Focus on Apple
Mac OS X Dashboard Widget Vulnerabilities? Dec 04 2007 07:21PM
Todd Woodward (todd_woodward symantec com) (1 replies)
Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 05 2007 01:27PM
Don (drhodes mail colgate edu) (2 replies)
Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 05 2007 08:48PM
Derek Chesterfield (dez mac com) (1 replies)
Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 05 2007 11:27PM
Don (drhodes mail colgate edu) (1 replies)
As you and Mark stated, the possibility of grabbing control of a widget that
is already installed is far more likely to be used, and a good target would
be the default weather widget that is on by default.

It would be nice if Apple made it easy to turn off Dashboard, or even
require people to turn it on if they want to use it. This could be said for
a few other 'processes'/'features' that are on by default.

--
Don

On 12/5/07 2:48 PM, "Derek Chesterfield" <dez (at) mac (dot) com> wrote:

> Actually, it is worse than that. This is not just a problem because
> people download untrusted widgets.
>
> The real problem is that even a trusted widget can be compromised.
> Much like using 'trusted' software like Second Life, then getting
> hacked via Quicktime, you could use a 'trusted' widget that accesses
> web content. In the case of Twitter, or other Web 2.0 apps, the
> content being accessed by the widget could be anything an imaginative
> user can come up with. And that could compromise the widget much like
> the Quicktime bug compromises Second Life's client software.
>
> It should be possible to secure the widget by sanity-checking the web
> content it retrieves [which Second Life can't do in my not-completely-
> comparable comparison, because it is actually Quicktime getting
> hacked, not SL].
>
> On 5 Dec 2007, at 13:27, Don wrote:
>
>> That does sound bad. It relies on people downloading and installing
>> widgets from an unknown source, which would probably be the biggest area
>> this would be exploited; which is much easier than installing a program
>> since it does not even ask for a password to install widgets.
>>
>> Now if someone could take over a widget after it has been installed,
>> that would be another issue, i.e. any of the 'default' widgets. That
>> would greatly increase the seriousness of this threat.
>>
>> All roads lead back to operating your Mac with a non-administrator
>> account. If the attack was via hijacking an already installed widget and
>> you were running under a non-privileged account that should 'protect'
>> the system somewhat. However if it was through a bad widget that is
>> going to be installed only your fingers can truly stop that.
>>
>> Hopefully I am not too far off base on this.
>>
>> --
>> Don
>>
>>
>> On 12/4/07 1:21 PM, "Todd Woodward" <todd_woodward (at) symantec (dot) com>
>> wrote:
>>
>>> Over on bugtraq, there's an interesting new thread regarding
>>> vulnerabilities in Mac OS X widgets.
>>>
>>> http://www.securityfocus.com/archive/1/484542/30/0/threaded
>>> http://www.securityfocus.com/archive/1/484567/30/0/threaded
>>>
>>> Essentially, widgets can "relax the Dashboard's JavaScript sandbox
>>> to enable the widget.system() call, which indeed amounts to the
>>> equivalent of system(3); i.e., if an attacker can take over the widget,
>>> the attacker can take over the user's account (and, quite often, the
>>> system)."
>>>
>>>
>>> Security Response Researcher
>>> Focus-Apple Moderator
>>>
>>> ________________________________________
>>> Todd D. Woodward
>>> Technical Support Engineer
>>> NetBackup Support
>>> Symantec Corporation
>>> www.symantec.com
>>> Springfield, Oregon
>>> ________________________________________
>>> Office: 541-335-7441
>>> ________________________________________
>>>
>>>
>>
>>
>

Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 06 2007 09:21PM
Mark Senior (senatorfrog gmail com) (1 replies)
Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 09 2007 10:59PM
Tyrel McMahan (tyrel mcmahan gmail com)
Re: Mac OS X Dashboard Widget Vulnerabilities? Dec 05 2007 06:34PM
Mark Senior (senatorfrog gmail com)
Copyright 2010, SecurityFocus