Re: [Full-disclosure] Mac OSX 10.4 Dashboard Authentication Hijacking Vulnerability

From: Brian K. (codesamurai_at_mac.com)
Date: 05/19/05

    To: full-disclosure@lists.grok.org.uk
    Date: Thu, 19 May 2005 10:34:41 -0400
    
    

    > I don't understand why Safari has to open it at all.

    It doesn't _have_ to, as there is a preference against it.

    > It's none of Safari's business to execute applications after you
    > download them.

    Well, Safari really doesn't execute the widgets. It'll allow for the
    install of the widget (which is just moving the file to ~/Library/
    Widgets/), but the widget itself won't be executed until a user drags
    it out.

    *However*, this does bring up a different issue, and that is that
    someone could write a fake widget (e.g. a fake Tile Game) that uses
    the same Bundle Identifier (e.g. com.apple.widget.tilegame), and
    although the real Tile Game widget will be used if already dragged
    out, if new Tile Game widgets are dragged out, they will be the fake
    ones, as the ~/Library/Widgets content will be preferred in that
    case. However, the widgets dragged out from the real Tile Game will
    still reference the real widget. (Note: Stickies would probably be a
    more likely target.)

    >> The sudo issue is a different issue entirely, is a well known
    >> issue, and goes beyond widgets. From a technical standpoint,
    >> widgets are no more dangerous than any other application that a
    >> user may download.
    >
    > Dashboard widgets also run in the background (invisible to the user),

    So can normal applications.

    > 1. Any kid could code up a malicious widget and stick it on a
    > website. It takes a lot more to code an application someone would
    > want to download and insert malware into it (I realize both are
    > fairly trivial, but now you can do it with javascript).

    Yes, I agree. On a social/practical-level, due to "availability" of
    an "easier" programming language to make applications there is
    increased statistical risk. At the technical-level, it's no more
    dangerous than any other application (which can be dangerous). The
    "cool" aspect of widgets only affects the likelihood that a bit of
    code will be run. The code is not any more or less dangerous than
    other application code. Moreover, you still have to take action to
    run a Widget; the Widget code is not executed without the user taking
    action to do so.

    > 2. People are likely to download and run several widgets without
    > checking them out or evaluating their credibility (when was the
    > last time you grep'd for sudo in a widget?)

    Again, risky user behaviors.

    > It's not like an application where, you boot it up and you notice
    > there's some "funny" behavior,

    It wouldn't need to seem "funny" in order to accomplish what it
    needs. The application could seem perfectly fine, just the same.

    > A widget could be sitting there, lost in obscurity, not even
    > visible to a user and sending all your keychain passwords and other
    > information somewhere.

    And so could any application a user has executed taking advantage of
    sudo.

    > I think the bigger issue here is that widgets shouldn't have the
    > ability to gain administrative control.

    The issue is *any* application shouldn't have the ability to gain
    administrative control (by waiting for sudo to be done).

    > Javascript is supposed to be considered "safe". What concerns me
    > more is that this is integrated with Safari, and since you can run
    > widgets in a browser, I am starting to wonder if you could execute
    > system commands remotely by visiting a website - e.g. instead of
    > injecting the widget, whether you could run one or take advantage
    > of the widget interfaces remotely.

    Safari won't execute that stuff, though. All that "application"-
    level access is not available to widgets while viewed in Safari.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
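
A defender-side check for the Bundle Identifier collision described in the message above, as an added example that is not part of the original post: it reports widgets in a user widget folder whose CFBundleIdentifier matches one in a system widget folder. Both directories are parameters; the `.wdgt` bundle layout with a top-level `Info.plist`, the helper names, and the sample bundles are assumptions constructed for the example.

```python
import plistlib
import tempfile
from pathlib import Path


def bundle_ids(widget_dir):
    """Map CFBundleIdentifier -> list of .wdgt bundle paths found in widget_dir."""
    ids = {}
    for bundle in sorted(Path(widget_dir).glob("*.wdgt")):
        try:
            with (bundle / "Info.plist").open("rb") as fh:
                ident = plistlib.load(fh).get("CFBundleIdentifier")
        except Exception:
            ident = None  # missing or unparsable Info.plist: no identifier
        ids.setdefault(ident, []).append(bundle)
    return ids


def find_shadowing(user_dir, system_dir):
    """Return (identifier, user_bundle, system_bundle) for each reused identifier."""
    system = bundle_ids(system_dir)
    hits = []
    for ident, bundles in bundle_ids(user_dir).items():
        if ident is not None and ident in system:
            hits += [(ident, b.name, system[ident][0].name) for b in bundles]
    return hits


def make_widget(root, name, ident):
    """Build a minimal constructed .wdgt bundle for the demo."""
    bundle = Path(root) / name
    bundle.mkdir(parents=True)
    with (bundle / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident, "MainHTML": "index.html"}, fh)


def demo():
    # Constructed sample: one colliding widget and one unrelated widget.
    with tempfile.TemporaryDirectory() as tmp:
        system, user = Path(tmp, "system"), Path(tmp, "user")
        make_widget(system, "Tile Game.wdgt", "com.apple.widget.tilegame")
        make_widget(user, "Tile Game.wdgt", "com.apple.widget.tilegame")
        make_widget(user, "Weather Thing.wdgt", "org.example.weatherthing")
        return find_shadowing(user, system)


if __name__ == "__main__":
    for ident, user_bundle, system_bundle in demo():
        print(f"{ident}: {user_bundle} shadows {system_bundle}")
```

To audit a real account, call `find_shadowing` with the user's `~/Library/Widgets` path and the directory holding the system-installed widgets.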

