Software Engineering Institute

Dashboard

Dashboard is a new feature introduced in Apple Mac OS X Tiger 10.4. Dashboard is a collection of applications called "widgets." The system-installed widgets are located in /Library/Widgets and user-installed widgets are located in ~/Library/Widgets.

Widgets

A widget is an application that is created using a combination of HTML, CSS, and JavaScript. Although the content of a widget is similar to a web page, a widget that executes within the context of Dashboard has additional privileges that are not available within a web browser. For example, a Dashboard widget can make system calls via widget.system() or execute a plug-in that contains native OS X code.

Execution warning

The first time a user runs a widget that requests certain privileges, such as those required to make system calls, a warning dialog is displayed. Note that this dialog is displayed for all widgets except those in /Library/Widgets (system-installed widgets) and ~/Library/Widgets (user-installed widgets). For example, if a user attempts to run a widget called "Stickies" for the first time, and that widget requests certain privileges, the following dialog will be displayed:



The problem

Apple Safari automatically opens certain files by default, including widgets. When Safari opens a widget it actually performs an installation of the widget. The installation of a widget involves extracting the widget archive and copying the contents to ~/Library/Widgets. Because Safari installs the widget to the user's widget directory, the execution warning dialog is not presented when the user runs the widget for the first time.

An attacker may be able to install arbitrary code on a vulnerable system. Since OS X executes user-installed widgets over system-installed widgets with the same bundle identifier (VU#983429), a user may be more likely to unknowingly execute the code.

Upgrade or patch

With the Mac OS X 10.4.1 Update, Safari will prompt the user before installing a widget, thus preventing automatic widget installation. Please note that the dialog used in this prompt is somwhat misleading. The dialog asks "Are you sure you want to download the application '<widgetname>'?" For example:



By the time the dialog is displayed, Safari has already downloaded, extracted, and examined the contents of the widget archive. If the user clicks "Download," the widget is not "downloaded" in the expected sense. It is installed into the user's widget directory.

Disable "Open 'safe' files after downloading"

By default, Safari will open "safe" files after downloading them. This includes movies, pictures, sounds, documents, disk images, and widgets. By disabling this option, Safari will not automatically install widgets. This appears to be a more effective solution than upgrading to 10.4.1 by itself. By not automatically opening files, Safari will not automatically execute other software to handle downloaded files. Other software may contain vulnerabilities, and some "safe" files may contain code, place content in a known location, or otherwise contribute to an attack. To disable this option, select "Preferences" from the Safari menu and uncheck the option "Open 'safe' files after downloading," as specified in the Securing Your Web Browser document.