Apple dashboard widget vulnerability published

Apple dashboard widget vulnerability published

Summary: An article (republished by the author here) in the Autumn 2008 issue of 2600 Magazine details a pretty serious vulnerability with Apple's dashboard widgets that could allow access to data on the user's hard drive.Since we may access the system with user privileges, we may edit/remove/create files within the user's home directory (this includes such sensitive data as ~/.

SHARE:
TOPICS: Security, Apple
18

An article (republished by the author here) in the Autumn 2008 issue of 2600 Magazine details a pretty serious vulnerability with Apple's dashboard widgets that could allow access to data on the user's hard drive.

Since we may access the system with user privileges, we may edit/remove/create files within the user's home directory (this includes such sensitive data as ~/.gnupg/secring.gpg [the place where the PGP private key is stored if the users uses PGP] and other such things, be creative).

The vulnerability exploits the fact that dashboard widgets are easily installed by a user and aren't generally thought of as a security threat. The problem stems from the fact that the user has to trust the widget's developer to set the proper access permissions for the widget.

The following scenario might be possible:

An attacker creates a widgets which is as simple as counting down the days until the olympic games in China start. The widget is small and downloaded by thousands of sports enthusiasts from around the world. The widget is always opened in the dashboard because it is so small and looks so innocent. In reality however, the attacker has granted the widget network access, file access and system access. Periodically (e.g. every time the widget updates the days until the event starts, or every time the user opens dashboard) the widget connects to a central or even distributed command and control server that sends new instructions to the widget which are downloaded and stored on the filesystem (maybe in the /tmp directory with some obscure name) and executed. In these instructions there may be anything, ranging from a local root exploit to really gain access to the system, or the instructions say that the system should forward any mail that the user has received to another account, or delete the content of the user's documents directory (see below for more ideas).

The article goes on to detail a proof of concept for the vulnerability in which a dashboard widget takes a screenshot of the active screen and uploads it to a server. But the author notes that the file could contain any type of commands.

Scary stuff, let's hope that Apple addresses this in their next round of security updates.

[poll id=161]

Topics: Security, Apple

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

18 comments
Log in or register to join the discussion
  • Go sell crazy someplace else...

    If you download something off the Internet and run it,
    anything, on your computer it has access! It's not a flaw in
    the OS it's just the way it is!

    Here's a better story...AppeScript can be used to exploit
    user machines! Go into AppleScript Studio and create a
    fake looking installer UI for some cool free game or
    something where the attacker asks the user for their
    admin password as if to install the application. BUT instead
    it sends the password to a central server that returns with
    a payload to install at the admin level and turns the
    machine into a zombie!

    Wait....I have more!
    Jeffsters
    • But...

      Mac fanboys swear that can't happen. LOL. Once again an example that an OS is only as secure as its user.
      ShadowGIATL
      • Yep....

        As I always say no OS in the world is gonna stop a user from clicking yes, yes, yes. I think Apple users are gonna have to play just like windows users here shortly. But I am afraid that Mac users have this sense of invisibility where they will be more likely to trust anything because they think its software for a Mac and it must be safe. Just my thoughts.
        OhTheHumanity
        • Agreed

          I feel quite a few of them are so wrapped up in themselves and their "bulletproof" Mac that when the day comes, it will cause an unbalance and send their entire micro-universe to collapse into a black hole.

          But then again I probably watched to much sci-fi growing up...
          ShadowGIATL
    • Not true...

      The point of this article was that it allowed access to crucial data. On more secure systems this would require administrative permissions to be assigned to the application.
      Spiritusindomit@...
  • Translation

    you can phish someone into installing widget and gain control of their home directory. And this is a horrible security weakness because you can phish someone into clicking "yes" when asked if they really want to install the widget.

    This is way more serious than a phishing attack where you are tricked into typing your password when asked to install a program, because we are so damn desperate to have something rotten in an Apple.
    frgough
  • Not a vulnerability

    Widgets are meant to work like this, they are simply
    applications with HTML user interfaces. They have access to
    the same APIs those writing full applications do. The problem
    is with the distribution system of widgets, not the widgets
    themselves. Otherwise we should start panicking because any
    application you install on your computer can access your
    home folder!
    Martin Pilkington
  • Apple is the fastest to Patch

    So I wouldn't worry. Apple engineers are hands down
    the best Security guys out there. How else could they
    create such a secure and stable OS.

    This vulnerability will be patched soon unlike
    Microsoft or the Linux scene.
    Gnutella
    • Erm...

      Should we not count the still unpatched quicktime and safari code execution vulnerabilities? They're quick to patch the OS, but not a lot else.
      Spiritusindomit@...
      • Sorry

        I bet those are in the the Windoze versions. Safari is
        the safest, fastest and most revolutionarily
        innovative browser . Quicktime is faster than any
        player out there including VLC and Media Player.

        This widget issue is not a vulnerability in so much as
        it's an opportunity for Apple to perfect OS X. If you
        looked in Vista and their crappy gadgets I bet you'll
        find a lot more vulnerabilities.
        Gnutella
        • What do you know?

          Well, well, well--could it be that our dear Mike Cox has some
          decent competition, sort of in reverse?

          Cleverly done, Gnutella.
          frabjous
        • Come on, get real,

          You absolutelly suck at trolling.

          First, you make sure you call it [i]Windoze[/i], then next you claim [i]Safari is the safest, fastest and most revolutionarily innovative browser[/i], something many long time Mac users would never claim, then you go on say that [i]Quicktime is faster than any
          player out there including VLC and Media Player[/i], prasing a program many people on both sides wouldn't let get within 100 feet of their computer.

          You did manage to do one thing rather well.

          Make yourself look foolish.

          Please troll someplace else.
          AllKnowingAllSeeing
        • Oh wow....

          was that not a paid for advertisement?

          Brought to you by Steve Jobs, and the bit to save his job once again...

          Seriously... do you really buy the crap your selling or are you just that brainwashed or you hoping that sane people will really fall for it?
          ShadowGIATL
    • BWAHAHAAHAHAHAHAH

      BS. They don't understand blended threats until it bites them on the rear.

      The trojan enabler I sent to them got relabeled "Enhancement" when it allows easy hiding of malware. I pointed out to them EXACTLY how it can be exploited too.
      rpmyers1
  • Thanks for the "news"

    This is kind of sad. This has been known since dashboard widgets
    were added to OS X. Now some "researcher" showed his talent by
    publishing an article and Mr. O'Grady reports on it like it's news.

    Apple could add warnings during the install indicating what access
    level a widget requires, but that wouldn't make much sense without
    doing the same for all application installs. If you think it is a
    security flaw to not explicitly state that an application requires file
    access, network access, etc in order to operate, then every
    operating system is highly vulnerable right now, not just Apple's.
    themacolyte
  • Yeah, this is one page apple needs to take from microsoft.

    Vista might be annoying, but under the manual authentication methods, there is no random code execution or access to sensitive data. Thank god no one really writes viruses for os x yet.
    Spiritusindomit@...
    • There are problems on Vista too

      They don't close the "hole" because it allows you to use Office from within IE. It's as designed.
      rpmyers1
  • Common sense: the least common thing in the omniverse

    But seriously, folks...

    if you're not using a firewall at the router level, and a software package to match, you may or may not be vulnerable, but you can't know for sure. That's how (possible) FUD like this gets started.

    Rule 1: Educate yourself on how you and the apps you use connect to the Net (whatever your platform).

    Rule 2: Define sensible policy and use a software package like Little Snitch on Mac or ZoneAlarm on Windows to enforce that policy.

    Rule 3: Revisit Rules 1 and 2 regularly.

    The price of freedom is eternal vigilance....
    Jeff Dickey