Things start to go wrong if a user leaves Safari’s “Automatically open safe files” option checked.
If checked, it allows Safari to automatically download, unzip, and install a Dashboard widget on your computer.
But: widgets installed in this manner are put in your user widget directory, ~/Library/Widgets. The default widgets supplied by Apple are in the system widget directory, /Library/Widgets.
And: when Dashboard starts, it first loads up widgets in the system directory, then loads the ones in the user directory. There’s nothing to prevent one of the user widgets having the same bundle identifier as one of the default ones.
The upshot is that if someone were to ‘embed’ a malicious widget in a web page, it could be designed to call itself Stickies - over-riding the Apple-supplied Stickies widget with something else.
Simply by looking at the Dashboard widget bar, a user would have no way of telling the difference.
A series of screenshots on Aaron’s web page explains this very simply. It’s surprisingly easy for a potentially harmful widget to get into your computer, and for you to execute it regardless.
The Rixstep analysis goes one step further.
Imagine a mail message arrives from a friend, with an attached file. “I found this great Dashboard widget!” it says, “Try it out!”
User double-clicks. A widget is installed.
But: this widget has a plug-in. Which copies itself everywhere. Which delves into the Mail Delivery API and sends copies of itself to people in your Address Book.
Dashboard is supposed to ask the user if it’s OK to run a new widget for the first time. But that doesn’t always happen. Aaron puts it simply:
However — incredibly, amazingly, stupidly — Dashboard does not present a prompt before running a privileged widget that is one of the Library/Widgets folders, including our auto-installed widgets. So now your auto-installed replacement look-alike widget has complete access to your system, and could do nasty things like delete your home folder.
As I said a few days ago, I’ve been smugly telling every Windows user I know how much safer and secure my Mac is. Maybe I should just shut up.
Have Aaron and Rixstep found something we need to worry about? Or is this a storm in a teacup?