Forums » Tech and Talk » OS and Software » All Things Macintosh » Widget Security
bobrk
You kids get offa my lawn
Premium
join:2000-02-02
San Jose, CA
SONIC.NET

reply to shavano
Re: Widget Security

said by shavano:

I was hoping they might only be able to execute informational commands, not execute any arbitrary command like "rm -Rf".
Can an administrator do an rm -Rf anywhere? Seems to me I have to use sudo just to edit the /etc/hosts file.
--
bobrk


rjackson
Premium, Mod
join:2002-04-02
Ringgold, GA
The most a widget could do without an admin password for sudo is wipe out your home directory, since it runs under your UID.


bobrk
You kids get offa my lawn
Premium
join:2000-02-02
San Jose, CA
That's what I was thinking.


shavano
Even in America -- I long for America

join:2003-06-08
Dallas, TX

reply to rjackson
said by rjackson:

The most a widget could do without an admin password for sudo is wipe out your home directory, since it runs under your UID.
The most? Like that's not enough?

Even with daily backups, you probably would lose something. Like that priceless photo you just uploaded and deleted from the camera. This is making me rethink Dashboard AND backup strategy. (As in, "I need a backup strategy!")

Hmmmm....maybe an Automator action that does an incremental backup to a separate disk, changing ownership before and after. Or is that just a folder action......sheesh, more stuff to go learn....;)
--
Seek truth, not validation of existing beliefs.

bobbyzee

join:2001-02-15
Australia

reply to rjackson
said by rjackson:

The most a widget could do without an admin password for sudo is wipe out your home directory, since it runs under your UID.
It's not that simple. Let's take the exploit with iSync. Although fixed in Tiger, Dashboard could allow you to exploit this in a very user-friendly way. Someone could author a widget that, for argument's sake, is some cool-looking clock. You put some time delay feature in there so when it's, for example, August 31st at 11am it activates code which gains root through the iSync exploit and from there, well, it's up to the hacker's imagination.


jtanner
To Add Speed, Add Lightness
Premium
join:2003-01-14
Cumming, GA

reply to rjackson
said by rjackson:

The most a widget could do without an admin password for sudo is wipe out your home directory, since it runs under your UID.
Better check again: the contents of /Applications, /Library, and /Users can be altered or wiped out without any user prompting, at the very least.

This is absolutely as big a disaster as ActiveX, especially since a website can cause Safari to install a widget. If Apple doesn't fix both of these issues, it spells the end of the legendary Mac "invincibility", and we'll all have to begin the monthly tithe to Symantec...

Jim


jDyno
Premium
join:2001-02-20
Washington, DC

Yep, and just think how annoying all the "na-na-na-na-nas" from Windows users will be.

C'mon, Apple! Hook us (and your reputation!) up with an update that at least applies a bit of a salve for this!
--
Smart Marketing


VL-Tone

@mc.videotr

For a widget to use any possibly harmful commands (system or local file access), it has to include some special -keys- in its Info.plist. So in theory, Safari would first warn you, then Dashboard would warn you when you try to run it the first time; that makes two warnings, which I think is enough. This is... in theory...

But...

Here is the problem, according to Apple's own documentation at:

»developer.apple.com/documentatio···n_1.html

"If any of these -keys- are present in your information property list file and it’s located outside of /Library/Widgets/, a dialog is presented to users upon your widget’s first load."

So in other words the warnings only appear if you run a Widget from outside the Library/Widget(s) folder.

Please note that widgets do not run automatically in any case, a newly installed widget must be dragged out of the widget bar first.

Actually the supposed "exploit" didn't even work for me as advertised; the "evil" widgets didn't appear in my widget bar, I had to manually double-click them in the Finder. Also note that Apple's standard widgets are installed in the root /Library/Widgets folder while Safari installs them in the user ~/Library/Widgets folder.

I hope Apple will "fix" this, but in the mean time: Don't Panic
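The two points made in this thread, that a widget's danger is declared by access keys in its Info.plist and that the first-load warning only fires for widgets outside /Library/Widgets/, can be turned into a quick audit of what is actually installed. The script below is an added example, not code from the thread, from dslreports or from Apple. The key names it looks for (AllowSystem, AllowFileAccessOutsideOfWidget, AllowFullAccess, AllowNetworkAccess, AllowInternetPlugins, Plugin) are Apple's documented Dashboard access keys, which the thread refers to only as "special keys"; the two sample widget bundles it builds in a temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple): audit Dashboard widget
# bundles for the Info.plist access keys and apply the location rule quoted
# from Apple's documentation (dialog only when the bundle is outside
# /Library/Widgets/). Key names are assumed from Apple's Dashboard reference.

RISKY_KEYS="AllowSystem AllowFileAccessOutsideOfWidget AllowFullAccess AllowNetworkAccess AllowInternetPlugins Plugin"

# widget_risky_keys BUNDLE_DIR
#   Prints the risky keys whose value is <true/> in BUNDLE_DIR/Info.plist.
#   Exit status 0 if at least one was found, 1 otherwise.
widget_risky_keys() {
    plist="$1/Info.plist"
    [ -f "$plist" ] || return 1
    found=""
    for k in $RISKY_KEYS; do
        # Join all lines first so "<key>K</key>" and "<true/>" match whether
        # plutil put them on one line or on two.
        if tr -d '\n' < "$plist" | grep -q "<key>$k</key>[[:space:]]*<true/>"; then
            found="${found:+$found }$k"
        fi
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# warning_suppressed_by_location BUNDLE_DIR
#   Exit status 0 when the bundle lives under /Library/Widgets/, where the
#   quoted documentation says the first-load dialog is NOT shown.
warning_suppressed_by_location() {
    case "$1" in
        /Library/Widgets/*) return 0 ;;
        *) return 1 ;;
    esac
}

# widget_first_load_warns BUNDLE_DIR
#   Exit status 0 when Dashboard would warn on first load: risky keys are
#   present AND the bundle is outside /Library/Widgets/.
widget_first_load_warns() {
    widget_risky_keys "$1" >/dev/null || return 1
    warning_suppressed_by_location "$1" && return 1
    return 0
}

# audit_widgets PARENT_DIR -> one report line per *.wdgt bundle found there
audit_widgets() {
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        if keys=$(widget_risky_keys "$w"); then
            if widget_first_load_warns "$w"; then
                verdict="warns on first load"
            else
                verdict="NO WARNING (system-wide install)"
            fi
            printf '%s: %s [%s]\n' "$(basename "$w")" "$keys" "$verdict"
        else
            printf '%s: no access keys\n' "$(basename "$w")"
        fi
    done
}

# --- constructed demo data: two fake widget bundles in a temp directory ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/HarmlessClock.wdgt" "$DEMO/EvilClock.wdgt"
cat > "$DEMO/HarmlessClock.wdgt/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>example.harmlessclock</string>
</dict></plist>
EOF
cat > "$DEMO/EvilClock.wdgt/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>example.evilclock</string>
  <key>AllowSystem</key>
  <true/>
  <key>AllowFileAccessOutsideOfWidget</key><true/>
  <key>AllowNetworkAccess</key><false/>
</dict></plist>
EOF

audit_widgets "$DEMO"
# On a real Tiger box you would run, e.g.:
#   audit_widgets /Library/Widgets; audit_widgets "$HOME/Library/Widgets"
```

Anything that shows up with AllowSystem or AllowFileAccessOutsideOfWidget in the system-wide /Library/Widgets folder deserves a look, because that is exactly the combination for which the quoted documentation says no dialog is presented; widgets Safari dropped into ~/Library/Widgets at least get the first-load prompt.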