Zaptastic

SPeedY_B

Looks like someone has decided to abuse Apple's auto install feature in Dashboard. There's no real harm that can be done (I don't think widgets have the privileges to do damage... yet anyway :p) but it can be very annoying and effectively break dashboard:
You cannot get rid of zaptastic_evil without deleting it from ~/Library/Widgets/ and rebooting your computer. You cannot use your Dashboard until you delete it from ~/Library/Widgets/ and reboot your computer. Write that down if you're not clear on the concept, on a piece of paper, not a Dashboard sticky, because you won't be able to read it once you've installed this. Because Apple didn't actually give you a way to relaunch Dashboard without a reboot, though I suppose you could just kill the process. Certainly there is no user documentation for that.
Full information (and the download) are available from the following address, however - not that it should need saying - Don't visit in Safari :D

http://64.70.134.217/widgets/zaptastic/
 
Yeah, I read about that earlier today myself. I definitely won't be visiting that site! :eek:

There's discussion now about Dashboard's security in general. Some think that Apple designed it so that it's impossible for widgets to affect the root of the OS, but there's no clear answer to that from what I've seen. What has been recommended is to turn off the option in Safari to automatically run "safe" applications... Dashboard widgets being of that type. Also, you're basically guaranteed security if you're only downloading widgets from Apple's site. Will be interesting to see if this is addressed in some way in 10.4.1.
 
Since Mac OS X is Unix, unless the process is launched with root privileges it can't do much if any damage to the OS - just files owned by the process user. However if it runs as root... go shoot apple :D
 
muzikool, I have that option off anyway, annoys me more than being helpful :D

Widgets run as the current user, and are only 'active' when you actually bring the dashboard into focus, however can automatically launch things as soon as focus is created, which can be extremely annoying. A simple delete of ~/Library/Widgets/widgetname.wdgt and your problem is solved.

Will be keeping an eye on this one though, see if anything malicious develops :D
 
LordOfLA said:
Since Mac OS X is Unix, unless the process is launched with root privileges it can't do much if any damage to the OS - just files owned by the process user. However if it runs as root... go shoot apple :D


Apple did a good job on this one actually. It does not run as root as far as I know.
 
DK:~ davidkerry$ ps ux | grep DashboardClient
davidker 358 0.0 0.9 135880 7468 ?? S Wed12AM 2:11.86 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/Dashb
davidker 359 0.0 0.9 111336 7132 ?? S Wed12AM 0:03.22 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/Dashb
davidker 360 0.0 2.5 118680 19532 ?? S Wed12AM 0:15.03 /System/Library/CoreServices/Dock.app/Contents/Resources/DashboardClient.app/Contents/MacOS/Dashb
davidker 5729 0.0 0.1 27356 432 p2 S+ 10:20PM 0:00.01 grep DashboardClient
:)
 
Yeah widgets run in a "sandbox" from what I understand so no harm to your system really ... yet. I've also read that you will be warned if a widget you're installing (or is being installed without your knowledge) is going to use Cocoa/be executable. Also you can restart dashboard by killing the dock and restart it as dashboard is just a dock extension really. ;)
 
On a related note, here is a preference pane that provides a nice administrative feature for Dashboard.

WidgetManager
 
There is a proof of concept out there that will install a widget that has system calls in it. This means they could use it to wipe out your home directory or to run an exploit to escalate local privileges, should one become known (if there isn't one already ;)).

This is widely being seen as a bug, rather than an undocumented feature. This is due to code in place that filters out cocoa calls, so if a widget contains any cocoa calls it prompts you, however it misses system calls which are equally as dangerous. I think there's an option to turn off automatic widget installs, which I would recommend to people until Apple have commented on it and, hopefully, produced a patch that checks for system calls as well.

There is an opportunity to create ad/spyware for MAC's as well, as a 1x1 transparent widget could get up to all sorts of mischief.
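
An added example, not part of any post in this thread and not Apple's code: a Python audit of a widgets folder that lists, for each .wdgt bundle, the access-related Info.plist keys it sets, any native Plugin it names, and any script that mentions widget.system(). The two sample widgets and their file names are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Info.plist keys through which a Dashboard widget asks for access beyond its own bundle.
ACCESS_KEYS = ("AllowSystem", "AllowFullAccess", "AllowNetworkAccess",
               "AllowInternetPlugins", "AllowJava", "AllowFileAccessOutsideOfWidget")

def audit_widget(bundle):
    """Report what one .wdgt bundle declares and what its scripts call."""
    info, readable = {}, False
    try:
        loaded = plistlib.loads((bundle / "Info.plist").read_bytes())
        if isinstance(loaded, dict):
            info, readable = loaded, True
    except Exception:  # missing or unparsable plist: flagged for review below
        pass
    declared = [k for k in ACCESS_KEYS if info.get(k) is True]
    plugin = info.get("Plugin")  # a named plugin means native (Cocoa) code is loaded
    # Find scripts that use the widget.system() command-line bridge.
    scripts = [p for p in bundle.rglob("*") if p.suffix.lower() in (".js", ".html", ".htm")]
    system_files = sorted(str(p.relative_to(bundle)) for p in scripts
                          if p.is_file() and "widget.system" in p.read_text(errors="replace"))
    review = bool(not readable or plugin or system_files
                  or "AllowSystem" in declared or "AllowFullAccess" in declared)
    return {"name": bundle.name, "declared": declared, "plugin": plugin,
            "system_files": system_files, "review": review}

def audit_directory(widgets_dir):
    """Audit every *.wdgt bundle directly under widgets_dir, sorted by name."""
    return [audit_widget(b) for b in sorted(Path(widgets_dir).glob("*.wdgt")) if b.is_dir()]

def build_sample(root):
    """Constructed sample data: two made-up widgets, one asking for command-line access."""
    samples = {
        "Clock.wdgt": ({"MainHTML": "clock.html"}, "function tick() {}"),
        "Freebie.wdgt": ({"MainHTML": "main.html", "AllowSystem": True,
                          "AllowNetworkAccess": True}, 'widget.system("/bin/date", null);'),
    }
    for name, (plist, script) in samples.items():
        bundle = Path(root) / name
        bundle.mkdir(parents=True)
        (bundle / "Info.plist").write_bytes(plistlib.dumps(plist))
        (bundle / "main.js").write_text(script)
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_directory(build_sample(tmp)), sep="\n")
```

To check a real account, pass the ~/Library/Widgets folder mentioned earlier in the thread to audit_directory() instead of the sample directory.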
 
Yeah this is going to be interesting to see what Apple does about all this. I hope they don't go the MS route and claim it as a "feature". I'm just glad I don't run Safari. :)
 
Safari won't do anything you don't ask it to if you turn off that open safe files feature.
 
Nick said:
There is a proof of concept out there that will install a widget that has system calls in it. This means they could use it to wipe out your home directory or to run an exploit to escalate local privileges, should one become known (if there isn't one already ;)).

This is widely being seen as a bug, rather than an undocumented feature. This is due to code in place that filters out cocoa calls, so if a widget contains any cocoa calls it prompts you, however it misses system calls which are equally as dangerous. I think there's an option to turn off automatic widget installs, which I would recommend to people until Apple have commented on it and, hopefully, produced a patch that checks for system calls as well.

There is an opportunity to create ad/spyware for MAC's as well, as a 1x1 transparent widget could get up to all sorts of mischief.

The answer to Mac's autoinstall from download:

muzikool said:
Safari won't do anything you don't ask it to if you turn off that open safe files feature.

Also, even then Nick, the last line you got from the web page that has the zaptastic. What they fail to mention however is that you have to do several things to get it to install in the first place:

Download it (Automatic, unless the above feature is turned off)
Hit yes to install it (According to people on other forums)
Then enable it in dashboard.

So in theory a user has to do quite a bit to get it started in the first place.

System calls however are important, I hope it gets fixed in 10.4.1 so I can get that one when I buy my copy of Tiger.
 
Thought I'd mention, this will be patched in 10.4.1, even though there's really no harm in it, Apple would rather be safe :)

10.4.1's at Build 8B15, and it's expected possibly some time next week.
 
