Dashboard and Security, part II

Posted by Jonathan

Somebody on Full-Disclosure posted that there is a new vulnerability with Dashboard. He describes a malicious Widget that waits until the user uses sudo and then uses sudo itself to get superuser rights.

This is not a “first-class” vulnerability like a buffer overflow or a format-string vulnerability. The same could happen with any other application on any other Unix. Just remember that Widgets are (or can be) full-featured applications. They run as the local user and therefore have only that user's rights. But like any other application they can use sudo and the password grace period configured in /etc/sudoers to obtain root privileges (see timestamp_timeout in the man page).

The only thing that Apple can be “accused” of is having enabled the password grace option. Disable it if you are paranoid. Do not download and install every Widget on the net, just as you do not download and run every application out there.
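A small audit helper, added here as an example and not part of the original post, that parses a sudoers file for the timestamp_timeout setting mentioned above and reports the effective password grace period for a given user. The 5-minute stock default, the sample sudoers contents and the user names are assumptions constructed for the example; line continuations and group-scoped Defaults are not handled.

```python
import re

# Assumption: stock sudo caches credentials for 5 minutes when no
# timestamp_timeout is configured. 0 means "ask every time",
# a negative value means "never expires" (see sudoers(5)).
DEFAULT_TIMEOUT_MIN = 5.0

# Matches "Defaults", "Defaults:user", "Defaults@host", "Defaults!cmd",
# "Defaults>runas" followed by a comma-separated option list.
_DEFAULTS_RE = re.compile(r"^\s*Defaults(?P<scope>[:@>!]\S+)?\s+(?P<opts>.+)$")


def effective_timestamp_timeout(sudoers_text, user="jonathan"):
    """Return the timestamp_timeout (minutes) that applies to `user`.

    Only global Defaults lines and Defaults:<user> lines for this user are
    considered; the last matching line wins, as in sudoers itself.
    """
    timeout = DEFAULT_TIMEOUT_MIN
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0]  # strip comments
        m = _DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group("scope")
        if scope and scope != ":" + user:
            continue  # host-, command-, runas- or other-user-scoped
        for opt in m.group("opts").split(","):
            opt = opt.strip()
            if opt.startswith("timestamp_timeout="):
                timeout = float(opt.split("=", 1)[1])
    return timeout


def grace_period_verdict(sudoers_text, user="jonathan"):
    """Human-readable summary of what a Widget running as `user` could reuse."""
    t = effective_timestamp_timeout(sudoers_text, user)
    if t == 0:
        return "password required for every sudo call"
    if t < 0:
        return "credentials cached forever"
    return f"credentials cached for {t:g} minutes"


# Constructed sample: stock-style sudoers with no timeout override.
STOCK_SUDOERS = """Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
"""

# Constructed sample: grace period disabled globally, re-enabled for one user.
HARDENED_SUDOERS = """Defaults env_reset, timestamp_timeout=0  # always prompt
Defaults:bob timestamp_timeout=15
%admin ALL=(ALL) ALL
"""
```

Running `grace_period_verdict` on the two samples shows the difference between the default the post complains about and the hardened setting it recommends.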

With 10.4.1 Apple repaired the auto-install feature of Widgets. Now malicious Widgets cannot get onto your computer without user interaction.

If the user behaves stupidly, it is not Apple’s fault. But they should remind the user of the possible evil in newly downloaded files, and with 10.4.1 they do.

Apple's Dashboard and Security

Posted by Jonathan

It was only a matter of time until somebody found out how to misuse Dashboard Widgets.

If you download a Widget with Safari, Safari will install it automatically for you unless you disable the “Open safe files after downloading” option. Safari installs it into ~/Library/Widgets.

Actually, Widgets can get really nasty as there is no way to uninstall them other than deleting the Widget in ~/Library/Widgets. There is no way to do this from within Dashboard. You can do some bad things with Widgets, and one guy made a proof-of-concept. Imagine porn Widgets that automatically load sites and log your password…

DO NOT CLICK ON THIS PAGE unless you have disabled the “Open safe files” feature or you do not use Safari. This page will auto-install a Widget that can only be removed by deleting it and rebooting.

Hopefully Apple will react and change the recent MS-like behaviour of “default-install-without-asking”.

Discussion and more on Slashdot