
Zaptastic

SPeedY_B

I may actually be insane.
#1
Looks like someone has decided to abuse Apple's auto install feature in Dashboard. There's no real harm that can be done (I don't think widgets have the privileges to do damage... yet anyway :p) but it can be very annoying and effectively break dashboard:
You cannot get rid of zaptastic_evil without deleting it from ~/Library/Widgets/ and rebooting your computer. You cannot use your Dashboard until you delete it from ~/Library/Widgets/ and reboot your computer. Write that down if you're not clear on the concept, on a piece of paper, not a Dashboard sticky, because you won't be able to read it once you've installed this. Because Apple didn't actually give you a way to relaunch Dashboard without a reboot, though I suppose you could just kill the process. Certainly there is no user documentation for that.
Full information (and the download) are available from the following address, however - not that it should need saying - Don't visit in Safari :D

http://64.70.134.217/widgets/zaptastic/
 

muzikool

Act your wage.
Political User
#2
Yeah, I read about that earlier today myself. I definitely won't be visiting that site! :eek:

There's discussion now about Dashboard's security in general. Some think that Apple designed it so that it's impossible for widgets to affect the root of the OS, but there's no clear answer to that from what I've seen. What has been recommended is to turn off the option in Safari to automatically run "safe" applications... Dashboard widgets being of that type. Also, you're basically guaranteed security if you're only downloading widgets from Apple's site. Will be interesting to see if this is addressed in some way in 10.4.1.
 
#3
Since Mac OS X is Unix, unless the process is launched with root privileges it can't do much if any damage to the OS - just files owned by the process user. However if it runs as root... go shoot apple :D
 

SPeedY_B

I may actually be insane.
#4
muzikool, I have that option off anyway, annoys me more than being helpful :D

Widgets run as the current user, and are only 'active' when you actually bring the dashboard into focus, however can automatically launch things as soon as focus is created, which can be extremely annoying. A simple delete of ~/Library/Widgets/widgetname.wdgt and your problem is solved.

Will be keeping an eye on this one though, see if anything malicious develops :D
 

X-Istence

*
Political User
#5
LordOfLA said:
Since Mac OS X is Unix, unless the process is launched with root privileges it can't do much if any damage to the OS - just files owned by the process user. However if it runs as root... go shoot apple :D

Apple did a good job on this one actually. It does not run as root as far as I know.
 

SPeedY_B

I may actually be insane.
#6
DK:~ davidkerry$ ps ux | grep DashboardClient
davidker 358 0.0 0.9 135880 7468 ?? S Wed12AM 2:11.86 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/Dashb
davidker 359 0.0 0.9 111336 7132 ?? S Wed12AM 0:03.22 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/Dashb
davidker 360 0.0 2.5 118680 19532 ?? S Wed12AM 0:15.03 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/Dashb
davidker 5729 0.0 0.1 27356 432 p2 S+ 10:20PM 0:00.01 grep DashboardClient
:)
 

Xie

- geek -
#7
Yeah widgets run in a "sandbox" from what I understand so no harm to your system really ... yet. I've also read that you will be warned if a widget you're installing (or is being installed without your knowledge) is going to use Cocoa/be executable. Also you can restart dashboard by killing the dock and restarting it, as dashboard is just a dock extension really. ;)
 

Nick

OSNN Lurker
#9
There is a proof of concept out there that will install a widget that has system calls in it. This means they could use it to wipe out your home directory or to run an exploit to escalate local privileges, should one become known (if there isn't one already ;)).

This is widely being seen as a bug, rather than an undocumented feature. This is due to code in place that filters out cocoa calls, so if a widget contains any cocoa calls it prompts you, however it misses system calls which are equally as dangerous. I think there's an option to turn off automatic widget installs, which I would recommend to people until Apple have commented on it and, hopefully, produced a patch that checks for system calls as well.

There is an opportunity to create ad/spyware for Macs as well, as a 1x1 transparent widget could get up to all sorts of mischief.
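
A way to check what the widgets already sitting in ~/Library/Widgets declare about themselves, as an added example that is not part of any post in this thread. The Info.plist key names it looks for (AllowSystem, AllowFullAccess, Plugin) are Dashboard widget manifest keys that the thread itself does not name.

```python
import plistlib
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError

# Dashboard Info.plist keys that widen what a widget may do.
# These key names are not taken from the thread.
RISKY_KEYS = {
    "AllowSystem": "may run command-line tools through widget.system()",
    "AllowFullAccess": "requests file, network and command-line access",
    "Plugin": "loads a native plug-in bundle",
}


def audit_widget(bundle):
    """Return a list of findings for one .wdgt bundle directory."""
    try:
        with open(Path(bundle) / "Info.plist", "rb") as fh:
            info = plistlib.load(fh)
    except (OSError, ValueError, ExpatError) as exc:
        # A widget whose manifest cannot be parsed deserves a manual look.
        return [f"Info.plist unreadable: {type(exc).__name__}"]
    if not isinstance(info, dict):
        return ["Info.plist is not a dictionary"]
    return [f"{key}: {why}" for key, why in RISKY_KEYS.items() if info.get(key)]


def audit_widgets(widgets_dir=None):
    """Map each widget bundle name under widgets_dir to its findings."""
    root = Path(widgets_dir) if widgets_dir else Path.home() / "Library" / "Widgets"
    return {b.name: audit_widget(b) for b in sorted(root.glob("*.wdgt")) if b.is_dir()}


if __name__ == "__main__":
    report = audit_widgets(sys.argv[1] if len(sys.argv) > 1 else None)
    for name, findings in report.items():
        print(f"{name}: {'; '.join(findings) if findings else 'no elevated access declared'}")
```

Run with no argument it reads the current user's ~/Library/Widgets; an empty finding list only means the manifest asks for nothing extra, not that the widget is harmless.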
 
#10
Yeah this is going to be interesting to see what Apple does about all this. I hope they don't go the MS route and claim it as a "feature". I'm just glad I don't run Safari. :)
 

X-Istence

*
Political User
#12
Nick said:
There is a proof of concept out there that will install a widget that has system calls in it. This means they could use it to wipe out your home directory or to run an exploit to escalate local privileges, should one become known (if there isn't one already ;)).

This is widely being seen as a bug, rather than an undocumented feature. This is due to code in place that filters out cocoa calls, so if a widget contains any cocoa calls it prompts you, however it misses system calls which are equally as dangerous. I think there's an option to turn off automatic widget installs, which I would recommend to people until Apple have commented on it and, hopefully, produced a patch that checks for system calls as well.

There is an opportunity to create ad/spyware for Macs as well, as a 1x1 transparent widget could get up to all sorts of mischief.

The answer to Mac's autoinstall from download:

muzikool said:
Safari won't do anything you don't ask it to if you turn off that open safe files feature.
Also, even then Nick, the last line you got from the web page that has the zaptastic. What they fail to mention however is that you have to do several things to get it to install in the first place:

Download it (Automatic, unless the above feature is turned off)
Hit yes to install it (According to people on other forums)
Then enable it in dashboard.

So in theory a user has to do quite a bit to get it started in the first place.

System calls however are important, I hope it gets fixed in 10.4.1 so I can get that one when I buy my copy of Tiger.
 

SPeedY_B

I may actually be insane.
#13
Thought I'd mention, this will be patched in 10.4.1, even though there's really no harm in it, Apple would rather be safe :)

10.4.1's at Build 8B15, and it's expected possibly some time next week.
 
