A new Web page documents an issue with Mac OS X v10.4 “Tiger’s” new Dashboard feature that, left unchecked, could potentially be exploited by malware developers, according to the page’s author. The exploit is described and demonstrated on a page called Zaptastic: Blueprint for a widget of mass destruction . Going by the nom de plume of Stephan.com, the author has described how Safari 2.0’s default preference settings could lead users to unwittingly download and install a Dashboard widget.
Safari 2.0 includes a default preference called “Open safe files after downloading.” With that preference active and a meta tag on a Web page linked to a downloadable file, Stephan.com demonstrates that widgets can automatically be installed by Dashboard simply by visiting a Web page.
The page itself demonstrates the technique by downloading a ZIP file containing a simple widget called “Zaptastic.” And while Zaptastic doesn’t do much — it pushes users to a Web site for a PayPal competitor called GreenZap — Stephan.com explained that it could potentially be exploited by forcing you to visit a specific Web page every time you open Dashboard, or worse.
Apple hasn’t made it easy for Dashboard users to de-install widgets, either — there’s no built-in control panel or application for turning them on and off. Users must manually de-install widgets by removing them from the ~/Library/Widgets directory.
Users have noted several other workarounds, as well. Unchecking the “Open safe files after downloading” Safari preference is one; making the ~/Library/Widgets directory read-only is another, and killing the offending Widget process using a Terminal application is a third option.
MacCentral hasn’t linked to the Zaptastic Web page, but you can get there by visiting the Stephan.com Web site.
This story, "'Zaptastic' widget demonstrates Dashboard exploit" was originally published by PCWorld.