A new Web page documents an issue with Mac OS X v10.4 “Tiger’s” new Dashboard feature that, left unchecked, could potentially be exploited by malware developers, according to the page’s author. The exploit is described and demonstrated on a page called Zaptastic: Blueprint for a widget of mass destruction . Going by the nom de plume of Stephan.com, the author has described how Safari 2.0’s default preference settings could lead users to unwittingly download and install a Dashboard widget.
Safari 2.0 includes a default preference called “Open safe files after downloading.” With that preference active and a meta tag on a Web page linked to a downloadable file, Stephan.com demonstrates that widgets can automatically be installed by Dashboard simply by visiting a Web page.
The page itself demonstrates the technique by downloading a ZIP file containing a simple widget called “Zaptastic.” And while Zaptastic doesn’t do much — it pushes users to a Web site for a PayPal competitor called GreenZap — Stephan.com explained that it could potentially be exploited by forcing you to visit a specific Web page every time you open Dashboard, or worse.
Apple hasn’t made it easy for Dashboard users to de-install widgets, either — there’s no built-in control panel or application for turning them on and off. Users must manually de-install widgets by removing them from the ~/Library/Widgets directory.
Users have noted several other workarounds, as well. Unchecking the “Open safe files after downloading” Safari preference is one; making the ~/Library/Widgets directory read-only is another, and killing the offending Widget process using a Terminal application is a third option.
MacCentral hasn’t linked to the Zaptastic Web page, but you can get there by visiting the Stephan.com Web site.