Dashboard: Widget (In)Security

A new Web page documents an issue with Mac OS X v10.4 Tiger’s new Dashboard feature that, left unchecked, could potentially be exploited by malware developers, according to the page’s author. The exploit is described and demonstrated on a page called Zaptastic: Blueprint for a widget of mass destruction. Going by the nom de plume of Stephan.com, the author has described how Safari 2.0’s default preference settings could lead users to unwittingly download and install a Dashboard widget.

There’s a common misconception that auto-install of widgets means that they’re automatically running, and that’s not the case. Just because a widget has downloaded and installed itself into your Widget Bar (aka Dashboard Bar) doesn’t mean that the widget is running. A widget that isn’t launched can’t do anything.

If you don’t want widgets to even auto-install into the Widget Bar, simply uncheck the open safe files after downloading preference in Safari. After that, downloads will stay in whatever downloads folder you’ve set in that same preference.

Dashboard is worse than you imagined

Your initial thought upon hearing about this situation may have been, “It’s just JavaScript. How much damage can it do?” The answer is, a lot – widgets aren’t just JavaScript, and for those parts that are, Apple has taught JavaScript a few new tricks that Web browsers never dreamt of.

Widgets are owned by the user, and can do anything that a user can do. For instance, they can remove files from your home directory without asking permission. They can run anything from the command line that a user can. They can call any AppleScript that a user can. If you’re now starting to get a little nervous, you’ve got the right idea.

What can you do to be careful?

• Set Safari not to open safe files, as mentioned above. Or, if you’re not running Safari, you’re fine. Not auto-installing widgets eliminates many of the problems.

• Be aware of where your widgets are located. Apple says that widgets are located in one of two areas: /Library/Widgets and ~/Library/Widgets – but that’s not always the case. If you download a widget onto your desktop and double-click it, you’ll launch that widget directly from your desktop, and while you’ll see it in the Dashboard, it will never show up in the Widget Bar.

• Know what a widget is supposed to do when you download it. A widget that should just show a countdown to a particular date has no reason to contain anything besides HTML, CSS, and JavaScript – so when you’re downloading a widget, if you see an alert that says that it contains an application, think twice before accepting it.

Getting Geeky

If you’re willing to spend a little time in a text editor (I recommend TextWrangler from Bare Bones), take a look inside your widgets before you launch them. Go to ~/Library/Widgets and pick a widget to inspect. Control-click on the widget, and from the contextual menu, choose Show Package Contents.

You’ll see that a widget is, basically, just a folder with a particular suffix. At a minimum, it will contain an HTML file, an Info.plist file, and a Default.png file. Widgets will almost always contain .js (JavaScript) and .css (Cascading Style Sheets) files, also.

• The Info.plist file contains information about the widget itself. You can view it in a text editor. Look for lines like

<key>AllowNetworkAccess</key> <true/>

That means that the widget is allowed access to your network. If you don’t think that the widget should be able to do that, something funny might be going on. Other keys to look for are AllowInternetPlugins, AllowJava, and AllowSystem. The first means that the widget is allowed to access WebKit and browser plug-ins such as QuickTime and Flash. The second means that the widget is allowed to access Java applets, and the last says that the widget can run command-line utilities. The one key that should really raise a red flag is AllowFullAccess; it says that the widget is allowed to do all of the above.

• Open any .js files and look for lines that include widget.openApplication, widget.system, or widget.openURL. None of these is a red flag by itself, depending on what the widget is supposed to do. But if your widget is only supposed to put a pretty picture on your Dashboard, it shouldn’t be launching applications, accessing your system or the Internet.

Apple knows about these issues, and is likely to make some changes in the near future to deal with them. In the meantime, be aware, and be careful out there.

[ Dori Smith is author of the upcoming Dashboard Widgets for Mac OS X Tiger: Visual QuickStart Guide (Peachpit Press, 2005). ]

This story, "Dashboard: Widget (In)Security" was originally published by PCWorld.

Shop Tech Products at Amazon