Zaptastic

Discussion in 'Macintosh' started by SPeedY_B, May 9, 2005.

  1. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    Looks like someone has decided to abuse Apple's auto install feature in Dashboard. There's no real harm that can be done (I don't think widgets have the privileges to do damage... yet anyway :p) but it can be very annoying and effectively break dashboard:
    Full information (and the download) are available from the following address, however - not that it should need saying - Don't visit in Safari :D

    http://64.70.134.217/widgets/zaptastic/
     
  2. muzikool

    muzikool Act your wage. Political User

    Yeah, I read about that earlier today myself. I definitely won't be visiting that site! :eek:

    There's discussion now about Dashboard's security in general. Some think that Apple designed it so that it's impossible for widgets to affect the root of the OS, but there's no clear answer to that from what I've seen. What has been recommended is to turn off the option in Safari to automatically run "safe" applications... Dashboard widgets being of that type. Also, you're basically guaranteed security if you're only downloading widgets from Apple's site. Will be interesting to see if this is addressed in some way in 10.4.1.
     
  3. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    Since Mac OS X is Unix, unless the process is launched with root privileges it can't do much if any damage to the OS - just files owned by the process user. However if it runs as root... go shoot apple :D
     
  4. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    muzikool, I have that option off anyway, annoys me more than being helpful :D

    Widgets run as the current user, and are only 'active' when you actually bring the dashboard into focus, however they can automatically launch things as soon as focus is created, which can be extremely annoying. A simple delete of ~/Library/Widgets/widgetname.wdgt and your problem is solved.

    Will be keeping an eye on this one though, see if anything malicious develops :D
     
  5. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA

    Apple did a good job on this one actually. It does not run as root as far as I know.
     
  6. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    :)
     
  7. Xie

    Xie - geek - Subscribed User Folding Team

    Messages:
    5,275
    Location:
    NY, USA
    Yeah widgets run in a "sandbox" from what I understand so no harm to your system really ... yet. I've also read that you will be warned if a widget you're installing (or is being installed without your knowledge) is going to use Cocoa/be executable. Also you can restart dashboard by killing the dock and restart it as dashboard is just a dock extension really. ;)
     
  8. muzikool

    muzikool Act your wage. Political User

    On a related note, here is a preference pane that provides a nice administrative feature for Dashboard.

    WidgetManager
     
  9. Nick

    Nick OSNN Lurker

    Messages:
    147
    Location:
    North West, UK
    There is a proof of concept out there that will install a widget that has system calls in it. This means they could use it to wipe out your home directory or to run an exploit to escalate local privileges, should one become known (if there isn't one already ;)).

    This is widely being seen as a bug, rather than an undocumented feature. This is due to code in place that filters out cocoa calls, so if a widget contains any cocoa calls it prompts you, however it misses system calls which are equally as dangerous. I think there's an option to turn off automatic widget installs, which I would recommend to people until Apple have commented on it and, hopefully, produced a patch that checks for system calls as well.

    There is an opportunity to create ad/spyware for Macs as well, as a 1x1 transparent widget could get up to all sorts of mischief.
     
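A way to check what is sitting in ~/Library/Widgets for the system-call capability Nick and SPeedY_B discuss, as an added example that is not code from the thread. It assumes the real Dashboard conventions (the Info.plist key AllowSystem and the JavaScript call widget.system()), reports only and deletes nothing, and builds its own constructed sample bundles in a temp directory so it can be tried without touching a real widget folder.

```shell
#!/bin/sh
# Added example: audit Dashboard widget bundles for system-call capability.
# Widget JavaScript reaches the shell through widget.system(), which Dashboard
# only permits when the bundle's Info.plist sets <key>AllowSystem</key><true/>.
# This script reports; removing a bundle is left to the user.

# Print "<bundle>  SYSTEM" or "<bundle>  ok" for every .wdgt in the directory.
audit_widgets() {
    dir="${1:-$HOME/Library/Widgets}"   # default: the per-user install location
    for bundle in "$dir"/*.wdgt; do
        [ -d "$bundle" ] || continue
        verdict=ok
        # Text plists: strip whitespace so key and value sit side by side.
        if [ -f "$bundle/Info.plist" ] &&
           tr -d '\n\t ' < "$bundle/Info.plist" | grep -q '<key>AllowSystem</key><true/>'; then
            verdict=SYSTEM
        # No flag declared, but a script still tries to call out: flag it too.
        elif grep -rq 'widget\.system *(' "$bundle" 2>/dev/null; then
            verdict=SYSTEM
        fi
        printf '%s  %s\n' "$(basename "$bundle")" "$verdict"
    done
}

# Number of widgets flagged SYSTEM in a directory (printed to stdout).
count_system_widgets() {
    audit_widgets "$1" | grep -c '  SYSTEM$'
}

# Constructed sample widgets (not real ones) so the audit can be tried offline.
make_sample_widgets() {
    d=$(mktemp -d)
    for w in Clock Zap Sneaky; do
        mkdir -p "$d/$w.wdgt"
        printf '<plist><dict><key>CFBundleIdentifier</key><string>test.%s</string>' "$w" > "$d/$w.wdgt/Info.plist"
        echo '</dict></plist>' >> "$d/$w.wdgt/Info.plist"
    done
    # Zap declares AllowSystem; Sneaky omits it but its script calls widget.system().
    printf '<plist><dict><key>AllowSystem</key>\n<true/></dict></plist>' > "$d/Zap.wdgt/Info.plist"
    echo 'function hit() { widget.system("/bin/ls", null); }' > "$d/Sneaky.wdgt/main.js"
    echo "$d"
}

SAMPLE=$(make_sample_widgets)
audit_widgets "$SAMPLE"
```

Run it with no argument to audit the real ~/Library/Widgets; anything flagged SYSTEM can then be deleted the way SPeedY_B describes.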
  10. Xie

    Xie - geek - Subscribed User Folding Team

    Messages:
    5,275
    Location:
    NY, USA
    Yeah this is going to be interesting to see what Apple does about all this. I hope they don't go the MS route and claim it as a "feature". I'm just glad I don't run Safari. :)
     
  11. muzikool

    muzikool Act your wage. Political User

    Safari won't do anything you don't ask it to if you turn off that open safe files feature.
     
  12. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    The answer to Mac's autoinstall from download:

    Also, even then Nick, the last line you got from the web page that has the zaptastic. What they fail to mention however is that you have to do several things to get it to install in the first place:

    Download it (Automatic, unless the above feature is turned off)
    Hit yes to install it (According to people on other forums)
    Then enable it in dashboard.

    So in theory a user has to do quite a bit to get it started in the first place.

    System calls however are important, I hope it gets fixed in 10.4.1 so I can get that one when I buy my copy of Tiger.
     
  13. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    Thought I'd mention, this will be patched in 10.4.1, even though there's really no harm in it, Apple would rather be safe :)

    10.4.1's at Build 8B15, and it's expected possibly some time next week.
     
  14. muzikool

    muzikool Act your wage. Political User