Widget security worries stalk Apple
Although Apple Computer updated its latest OS this week to solve a security problem with widgets, worries persist that the small applications still pose a potentially serious risk.
Widgets, small programs that install automatically once downloaded, were introduced in Tiger for the Dashboard, a layer that overlays the desktop. An attacker could write a malicious widget for Mac OS X 10.4 Tiger that would run invisibly in the background and hijack a user's 'sudo' or administrative privileges on a system, according to an alert distributed on the Full Disclosure mailing list late on Wednesday. With administrative privileges, the attacker would have full control over the targeted Mac.
On Monday, Apple published the Mac OS X 10.4.1 update to fix an earlier security issue related to the widgets. Before the patch, widgets would download and install without warning. Patched machines display a box that asks the user to confirm a download, but don't tell the user that the confirmation also triggers installation of the widget.
While the patch mitigates the risk, security issues remain with widgets, according to Jonathan Zdziarski, a software engineer and author of Wednesday's Full Disclosure posting.
"Those widgets should never be allowed to get administrative access on the system," Zdziarski said in an interview. "Apple has taken, sort of, the Microsoft stance with widgets, in that it is one of the few tools that is completely built into the operating system."
Zdziarski is also unhappy with how the Mac maker addressed the previous widget problem. It should be clear to users that a widget is not only being downloaded, but also installed, he said. "They terribly misworded that button. When I click 'download', I expect to just download it. In fact, the widget is installed."
A malicious widget, after it is installed, can run in the background and wait until a time when the user logs in as administrator. It can then hijack those credentials to deliver its payload, Zdziarski said. The action could be anything from wiping a hard drive to sending the attacker the victim's list of usernames and passwords on Apple's Keychain tool, he said.
For a user to fall victim to a malicious widget, the application first needs to be installed on a Mac. That required user interaction disqualifies it as a security vulnerability, according to several responses to Zdziarski's posting on Full Disclosure.
Apple is encouraging developers to create new widgets and its Web site already lists 209 of them. Widgets are also available elsewhere on the Web.
For protection, users should download widgets only from trusted Web sites, Zdziarski suggests.
Apple declined to comment for this story.