That does sound bad. It relies on people downloading and installing widgets
from an unknown source, which would probably be the biggest area this would
be exploited; which is much easier than installing a programs since it does
not even ask for a password to install widgets.
Now if someone could take over a widget after it has been installed, that
would be another issue, i.e. the any of the 'default' widgets. That would
greatly increase the seriousness of this threat.
All roads lead back to operating your Mac with an non-administrator account.
If the attack was via hijacking an already installed widget and you were
running under a non-privileged account that should 'protect' the system
somewhat. However if it was through a bad widget that is going to be
installed only your fingers can truly stop that.
Hopefully I am not too far off base on this.
--
Don
On 12/4/07 1:21 PM, "Todd Woodward" <todd_woodward (at) symantec (dot) com [email concealed]> wrote:
> Over on bugtraq, there's an interesting new thread regarding vulnerabilities
> in Mac OSX widgets.
>
> http://www.securityfocus.com/archive/1/484542/30/0/threaded
> http://www.securityfocus.com/archive/1/484567/30/0/threaded
>
> Essentially, widgets can "relax the Dashboard's JavaScript sandbox to enable
> the widget.system() call, which indeed amounts to the equivalent of system(3);
> i.e., if an attacker can take over the widget, the attacker can take over the
> user's account
> (and, quite often, the system)."
>
>
> Security Response Researcher
> Focus-Apple Moderator
>
> ________________________________________
> Todd D. Woodward
> Technical Support Engineer
> NetBackup Support
> Symantec Corporation
> www.symantec.com
> Springfield, Oregon
> ________________________________________
> Office: 541-335-7441
> ________________________________________
>
>
from an unknown source, which would probably be the biggest area this would
be exploited; which is much easier than installing a programs since it does
not even ask for a password to install widgets.
Now if someone could take over a widget after it has been installed, that
would be another issue, i.e. the any of the 'default' widgets. That would
greatly increase the seriousness of this threat.
All roads lead back to operating your Mac with an non-administrator account.
If the attack was via hijacking an already installed widget and you were
running under a non-privileged account that should 'protect' the system
somewhat. However if it was through a bad widget that is going to be
installed only your fingers can truly stop that.
Hopefully I am not too far off base on this.
--
Don
On 12/4/07 1:21 PM, "Todd Woodward" <todd_woodward (at) symantec (dot) com [email concealed]> wrote:
> Over on bugtraq, there's an interesting new thread regarding vulnerabilities
> in Mac OSX widgets.
>
> http://www.securityfocus.com/archive/1/484542/30/0/threaded
> http://www.securityfocus.com/archive/1/484567/30/0/threaded
>
> Essentially, widgets can "relax the Dashboard's JavaScript sandbox to enable
> the widget.system() call, which indeed amounts to the equivalent of system(3);
> i.e., if an attacker can take over the widget, the attacker can take over the
> user's account
> (and, quite often, the system)."
>
>
> Security Response Researcher
> Focus-Apple Moderator
>
> ________________________________________
> Todd D. Woodward
> Technical Support Engineer
> NetBackup Support
> Symantec Corporation
> www.symantec.com
> Springfield, Oregon
> ________________________________________
> Office: 541-335-7441
> ________________________________________
>
>
[ reply ]