Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability
From: Jonathan Zdziarski <jonathan () nuclearelephant com>
Date: Thu, 19 May 2005 08:49:29 -0400

Except, it won't truly auto-install without user confirmation first.

How many newbie users are going to know what that warning means? It doesn't warn that someone could run malicious software by downloading and installing this...and the wording even fooled me. I thought I was clicking the 'Download' button, but really I was clicking a 'Download, then Auto-Install' button. Big difference. The confirmation is misleading at best. But alas, this is a different bug which I still feel is unaddressed.

The real issue is the dialog in that sheet should be more along the lines of warning that it'll be "opened" as well... it's not enough of a warning, but it does block against the non-user- intervention issue.


However, you CAN download it without wanting to auto-install it. Even with the "open safe files" preference checked, a user can option+click the widget download link and it will ONLY download it and not attempt to open it. At which point, you can double click on the ZIP archive to expand it, and then safely analyze the widget package. (And, as already established, if "open safe files" isn't checked, then it won't install itself either.)

I don't understand why Safari has to open it at all. It's none of Safari's business to execute applications after you download them. There's a big difference between unzipping it for you (which I'm cool with) and executing it. Although I am an avid Windows-hater, the one thing I like about XP SP2 is that it prompts you to download OR open the file.

The sudo issue is a different issue entirely, is a well known issue, and goes beyond widgets. From a technical standpoint, widgets are no more dangerous than any other application that a user may download.

I have to disagree with you there. The Dashboard has a specific interface for allowing javascript applications to execute system commands. This opens up a big can of worms. Dashboard widgets also run in the background (invisible to the user), unless they are viewing their dashboard, and people on average run several. This suggests that:

1. Any kid could code up a malicious widget and stick it on a website. It takes a lot more to code an application someone would want to download and insert malware into it (I realize both are fairly trivial, but now you can do it with javascript). 2. People are likely to download and run several widgets without checking them out or evaluating their credibility (when was the last time you grep'd for sudo in a widget?) 3. People are likely to let a malicious widget run on their system 24x7 in the background without even knowing it

It's not like an application where, you boot it up and you notice there's some "funny" behavior, so you get rid of it. A widget could be sitting there, lost in obscurity, not even visible to a user and sending all your keychain passwords and other information somewhere.

I think the bigger issue here is that widgets shouldn't have the ability to gain administrative control. Javascript is supposed to be considered "safe". What concerns me more is that this is integrated with Safari, and since you can run widgets in a browser, I am starting to wonder if you could execute system commands remotely by visiting a website - e.g. instead of injecting the widget, whether you could run one or take advantage of the widget interfaces remotely.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]