hidden behavior occuring with widgets, unlike every other file type you download from the Net.
Sorry, but I don't want that behavior. I want Safari to act as a WEB BROWSER, not a special content distribution thingy for OS X widgets. The web browser is a giant infection vector for nasty things from the outside world. The OS should treat it as such.
Also, as to the widgets having to be run to cause damage, the sample exploit site has a widget that sets its icon to a big nasty picture. Do you want porn and/or ads secretly filling your Dashboard?
I suspect this will blow over soon and people will become familiar with whatever behavior Apple decides is "correct" (and people will release software to "fix" that behavior), but for now it does appear to be a security threat to me.
- Jasen.
Originally posted by MacCrazy
BUT the widgets need to be opened to cause any damage and if something is there the user does not notice they'll be unlikely to open it.
True, but what if a hidden download replaces an already installed widget?
You click "Yes" without hesitating, as this is an already "known" widget.
This type of exploit is already been tested. Widget is downloaded and installed by just visiting a website. Nothing downloaded at will. All in all, Safari and Dashboard open the door for easy social engineering. Great.
Originally posted by sissyfuzz
True, but what if a hidden download replaces an already installed widget?
You click "Yes" without hesitating, as this is an already "known" widget.
This type of exploit is already been tested. Widget is downloaded and installed by just visiting a website. Nothing downloaded at will. All in all, Safari and Dashboard open the door for easy social engineering. Great.
You need an administrator password to overwrite a widget in the main Library. Widgets will not be overwritten in your area and are added to the desktop instead.
Originally posted by sissyfuzz
TAll in all, Safari and Dashboard open the door for easy social engineering. Great.
So has Acquisition and pirating/greed.
What's to stop someone from making a padded 180MB destructive AppleScript or worse that is called Adobe Photoshop Installer and with an Adobe icon and uploading it to the file swapping services?
Nothing.
All boils down to 1. know your sources and 2. see 1.
Originally posted by johnq
So has Acquisition and pirating/greed.
What's to stop someone from making a padded 180MB destructive AppleScript or worse that is called Adobe Photoshop Installer and with an Adobe icon and uploading it to the file swapping services?
Nothing.
All boils down to 1. know your sources and 2. see 1.
BUT if you're browsing and it automatically downloads without you noticing (possible) your in the shit! That's why on your desktop is ok - you'll notice it.
From macworld...
http://www.macworld.com/news/2005/05/09/dashboard/
++++++++++++
May 09, 2005 7:00 pm ET
MacCentral
Dashboard: Widget (In)Security
By Dori Smith
A new Web page documents an issue with Mac OS X v10.4 Tiger?s new Dashboard feature that, left unchecked, could potentially be exploited by malware developers, according to the page?s author. The exploit is described and demonstrated on a page called Zaptastic: Blueprint for a widget of mass destruction. Going by the nom de plume of Stephan.com, the author has described how Safari 2.0?s default preference settings could lead users to unwittingly download and install a Dashboard widget.
There?s a common misconception that auto-install of widgets means that they?re automatically running, and that?s not the case. Just because a widget has downloaded and installed itself into your Widget Bar (aka Dashboard Bar) doesn?t mean that the widget is running. A widget that isn?t launched can?t do anything.
If you don?t want widgets to even auto-install into the Widget Bar, simply uncheck the open safe files after downloading preference in Safari. After that, downloads will stay in whatever downloads folder you?ve set in that same preference.
Dashboard is worse than you imagined
Your initial thought upon hearing about this situation may have been, ?It?s just JavaScript. How much damage can it do?? The answer is, a lot ? widgets aren?t just JavaScript, and for those parts that are, Apple has taught JavaScript a few new tricks that Web browsers never dreamt of.
Widgets are owned by the user, and can do anything that a user can do. For instance, they can remove files from your home directory without asking permission. They can run anything from the command line that a user can. They can call any AppleScript that a user can. If you?re now starting to get a little nervous, you?ve got the right idea.
What can you do to be careful?
? Set Safari not to open safe files, as mentioned above. Or, if you?re not running Safari, you?re fine. Not auto-installing widgets eliminates many of the problems.
? Be aware of where your widgets are located. Apple says that widgets are located in one of two areas: /Library/Widgets and ~/Library/Widgets ? but that?s not always the case. If you download a widget onto your desktop and double-click it, you?ll launch that widget directly from your desktop, and while you?ll see it in the Dashboard, it will never show up in the Widget Bar.
? Know what a widget is supposed to do when you download it. A widget that should just show a countdown to a particular date has no reason to contain anything besides HTML, CSS, and JavaScript ? so when you?re downloading a widget, if you see an alert that says that it contains an application, think twice before accepting it.
Getting Geeky
If you?re willing to spend a little time in a text editor (I recommend TextWrangler from Bare Bones), take a look inside your widgets before you launch them. Go to ~/Library/Widgets and pick a widget to inspect. Control-click on the widget, and from the contextual menu, choose Show Package Contents.
You?ll see that a widget is, basically, just a folder with a particular suffix. At a minimum, it will contain an HTML file, an Info.plist file, and a Default.png file. Widgets will almost always contain .js (JavaScript) and .css (Cascading Style Sheets) files, also.
? The Info.plist file contains information about the widget itself. You can view it in a text editor. Look for lines like
<key>AllowNetworkAccess</key> <true/>
That means that the widget is allowed access to your network. If you don?t think that the widget should be able to do that, something funny might be going on. Other keys to look for are AllowInternetPlugins, AllowJava, and AllowSystem. The first means that the widget is allowed to access WebKit and browser plug-ins such as QuickTime and Flash. The second means that the widget is allowed to access Java applets, and the last says that the widget can run command-line utilities. The one key that should really raise a red flag is AllowFullAccess; it says that the widget is allowed to do all of the above.
? Open any .js files and look for lines that include widget.openApplication, widget.system, or widget.openURL. None of these is a red flag by itself, depending on what the widget is supposed to do. But if your widget is only supposed to put a pretty picture on your Dashboard, it shouldn?t be launching applications, accessing your system or the Internet.
Apple knows about these issues, and is likely to make some changes in the near future to deal with them. In the meantime, be aware, and be careful out there.
What pleases me is the the response of the Mac community. Everyone's a hubub discussing this. I just checked and now its on CNet. Point is, everyone is discussing this one issue. If this is all there is and this is how fast the market responds, solutions and awareness will be fast as well.
Yes, there are likely low-level problems waiting to rear their head, but I'm pleased at the direction we're going and the fact that your average Mac users cares.
Originally posted by TednDi
more dashboard trouble.
You mean the same dashboard trouble all over again? :P
Hopefully 10.4.1 will fix it so that you always get a warning.