
CERT Coordination Center

Apple Safari automatically installs Dashboard widgets

Vulnerability Note VU#775661

Original Release Date: 2005-06-08 | Last Revised: 2006-02-22

Overview

Apple Safari on Mac OS X Tiger automatically installs Dashboard widgets without user intervention or notice.

Description

Dashboard

Dashboard is a new feature introduced in Apple Mac OS X Tiger 10.4. Dashboard is a collection of applications called "widgets." The system-installed widgets are located in /Library/Widgets and user-installed widgets are located in ~/Library/Widgets.

Widgets

A widget is an application that is created using a combination of HTML, CSS, and JavaScript. Although the content of a widget is similar to a web page, a widget that executes within the context of Dashboard has additional privileges that are not available within a web browser. For example, a Dashboard widget can make system calls via widget.system() or execute a plug-in that contains native OS X code.

Execution warning

The first time a user runs a widget that requests certain privileges, such as those required to make system calls, a warning dialog is displayed. Note that this dialog is displayed for all widgets except those in /Library/Widgets (system-installed widgets) and ~/Library/Widgets (user-installed widgets). For example, if a user attempts to run a widget called "Stickies" for the first time, and that widget requests certain privileges, the following dialog will be displayed:



The problem

Apple Safari automatically opens certain files by default, including widgets. When Safari opens a widget it actually performs an installation of the widget. The installation of a widget involves extracting the widget archive and copying the contents to ~/Library/Widgets. Because Safari installs the widget to the user's widget directory, the execution warning dialog is not presented when the user runs the widget for the first time.

Impact

An attacker may be able to install arbitrary code on a vulnerable system. Since OS X executes user-installed widgets over system-installed widgets with the same bundle identifier (VU#983429), a user may be more likely to unknowingly execute the code.

Solution

Upgrade or patch

With the Mac OS X 10.4.1 Update, Safari will prompt the user before installing a widget, thus preventing automatic widget installation. Please note that the dialog used in this prompt is somewhat misleading. The dialog asks "Are you sure you want to download the application '<widgetname>'?" For example:



By the time the dialog is displayed, Safari has already downloaded, extracted, and examined the contents of the widget archive. If the user clicks "Download," the widget is not "downloaded" in the expected sense. It is installed into the user's widget directory.

Disable "Open 'safe' files after downloading"

By default, Safari will open "safe" files after downloading them. This includes movies, pictures, sounds, documents, disk images, and widgets. By disabling this option, Safari will not automatically install widgets. This appears to be a more effective solution than upgrading to 10.4.1 by itself. By not automatically opening files, Safari will not automatically execute other software to handle downloaded files. Other software may contain vulnerabilities, and some "safe" files may contain code, place content in a known location, or otherwise contribute to an attack. To disable this option, select "Preferences" from the Safari menu and uncheck the option "Open 'safe' files after downloading," as specified in the Securing Your Web Browser document.
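The following audit script is an added example, not part of the CERT note or any Apple tooling. It checks the two points raised above: whether Safari's "Open 'safe' files after downloading" option is still enabled (assumed to be stored under the Safari preference key AutoOpenSafeDownloads), and which widgets in ~/Library/Widgets carry the same bundle identifier as a widget in /Library/Widgets and would therefore be run in its place (the VU#983429 behaviour mentioned under Impact). It assumes each widget's Info.plist is an XML plist; run it with `sh audit.sh audit`.

```shell
#!/bin/sh
# Defensive audit for VU#775661 (silent widget install) and VU#983429 (widget shadowing).
# Added example; the preference key name and the XML-plist layout are assumptions.

SYSTEM_WIDGETS="/Library/Widgets"        # system-installed widgets, run without the warning dialog
USER_WIDGETS="$HOME/Library/Widgets"     # where Safari installs downloaded widgets

# Print the CFBundleIdentifier from a widget bundle's Info.plist (XML form assumed).
bundle_id() {
    plist="$1/Info.plist"
    [ -f "$plist" ] || return 1
    awk '/<key>CFBundleIdentifier<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$plist"
}

# Print "<user widget path>TAB<bundle id>" for each user widget whose identifier
# matches a system widget; Dashboard prefers the user copy, so these deserve a look.
find_shadowed_widgets() {
    sysdir="$1"; userdir="$2"
    [ -d "$sysdir" ] && [ -d "$userdir" ] || return 0
    for sysw in "$sysdir"/*.wdgt; do
        [ -d "$sysw" ] || continue
        sid=$(bundle_id "$sysw") || continue
        for usrw in "$userdir"/*.wdgt; do
            [ -d "$usrw" ] || continue
            uid=$(bundle_id "$usrw") || continue
            if [ "$uid" = "$sid" ]; then printf '%s\t%s\n' "$usrw" "$uid"; fi
        done
    done
    return 0
}

# Interpret the stored value of the auto-open preference. Returns 0 only when the
# option is explicitly off; an unset key means Safari's default, which is on.
auto_open_disabled() {
    case "$1" in
        0|false|FALSE|no|NO) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    setting=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    if auto_open_disabled "$setting"; then
        echo "OK: Safari will not auto-open downloaded files (widgets are not installed silently)"
    else
        echo "WARNING: Safari auto-opens 'safe' files; downloaded widgets are installed without notice"
    fi
    echo "User widgets shadowing a system widget with the same bundle identifier:"
    find_shadowed_widgets "$SYSTEM_WIDGETS" "$USER_WIDGETS"
}

# Only run the audit when asked, so the functions can be sourced and tested separately.
if [ "${1:-}" = "audit" ]; then main; fi
```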

Vendor Information


Apple Computer, Inc. Affected

Notified: June 08, 2005 Updated: June 08, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

This vulnerability was publicly reported by stephan.com.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2005-1474
Severity Metric: 17.06
Date Public: 2005-05-08
Date First Published: 2005-06-08
Date Last Updated: 2006-02-22 15:22 UTC
Document Revision: 27

Sponsored by CISA.