May 11, 2005

Dashboard Leaves Macs Vulnerable

By Daniel Terdiman

02:00 AM May. 11, 2005 PT

A security hole in Dashboard could expose users of Apple Computer's new Tiger operating system to attack, and may put personal information like passwords and credit card data at risk.

A new feature of Mac OS X Tiger, Dashboard is a suite of simple programs called widgets that often access information on the internet. Tiger comes preloaded with 14 widgets, including a world clock, a dictionary and a weather station.

For the convenience of users, most widgets automatically install themselves. But experts fear any program that auto-installs is ripe for exploitation.

Dashboard allows any user with basic HTML or JavaScript skills to build their own widgets. Apple's own Dashboard widgets page, as well as third-party sites such as Dashboard Widgets, maintain constantly updated widget databases, but it is not clear whether those sites vet their offerings.

Further, there is no immediate way to delete a widget that has been installed. According to Tiger's own Help file, "You cannot remove widgets from the Widget Bar or change their order."

A growing number of Mac experts are sounding the alarm over the dangers of widgets, which can carry Unix commands that run invisibly from within the widget.

"It's really just wrong and stupid of (Apple) to not give a regular user a way to take widgets out of Dashboard," said Stephan Meyers, an unemployed artist and developer who was one of the first to publicize the hole. "It just flat-out says you cannot remove a widget from Dashboard. That's just dumb."

Meyers felt so strongly that Apple erred by not giving Tiger users a way to delete widgets directly from Dashboard that he created two of the downloadable tools designed to demonstrate the vulnerability.

His Zaptastic widget (warning: following the link in Safari automatically downloads Zaptastic.wdgt) is benign, but when run, it loads a Safari browser and takes the user to a web page promoting the forthcoming launch of a new online payment system.

But on his website, Meyers argues that widgets can carry a dangerous payload. His Zaptastic Evil is a widget that, when run, forces a user's computer to open a Safari browser pointing at the online payment site every time Dashboard is booted.

Still, Meyers said he's not too concerned about what havoc widgets could wreak, and he said the problem is nothing new for downloadable software.

"You can't ... prevent bad programs from running on a computer," Meyers said. "You have to strike this balance between usability and security, and that's always the case. It's like human immune systems: You'd never get sick if you didn't take in air and food."

Widgets can be removed manually by deleting them from a user's /Library/Widgets/ folder. But that's something many novice Tiger owners may not know how to do.
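Because the article notes both that widgets can carry Unix commands and that the only removal path is the Widgets folder on disk, a defender's first step is an inventory of what is installed and which bundles ask for shell access. The script below is an added example, not code from the article or from Apple: it walks a Widgets folder, reads each bundle's Info.plist and reports the permission keys it enables. The key names (AllowSystem, which is what lets a widget's JavaScript call widget.system() to run shell commands; AllowFileAccessOutsideOfWidget; AllowNetworkAccess; AllowFullAccess) are Apple's documented Dashboard Info.plist keys and are not mentioned on the page; the two sample widgets it creates in a temporary directory are constructed fixtures so the script runs offline on any system.

```shell
#!/bin/sh
# Added example: audit a Dashboard Widgets folder for bundles that request
# shell or broad file access. Not from the article; the sample widgets are
# constructed fixtures, and the Info.plist keys are assumed from Apple's
# Dashboard documentation rather than taken from the page.

# Return 0 if Info.plist $1 sets boolean key $2 to <true/>.
# Newlines and tabs are stripped first so the key and its value can be matched
# on one line regardless of how the plist was indented.
plist_key_true() {
    tr -d '\n\t' < "$1" | grep -q "<key>$2</key> *<true/>"
}

# Print one line per *.wdgt bundle in $1: "NAME: KEY KEY ..." for bundles that
# enable a risky key, or a note that nothing elevated was requested.
audit_widgets() {
    dir="$1"
    for bundle in "$dir"/*.wdgt; do
        [ -d "$bundle" ] || continue
        plist="$bundle/Info.plist"
        name=$(basename "$bundle" .wdgt)
        flags=""
        for key in AllowSystem AllowFileAccessOutsideOfWidget AllowNetworkAccess AllowFullAccess; do
            if [ -f "$plist" ] && plist_key_true "$plist" "$key"; then
                flags="$flags $key"
            fi
        done
        if [ -n "$flags" ]; then
            echo "$name:$flags"
        else
            echo "$name: (no elevated permissions requested)"
        fi
    done
}

# Count the bundles in $1 that can run shell commands (AllowSystem enabled).
count_shell_widgets() {
    audit_widgets "$1" | grep -c 'AllowSystem' || true
}

# Build a constructed Widgets folder with two fake bundles for demonstration.
# Neither corresponds to a real widget; the names and identifiers are made up.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/WorldClock.wdgt"
    cat > "$root/WorldClock.wdgt/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>example.constructed.worldclock</string>
    <key>AllowNetworkAccess</key>
    <true/>
</dict>
</plist>
EOF
    mkdir -p "$root/SampleShellWidget.wdgt"
    cat > "$root/SampleShellWidget.wdgt/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>example.constructed.shellwidget</string>
    <key>AllowSystem</key>
    <true/>
    <key>AllowFileAccessOutsideOfWidget</key>
    <true/>
    <key>AllowNetworkAccess</key>
    <false/>
</dict>
</plist>
EOF
    echo "$root"
}

# Demo run against the constructed fixture. On a real Tiger system you would
# pass "$HOME/Library/Widgets" and /Library/Widgets instead.
DEMO=$(make_fixture)
audit_widgets "$DEMO"
rm -rf "$DEMO"
```

A bundle that reports AllowSystem is one whose JavaScript can run arbitrary shell commands with the user's privileges, which is the capability the article's experts are worried about; that is the list to review before deciding what to delete from the Widgets folder.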

"It does pose a certain security risk, because (widgets) can do all sorts of things web pages can't because they're loaded into the system all the time," said Dan Pourhadi, an administrator at Dashboard Widgets. "It's possible, if the developer knows what they're doing, and a user downloads widgets from places that don't check them."

J. Nicholas Tolson, a Mac fan who is building his own widgets, said auto-installation is the most dangerous feature of the simple programs.

"(Apple needs) to disable the auto-install feature of widgets," he said. "There should be some user interaction when installing things, either via an actual installer or via drag-and-drop installers that are popular on Macs."

Mark Charbonneau, who runs Downtown Software House, which developed a free application called Widget Manager that automates the process of manipulating widgets, agreed.

"I ... think that's something that may not have been the best move on their part," said Charbonneau. "I wouldn't be surprised if that's something that (Apple changes) in the future."

Apple did not return several requests for comment.

"Even though widgets can't access system files," said Charbonneau, "they can access personal files and things like that.... It can access basically anything in the Documents folder or the user's home folder."

And some say that includes personal passwords or even credit card numbers, all of which could be affected without a user even knowing it.

Of course, some feel the situation is a strong case of buyer beware and that Apple shouldn't necessarily be taken to task for inattentive users.

"If the user doesn't take a stand to protect themselves," said Dashboard Widgets' Pourhadi, "he is vulnerable to this kind of stuff."

Still, Mac fans want Apple to recognize that widgets pose potential problems, and for more than just users' safety.

"I hope they see the danger, if only for their marketing," said Tolson. "All it will take is one seriously nasty widget to completely wreck (Apple's) image of 'no viruses' or 'Macs are inherently more secure' message. And you better believe that would become news."

Source