
Dashboard, Malware, and a Theory


Daniel Johnson

May 13, 2005, 5:33:17 PM
Apple seems to have screwed the pooch on Safari/Dashboard security.
What I read is that websites can silently download and install widgets
and appear to replace system provided ones and, if they use the
system-provided bundle ids, they also get to run without any further
security checks. The next time you use a sticky-note (or whatever was
replaced), you get owned.

That's pretty grim. I trust, at least, we will hear no more about MacOS
X's "inherent" security for quite a while.

But, for advocacy newsgroups, this is also an opportunity, and not just
for flames!

I have long said that the lack of malware on the Mac is due, primarily,
to the scarcity of Macs. This makes them less inviting targets for any
malware producing villain. Is this, indeed, the main reason?

We will know soon. If there is a surge of malware for the Mac, this
will suggest that malware "vendors" desire to infect the Mac, but have
found it too hard. Now that it is easy, they will take the opportunity.

But if there is no such surge, this means that there is little interest
in attacking Macintoshes, even when it is easy to do.

Jim Polaski

May 13, 2005, 5:49:30 PM
In article <2005051317331716807%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

Turn off auto installing widgets. It's not that big a deal.
There's also WidgetManager if you need a utility.

--
Regards,
JP
"The measure of a man is what he will do while
expecting that he will get nothing in return!"

Snit

May 13, 2005, 5:57:27 PM
"Jim Polaski" <jpol...@NOSPMync.net> stated in post
jpolaski-4A5B3B...@comcast.dca.giganews.com on 5/13/05 2:49 PM:

It is also largely suspected and rumored that Apple will be fixing this in
10.4.1. By the time the malware would be hitting, most users will likely
already have a fix.

It is true, though, that this is sometimes the case for XP malware. The
Dashboard in 10.4 does open security risks - software can be installed
without the user's knowledge and done so in a way where the software is at
least relatively likely to be run. While the software likely could not do
much outside the user's account, if running as admin it can do more - and
even if not as admin the software can still do plenty of damage.

The sooner Apple fixes this the better off the Mac will be as a platform -
having malware spring up around this weakness is not unlikely and something
that can hurt Apple. The media, I am sure, would jump on the first attacks
against OS X. With Apple doing so well these days, it makes them a target
not just for the malware writers, but the media looking for a story.


--
"If a million people believe a foolish thing, it is still a foolish thing."
- Anatole France


Macslut

May 13, 2005, 6:03:59 PM
Some questions...

1) How do you get the recipient of the malware to download it without
their knowledge...Not how do you do a meta-refresh on a website and get
them to download it without their *approval*, but rather how do you do
it without their knowledge?

2) How do you get the widget to install when people aren't using
Safari, or have auto-open turned off?

3) How much incentive would one have to create such a widget when there
are already 3 party freeware apps to deal with this, and it's reported
to have already been patched in 10.4.1 which has been seeded to
developers for testing?

4) How do you get the widget to not only auto-install, but more
importantly auto-launch in the dashboard, when just sitting in the
Dashboard dock, it does nothing?

5) How "owned" can you be by a widget without privs?

6) How many brain cells does it take to be able to remove a widget from
its folder and relaunch dashboard (or restart)?

7) Not that malware is never spread through websites, but most come as
attachments and/or P2P networks...how likely are people to offer truly
malicious malware from their own websites given that there would be a
record of exactly where the widget came from?

While no doubt market share does play a huge role in all of this, I
really don't see this widget hole as being that big of a deal. Other
than the half-proof of concept, I don't see anyone else moving the
threat meter on this in any significant way.

Snit

May 13, 2005, 6:38:05 PM
"Macslut" <mac...@yahoo.com> stated in post
1116021839....@f14g2000cwb.googlegroups.com on 5/13/05 3:03 PM:

> Some questions...
>
> 1) How do you get the recipient of the malware to download it without
> their knowledge...Not how do you do a meta-refresh on a website and get
> them to download it without their *approval*, but rather how do you do
> it without their knowledge?

This has been demo'd in a few places - if you want to see it I can likely
hunt it down for you.


>
> 2) How do you get the widget to install when people aren't using
> Safari, or have auto-open turned off?

Even if there are ways to prevent it, having this weakness "on" by default
is a bad thing. OS X has little or no malware, but that does not mean we
should sit back with our eyes closed to such holes.


>
> 3) How much incentive would one have to create such a widget when there
> are already 3 party freeware apps to deal with this, and it's reported
> to have already been patched in 10.4.1 which has been seeded to
> developers for testing?

This is a more reasonable question... assuming 10.4.1 is coming soon, it is
likely any malware would do little. This is, though, partly because of the
relative few numbers of Macs.


>
> 4) How do you get the widget to not only auto-install, but more
> importantly auto-launch in the dashboard, when just sitting in the
> Dashboard dock, it does nothing?

You cannot - but many people would launch it.


>
> 5) How "owned" can you be by a widget without privs?

It can do anything you can do without getting asked for an admin password.
Scary, eh?


>
> 6) How many brain cells does it take to be able to remove a widget from
> its folder and relaunch dashboard (or restart)?

It is not a matter of intelligence, but technical competence. Look in
Apple's support site for removing Widgets:

http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html

You cannot remove widgets from the Widget Bar or change their order.

Ouch!


>
> 7) Not that malware is never spread through websites, but most come as
> attachments and/or P2P networks...how likely are people to offer truly
> malicious malware from their own websites given that there would be a
> record of exactly where the widget came from?

Malware does come from websites... it happens now. Widgets will not stop
that.


>
> While no doubt market share does play a huge role in all of this, I
> really don't see this widget hole as being that big of a deal. Other
> than the half-proof of concept, I don't see anyone else moving the
> threat meter on this in any significant way.

It could blow up on Apple... likely it will be fixed soon.


--
Picture of a tuna milkshake: http://snipurl.com/bh6q
Feel free to ask for the recipe.

Daniel Johnson

May 13, 2005, 6:45:41 PM
On 2005-05-13 18:03:59 -0400, "Macslut" <mac...@yahoo.com> said:

> Some questions...
>
> 1) How do you get the recipient of the malware to download it without
> their knowledge...Not how do you do a meta-refresh on a website and get
> them to download it without their *approval*, but rather how do you do
> it without their knowledge?

Keep it small, so it downloads quickly. Any user who has set Safari to
remove items from the download list after they successfully download
can easily miss it if it's fast enough. He might guess that something
downloaded, but he won't know what.

Further, there's no supported way to *remove* a widget. If he sees it
coming but doesn't cancel it in time, it is too late. You can remove
the file, but this confuses Dashboard no end, until you log out. Expect
users to be very reluctant to do such a thing, especially if they've
done it once and seen their Dashboard go nuts.

Finally, it is a bit much to expect users to know where that mysterious
unauthorized download went. Safari *does not remember*; if you click
the icon to show the widget file, it says *you* moved it, which is a
rather silly thing to say.

> 2) How do you get the widget to install when people aren't using
> Safari, or have auto-open turned off?

Users who don't use Safari or have turned off auto-open are safe. But
Safari is an excellent browser, is the default on a new Macintosh, and
it has auto-open turned *on* by default.

> 3) How much incentive would one have to create such a widget when there
> are already 3 party freeware apps to deal with this, and it's reported
> to have already been patched in 10.4.1 which has been seeded to
> developers for testing?

My theory is: not much. I doubt that everyone will patch, but there are
so few Macs that even if nobody did there would still be little
incentive. There will be, I predict, no deluge of malware. Just not
worth it.

The freeware apps and other workarounds are, of course, irrelevant.
Your target is users who don't know about this little problem.

> 4) How do you get the widget to not only auto-install, but more
> importantly auto-launch in the dashboard, when just sitting in the
> Dashboard dock, it does nothing?

You give it the icon and bundle id as one of Apple's widgets. Give it
a similar name. The user thinks he's starting "Stickies", but it's
really your app, " Stickies ". Strategic space placement is key. :D

> 5) How "owned" can you be by a widget without privs?

If you use the bundle-id of one of Apple's widgets, you are considered
"already authorized" and get whatever privs you ask for. At least
sometimes this is reported to happen; it's not clear just what the
complete triggering condition is, but some people have observed it.

There's a long ars-technica thread on this here:

http://episteme.arstechnica.com/eve/ubb.x/a/tpc/f/8300945231/m/200006323731

The screenie on page 1 is priceless.

> 6) How many brain cells does it take to be able to remove a widget from
> its folder and relaunch dashboard (or restart)?

Well, I know about how to remove the widget and restart, but I don't
see how to restart dashboard short of a restart. There's no dashboard
process in the activity monitor, just one for each widget.

In any case the idea is that your victim does not know you've switched
his regular widget with Folger's crystals, so he doesn't remove the
widget- even if he knows how.

> 7) Not that malware is never spread through websites, but most come as
> attachments and/or P2P networks...how likely are people to offer truly
> malicious malware from their own websites given that there would be a
> record of exactly where the widget came from?

You are certainly right that email trojans and such are a bigger
problem on Windows than web-page exploits like this; that may be
because they are much easier. And other sorts of malware do happen,
even ones that exploit tricky buffer overflows and the like.

As far as I can see the only way to tell where the thing came from is
if you catch it still in the downloads window and know to right click
and select "copy address", then paste it somewhere visible. This is
not, I think, a very dangerous scenario for your evil internet villains.

> While no doubt market share does play a huge role in all of this, I
> really don't see this widget hole as being that big of a deal. Other
> than the half-proof of concept, I don't see anyone else moving the
> threat meter on this in any significant way.

It is certainly a very large and very easily exploited vulnerability.

This may, or may not, induce a resurgence in MacOS malware. I think
not, so in that sense I agree with you.

I think the main significance of it is advocacy fodder. :D

I do hope I'm right about this. Nobody wants a deluge of Mac malware.
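
The post above lays out the two tricks from the attacker's side: a downloaded widget that borrows an Apple bundle id, and a name padded with spaces so it reads as the real thing. The defensive counterpart is an audit of the user's widget folder, and the script below is an added example written for this page, not code from the thread or from Apple. It builds a constructed sample tree (two "system" widgets and two user widgets, one an impostor, all with made-up bundle ids under com.example), then flags user widgets whose CFBundleIdentifier collides with a system widget or whose name is padded with whitespace. It assumes Tiger's layout, where Apple's widgets live in /Library/Widgets and downloaded ones in ~/Library/Widgets, each a flat .wdgt bundle with an Info.plist at its root whose <string> value follows the <key> on the next line.

```shell
#!/bin/sh
# Added example: audit a Dashboard user-widget folder for impostor widgets.
# Not part of the thread; the sample tree and all bundle ids are constructed.

# Pull CFBundleIdentifier out of a widget's Info.plist (XML plist; the
# <string> value is assumed to sit on the line after the <key>).
bundle_id() {
    awk '/<key>CFBundleIdentifier<\/key>/ {
             getline
             sub(/.*<string>/, "")
             sub(/<\/string>.*/, "")
             print
             exit
         }' "$1/Info.plist"
}

# Print one line per finding. $1 = folder holding Apple's widgets,
# $2 = the user's widget folder. The two checks mirror the two tricks:
#   COLLISION  a user widget reusing a system widget's bundle id
#   LOOKALIKE  a widget name padded with whitespace (" Stickies ")
audit_widgets() {
    sys_dir=$1
    usr_dir=$2
    for w in "$usr_dir"/*.wdgt; do
        [ -d "$w" ] || continue
        name=$(basename "$w" .wdgt)
        id=$(bundle_id "$w")
        for s in "$sys_dir"/*.wdgt; do
            [ -d "$s" ] || continue
            if [ -n "$id" ] && [ "$id" = "$(bundle_id "$s")" ]; then
                echo "COLLISION: '$name' reuses bundle id $id of $(basename "$s")"
            fi
        done
        trimmed=$(printf '%s' "$name" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$trimmed" != "$name" ]; then
            echo "LOOKALIKE: '$name' is padded with whitespace (reads as '$trimmed')"
        fi
    done
}

# Number of findings, handy for a cron job or a quick check.
count_findings() {
    audit_widgets "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed sample tree (ids are invented, not Apple's) -------------
write_widget() {            # $1 = bundle path, $2 = bundle id
    mkdir -p "$1"
    cat > "$1/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>$2</string>
</dict>
</plist>
EOF
}

make_sample_tree() {        # prints the root of a throwaway tree
    root=$(mktemp -d)
    write_widget "$root/sys/Stickies.wdgt"   "com.example.widget.stickies"
    write_widget "$root/sys/Calculator.wdgt" "com.example.widget.calculator"
    write_widget "$root/usr/Weather.wdgt"    "org.example.weather"           # benign
    write_widget "$root/usr/ Stickies .wdgt" "com.example.widget.stickies"   # impostor
    echo "$root"
}

# Run the audit against the constructed tree; expect two findings for
# " Stickies " (COLLISION and LOOKALIKE) and none for Weather.
root=$(make_sample_tree)
audit_widgets "$root/sys" "$root/usr"
rm -rf "$root"
```

On a real Tiger machine the call would be `audit_widgets /Library/Widgets "$HOME/Library/Widgets"`; a non-zero `count_findings` is the cue to look at the flagged bundle before opening Dashboard again. The bundle-id comparison is the important one: a collision with a system widget is never legitimate for a third-party download, whereas whitespace padding is merely suspicious.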

Daniel Johnson

May 13, 2005, 6:47:29 PM

How are users supposed to discover they need to do either of these
things? It's not like the checkbox in Safari prefs says "Open safe
files after downloaded, *and install malware you just happened across*."

Daniel Johnson

May 13, 2005, 6:51:21 PM
On 2005-05-13 17:57:27 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:

> "Jim Polaski" <jpol...@NOSPMync.net> stated in post
> jpolaski-4A5B3B...@comcast.dca.giganews.com on 5/13/05 2:49 PM:
>>

>> Turn off auto installing widgets. It's not that big a deal.
>> There's also WidgetManager if you need a utility.
>
> It is also largely suspected and rumored that Apple will be fixing this in
> 10.4.1. By the time the malware would be hitting, most users will likely
> already have a fix.

This has not, historically, helped MS much. They frequently have the
patches out before the worms, trojans, etc are out there. Doesn't help-
too many people just don't patch.

That said, the sooner Apple patches this the better. This is serious
enough that they should have turned around a patch *first*, separately
from 10.4.1, even if it only fixed this (or just disabled the silly
feature outright!)

[snip]

> The sooner Apple fixes this the better off the Mac will be as a platform -
> having malware spring up around this weakness is not unlikely and something
> that can hurt Apple. The media, I am sure, would jump on the first attacks
> against OS X. With Apple doing so well these days, it makes them a target
> not just for the malware writers, but the media looking for a story.

I think this may not be as true as you might think. Apple is still
pretty small compared to, say, Microsoft, and Apple is very good at PR
compared to most of its rivals. One of its great assets as a company,
really.

Apple will dodge this bullet. But will Apple's users do so?


Snit

May 13, 2005, 6:58:01 PM
"Daniel Johnson" <daniel...@vzavenue.net> stated in post
2005051318512143658%danieljohnson@vzavenuenet on 5/13/05 3:51 PM:

> On 2005-05-13 17:57:27 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:
>
>> "Jim Polaski" <jpol...@NOSPMync.net> stated in post
>> jpolaski-4A5B3B...@comcast.dca.giganews.com on 5/13/05 2:49 PM:
>>>
>>> Turn off auto installing widgets. It's not that big a deal.
>>> There's also WidgetManager if you need a utility.
>>
>> It is also largely suspected and rumored that Apple will be fixing this in
>> 10.4.1. By the time the malware would be hitting, most users will likely
>> already have a fix.
>
> This has not, historically, helped MS much. They frequently have the
> patches out before the worms, trojans, etc are out there. Doesn't help-
> too many people just don't patch.
>
> That said, the sooner Apple patches this the better. This is serious
> enought that they should have turned around a patch *first*, separately
> from 10.4.1, even if it only fixed this (or just disabled the silly
> feature outright!)

Agreed. Many people are still using modems and even a small OS update patch
is just too much for them to download in a way they are comfortable with...
that and other factors limit the number of folks who update.


>
> [snip]
>
>> The sooner Apple fixes this the better off the Mac will be as a platform -
>> having malware spring up around this weakness is not unlikely and something
>> that can hurt Apple. The media, I am sure, would jump on the first attacks
>> against OS X. With Apple doing so well these days, it makes them a target
>> not just for the malware writers, but the media looking for a story.
>
> I think this may not be as true as you might think. Apple is still
> pretty small compared to, say, Microsoft, and Apple is very good at PR
> compared to most of its rivals. One of its great assets as a company,
> really.
>
> Apple will dodge this bullet. But will Apple's users do so?

I doubt that there will be much if any significant malware based on this...
but if I am wrong, I do not think the media would have any problem "turning"
on Apple if they thought it would sell a few ads.

Lars Träger

May 13, 2005, 7:19:41 PM

Daniel Johnson wrote:
> On 2005-05-13 17:57:27 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:
>
> > It is also largely suspected and rumored that Apple will be fixing this in
> > 10.4.1. By the time the malware would be hitting, most users will likely
> > already have a fix.
>
> This has not, historically, helped MS much. They frequently have the
> patches out before the worms, trojans, etc are out there. Doesn't help-
> too many people just don't patch.

Because A) their "automatic" update wasn't, and B) they don't allow
pirated copies. So what is the average Windows user to do?

Lars T.

MR ED

May 13, 2005, 7:27:27 PM
in article 2005051318454175249%danieljohnson@vzavenuenet, Daniel Johnson at
daniel...@vzavenue.net wrote on 5/13/05 3:45 PM:

You've done a great job of answering all of the questions individually. Now
take the market share...or actually the installed user base number of Tiger
users and start subtracting out numbers for people who aren't running
Safari, have auto-open turned off, have 3rd party apps to block the widgets,
wouldn't go to a site that would offer a bad widget, and as an *early*
adopter of Tiger, would be likely to upgrade to 10.4.1.

Then, given that pool of say *5* people, how much incentive is there to go
through the risks of developing and delivering a malware widget on your own
site?

See, market share (or technically, installed user base) numbers do make a
difference, but that doesn't answer whether there are significant hoops to
jump through on as a potential malware author for OS X that don't exist on
Windows.

Is there a hole? Yes.
Can the end user close the hole? Yes.
Has the hole been exploited? Not reported as yes yet.
Is there a patch on the way? Yes (estimated within 2-3 weeks of initial
report).
Are there 3rd party fixes? Yes, within days of initial report.

Daniel Johnson

May 13, 2005, 7:38:33 PM
On 2005-05-13 19:27:27 -0400, MR ED <OhNo...@forme.com> said:
>
> You've done a great job of answering all of the questions individually. Now
> take the market share...or actually the installed user base number of Tiger
> users and start subtracting out numbers for people who aren't running
> Safari, have auto-open turned off, have 3rd party apps to block the widgets,
> wouldn't go to a site that would offer a bad widget, and as an *early*
> adopter of Tiger, would be likely to upgrade to 10.4.1.
>
> Then, given that pool of say *5* people, how much incentive is there to go
> through the risks of developing and delivering a malware widget on your own
> site?

That's exactly what I'm saying. Even though there is no patch, a
malware program can still only expect to infect a *small* fraction of
the userbase. Only Tiger users who visit a particular page and have
default preferences, say.

A small fraction of the already small Macintosh userbase is just not
enough to bother with.

Maybe if Apple wrote in a hole that allowed malware to infect
*absolutely every Macintosh out there*, that would be worth it. But I
don't think even Apple could implement such a security hole.

> See, market share (or technically, installed user base) numbers do make a
> difference, but that doesn't answer whether there are significant hoops to
> jump through on as a potential malware author for OS X that don't exist on
> Windows.

This particular episode certainly demonstrates that OS X is *not* a harder
target. Tiger is an easier target; in addition to the ordinary
exploitable bugs that no doubt exist (it is kinda buggy, you know), it
has this gaping hole.

> Is there a hole? Yes.
> Can the end user close the hole? Yes.
> Has the hole been exploited? Not reported as yes yet.

The question is, will it be in future?

I think the answer is no, because MacOS X *real* protection is its very
small user base, not any technical quality that previous versions of
the OS (without Dashboard) may supposedly have had.

> Is there a patch on the way? Yes (estimated within 2-3 weeks of initial
> report).

I'm not terribly impressed by that timetable. If this happened to
Windows, it would surely be a "drop everything and patch it *right
now*" emergency. They'd even patch it before firing the development
team for "Dashboard XP" and Internet Explorer. :D

But of course, people *target* Windows. There's a lot of Windows users
out there, it's worth it even though you only get a very small
fraction of the user base. *That* is the difference. That is why Apple
can take the slow road to patching this.

> Are there 3rd party fixes? Yes, within days of initial report.

This is, shall we say, to laugh. The coverage of these "fixes" is
certain to be insignificant.


Daniel Johnson

May 13, 2005, 7:57:37 PM

Microsoft's automatic update *is* automatic, moreso than Apple's even.
MS's will download *and install* patches in the background, if you
like, and it will nag you to turn automatic updates on if they are off.

Microsoft has talked about blocking pirates from getting (most)
updates, but they haven't got round to it yet. It's supposed to happen
in the second half of this year. And they say they will let pirates
have security updates anyway. What will happen when Service Pack 3
comes out is a good question.

At any rate, automatic updates and patches for pirates hasn't done MS
too much good in the past.

Snit

May 13, 2005, 8:39:37 PM
"Daniel Johnson" <daniel...@vzavenue.net> stated in post
2005051318454175249%danieljohnson@vzavenuenet on 5/13/05 3:45 PM:

> On 2005-05-13 18:03:59 -0400, "Macslut" <mac...@yahoo.com> said:
>
>> Some questions...
>>
>> 1) How do you get the recipient of the malware to download it without
>> their knowledge...Not how do you do a meta-refresh on a website and get
>> them to download it without their *approval*, but rather how do you do
>> it without their knowledge?
>
> Keep it small, so it downloads quickly. Any user who has set Safari to
> remove items from the download list after they successfully download
> can easily miss it if it's fast enough. He might guess that something
> downloaded, but he won't know what.
>
> Further, there's no supported way to *remove* a widget. If he sees it
> coming but doesn't cancel it it time, it is too late. You can remove
> the file, but this confuses Dashboard no end, until you log out. Expect
> users to be very reluctant to do such a thing, especially if they've
> done it once and seen their Dashboard go nuts.

While I agree there should be a better supported method (the Apple web site
says there is *no* method!) why would an expert user have any problem
removing a widget? It is easy, and what few problems it creates are solved
by rotating through the Dashboard launchers... no big deal (for the expert).


>
> Finally, it is a bit much to expect users to know where that mysterious
> unauthorized download went. Safari *does not remember*; if you click
> the icon to show the widget file, it says *you* moved it, which is a
> rather silly thing to say.

Agreed.


>
>> 2) How do you get the widget to install when people aren't using
>> Safari, or have auto-open turned off?
>
> Users who don't use Safari or have turned off auto-open are safe. But
> Safair is an excellent browser, is the default on a new Macintosh, and
> it has auto-open turned *on* by default.

This is similar to people saying that XP users can simply avoid IE. They
can, but most do not.


>
>> 3) How much incentive would one have to create such a widget when there
>> are already 3 party freeware apps to deal with this, and it's reported
>> to have already been patched in 10.4.1 which has been seeded to
>> developers for testing?
>
> My theory is: not much. I doubt that everyone will patch, but there are
> so few macs that even if nobody did there would still be little
> incentive. There will be, I predict, no deluge of malware. Just not
> worth it.
>
> The freeware apps and other workarounds are, of course, irrelevant.
> Your target is users who don't know about this little problem.

And likely would not have the technical knowledge to fully understand the
problem.

>
>> 4) How do you get the widget to not only auto-install, but more
>> importantly auto-launch in the dashboard, when just sitting in the
>> Dashboard dock, it does nothing?
>
> You give it the icon and bundle id as one of Apple's widgets. Give it
> a similar name. The user thinks he's starting "Stickies", but it's
> really your app, " Stickies ". Strategic space placement is key. :D

Good - and scary - thought.


>
>> 5) How "owned" can you be by a widget without privs?
>
> If you use the bundle-id of one of Apple's widget, you are consider
> "already authorized" and get whatever privs you ask for. At least
> sometimes this is reported to happen; it's not clear just what the
> complete triggering condition is, but some people have observed it.
>
> There's a long ars-technica thread on this here:
>
> http://episteme.arstechnica.com/eve/ubb.x/a/tpc/f/8300945231/m/200006323731
>
> The sceenie on page 1 is priceless.
>
>> 6) How many brain cells does it take to be able to remove a widget from
>> its folder and relaunch dashboard (or restart)?
>
> Well, I know about how to remove the widget and restart, but I don't
> see how to restart dashboard short of a restart. There's no dashboard
> process in the activity monitor, just one for each widget.

Restart the Dock.


>
> In any case the idea is that your victim does not know you've switched
> his regular widget with Folger's crystals, so he doesn't remove the
> widget- even if he knows how.

And keep in mind in general work you do not examine every icon you touch...
well, most people do not.


>
>> 7) Not that malware is never spread through websites, but most come as
>> attachments and/or P2P networks...how likely are people to offer truly
>> malicious malware from their own websites given that there would be a
>> record of exactly where the widget came from?
>
> You are certainly right that email trojects and such are a bigger
> problem on Windows that web-page-exploits like this, that may be
> because they are much easier. And other sorts of malware do happen,
> even ones that exploit tricky buffer overflows and the like.
>
> As far as I can see the only way to tell where the thing came from is
> if you catch it still in the downloads window and know to right click
> and select "copy address", then paste it somewhere visible. This is
> not, I think, a very dangerous scenario for your evil internet villains.
>
>> While no doubt market share does play a huge role in all of this, I
>> really don't see this widget hole as being that big of a deal. Other
>> than the half-proof of concept, I don't see anyone else moving the
>> threat meter on this in any significant way.
>
> It is certainly a very large and very easily exploited vulnerablility.

It is something that I hope Apple fixes... quickly.


>
> This may, or may not, induce a resurgencence in MacOS malware. I think
> not, so in that sense I agree with you.
>
> I think the main signficance of it is advocacy fodder. :D
>
> I do hope I'm right about this. Nobody wants a deluge of Mac malware.

Nobody?


--
If A = B and B = C, then A = C, except where void or prohibited by law.
Roy Santoro, Psycho Proverb Zone (http://snipurl.com/BurdenOfProof)

Wally

May 13, 2005, 9:27:22 PM

On 14/5/05 6:03 AM, in article
1116021839....@f14g2000cwb.googlegroups.com, "Macslut"
<mac...@yahoo.com> wrote:

> Some questions...
>
> 1) How do you get the recipient of the malware to download it without
> their knowledge...Not how do you do a meta-refresh on a website and get
> them to download it without their *approval*, but rather how do you do
> it without their knowledge?

Good point, especially as in my case I do not run with the 'Downloads'
window open; it's pretty hard to ignore that window opening when a download
is initiated!

Snit

May 13, 2005, 9:33:30 PM
"Wally" <wa...@wally.world.net> stated in post
BEAB748F.E42F%wa...@wally.world.net on 5/13/05 6:27 PM:

>
>
>
> On 14/5/05 6:03 AM, in article
> 1116021839....@f14g2000cwb.googlegroups.com, "Macslut"
> <mac...@yahoo.com> wrote:
>
>> Some questions...
>>
>> 1) How do you get the recipient of the malware to download it without
>> their knowledge...Not how do you do a meta-refresh on a website and get
>> them to download it without their *approval*, but rather how do you do
>> it without their knowledge?
>
> Good point, especially as in my case I do not run with the 'Downloads'
> window open, its pretty hard to ignore that window opening when a download
> is initiated!

You sound like the folks who make excuses for MS's security holes. The
Dashboard hole is a big one, even if *you* are not likely to be hit by it.
It is something Apple should fix - and almost certainly is looking to do so
soon. I would be surprised to not see it in 10.4.1, and expect that to be
out likely by the end of the month.


--
"If a million people believe a foolish thing, it is still a foolish thing."
- Anatole France


Nasht0n

May 13, 2005, 9:34:43 PM
Lars Träger wrote:

How ironic. Apple screws one of its developers (Konfabulator) in order
to come up with its own a copy-cat version and it turns out to be a
security hole.

Spinnnnnn

ROTLMAO

Nicolas

ELVIS2000

May 13, 2005, 11:03:18 PM
On Fri, 13 May 2005 16:49:30 -0500, Jim Polaski
<jpol...@NOSPMync.net> wrote:

>Turn off auto installing widgets. It's not that big a deal.
>There's also WidgetManager if you need a utility.

And turn off pop-ups in Internet Explorer and disable ActiveX. And
there's AntiSpyware if you need a utility.

JW

ELVIS2000

May 13, 2005, 11:04:35 PM
On Fri, 13 May 2005 18:51:21 -0400, Daniel Johnson
<daniel...@vzavenue.net> wrote:

>I think this may not be as true as you might think. Apple is still
>pretty small compared to, say, Microsoft, and Apple is very good at PR
>compared to most of its rivals. One of its great assets as a company,
>really.

PR, or marketing? Marketing - Yes. PR? Not exactly!

ELVIS2000

May 13, 2005, 11:16:13 PM
On Fri, 13 May 2005 17:39:37 -0700, Snit <SN...@CABLE0NE.NET.INVALID>
wrote:

>This is similar to people saying that XP users can simply avoid IE. They
>can, but most do not.

Fact is -- auto widget install is about as swiss-cheese as
swiss-cheese can get. And it is so obvious, so lame, you have to
wonder just what the hell is going on at Apple.

Snit

May 13, 2005, 11:36:16 PM
"ELVIS2000" <elvi...@ElvisLives.com> stated in post
cara81lm2vukalc9s...@4ax.com on 5/13/05 8:16 PM:

Well, it is a pretty bizarre error - and it is disappointing to see some Mac
advocates try to minimize this. It is not, of course, the end of the Mac or
anything of that magnitude, but it is a clear entry point for malware that
Apple should not have created and should fix (and likely will by the end of
the month - for those who do updates, anyway).

Seems the right thing to do in a case like this is to have a small update
that fixes just this (and maybe other security risks). I hope Apple does
not tie it to a 20 MB download or something else that would limit the number
of people updating.


--
"Innovation is not about saying yes to everything. It's about saying NO to
all but the most crucial features." -- Steve Jobs

MR_ED_of_Course

May 14, 2005, 12:39:02 AM
in article 2005051319573743658%danieljohnson@vzavenuenet, Daniel Johnson at
daniel...@vzavenue.net wrote on 5/13/05 4:57 PM:

> On 2005-05-13 19:19:41 -0400, "Lars Träger" <Lars.T...@epost.de> said:
>
>>
>> Daniel Johnson wrote:
>>> On 2005-05-13 17:57:27 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:
>>>
>>> This has not, historically, helped MS much. They frequently have the
>>> patches out before the worms, trojans, etc are out there. Doesn't
>>> help- too many people just don't patch.
>>
>> Because A) their "automatic" update wasn't, and B) they don't allow
>> pirated copies. So what is the average Windows user to do?
>
> Microsoft's automatic update *is* automatic, moreso than Apple's even.
> MS's will download *and install* patches in the background, if you
> like, and it will nag you to turn automatic updates on if they are off.

SP2 is much better about updates, but part of the problem is getting people
to SP2. The other part, is that it can be so annoying that I've seen many
people disable it.



> Microsoft has talked about blocking pirates from getting (most)
> updates, but they haven't got round to it yet. It's supposed to happen
> in the second half of this year. And they say they will let pirates
> have security updates anyway. What will happen when Service Pack 3
> comes out is a good question.

Funny, I've seen several PCs with pirated versions of Windows that won't
allow SP2 to be installed. In one of the offices I go to the PC they give
me to use has a legit copy of Office that needs "critical updating", but the
company can't find the original CD which needs to be inserted for doing
this.

> At any rate, automatic updates and patches for pirates hasn't done MS
> too much good in the past.

I disagree.

The fact is, it's harder to get a pirated copy of Windows up to SP2. Either
SP2 is ineffective at reducing malware, or Microsoft's piracy policies are
exacerbating the malware problem.

Jim Polaski

May 14, 2005, 2:29:54 AM
In article <7iqa8152k90k6ut2q...@4ax.com>,
ELVIS2000 <elvi...@ElvisLives.com> wrote:

Macs don't have ActiveX, thank goodness. They don't have spyware
either, and come to think of it, new ones don't have IE either.

Your point here?

Nasht0n

May 14, 2005, 4:10:14 AM
ELVIS2000 wrote:

Apple is good at marketing? How so?

Nicolas

Nasht0n

May 14, 2005, 4:16:23 AM
Jim Polaski wrote:

> In article <7iqa8152k90k6ut2q...@4ax.com>,
> ELVIS2000 <elvi...@ElvisLives.com> wrote:
>
>
>>On Fri, 13 May 2005 16:49:30 -0500, Jim Polaski
>><jpol...@NOSPMync.net> wrote:
>>
>>
>>>Turn off auto installing widgets. It's not that big a deal.
>>>There's also WidgetManager if you need a utility.
>>
>>And turn off pop-ups in Internet Explorer and disable ActiveX. And
>>there's AntiSpyware if you need a utility.
>>
>>JW
>
>
> Macs don't have ActiveX, thank goodness. They don't have spyware
> either, and come to think of it, new ones don't have IE either.
>
> Your point here?

You're right. Macs are bullet proof. No security patches needed, no
apparent way to social engineer a virus attack and everything that comes
with the OS, dashboard included, is as tight as it can get.

Tell me, Polaski, with holes the size of the Panama canal, why do you
think the OS hasn't been compromised? Would obscurity have anything to
do with it?

Nicolas

Wally

May 14, 2005, 4:44:29 AM


On 14/5/05 9:33 AM, in article BEAAA37A.18618%SN...@CABLE0NE.NET.INVALID,
"Snit" <SN...@CABLE0NE.NET.INVALID> wrote:

> "Wally" <wa...@wally.world.net> stated in post
> BEAB748F.E42F%wa...@wally.world.net on 5/13/05 6:27 PM:
>
>>
>>
>>
>> On 14/5/05 6:03 AM, in article
>> 1116021839....@f14g2000cwb.googlegroups.com, "Macslut"
>> <mac...@yahoo.com> wrote:
>>
>>> Some questions...
>>>
>>> 1) How do you get the recipient of the malware to download it without
>>> their knowledge...Not how do you do a meta-refresh on a website and get
>>> them to download it without their *approval*, but rather how do you do
>>> it without their knowledge?
>>
>> Good point, especially as in my case I do not run with the 'Downloads'
>> window open, it's pretty hard to ignore that window opening when a download
>> is initiated!
>
> You sound like the folks who make excuses for MS's security holes. The
> Dashboard hole is a big one,

And yet so easily defeated...one check box! And only then assuming Safari is
being used.

> even if *you* are not likely to be hit by it.

Hit or not, my point was that it could not be downloaded to my Mac without
my knowledge, that is not an excuse, it is a FACT!

> It is something Apple should fix - and almost certainly is looking to do so
> soon.

I do hope so, and have never indicated otherwise!

> I would be surprised to not see it in 10.4.1, and expect that to be
> out likely by the end of the month.

I wouldn't be surprised to see a fix prior to 10.4.1, so what? I will
remain unaffected either way!

C Lund

May 14, 2005, 5:28:39 AM
In article <2005051317331716807%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

> That's pretty grim. I trust, at least, we will hear no more about MacOS
> X's "inherent" security for quite a while.

Nah. While this was a stupid thing to do (and very MS-like), I don't
think it's as bad as it sounds (you have to use Safari and a single
checkbox click defeats it). I expect it to be fixed in the very near
future.

--
C Lund, www.notam02.no/~clund

Chad Irby

May 14, 2005, 5:49:39 AM
In article <cara81lm2vukalc9s...@4ax.com>,
ELVIS2000 <elvi...@ElvisLives.com> wrote:

> Fact is -- auto widget install is about as swiss-cheese as
> swiss-cheese can get.

No, that would be something like letting a hole in the browser directly
access major parts of the operating system, instead of a virtual
"sandbox" that keeps offending widgets from doing anything seriously
annoying without direct user intervention.

--
I don't have a lifestyle.
I have a lifeCSS.

Peter Hayes

May 14, 2005, 6:07:06 AM
Daniel Johnson <daniel...@vzavenue.net> wrote:

> Apple seems to have screwed the pooch on Safari/Dashboard security.
> What I read is that websites can silently download and install widgets
> and appear to replace system provided ones and, if they use the
> system-provided bundle ids, they also get to run without any further
> security checks. The next time you use a sticky-note (or whatever was
> replaced), you get owned.


>
> That's pretty grim. I trust, at least, we will hear no more about MacOS
> X's "inherent" security for quite a while.
>

> But, for advocacy newsgroups, this is also an opportunity, and not just
> for flames!
>
> I have long said that the lack of malware on the Mac is due, primarily,
> to the scarcity of Macs. This makes them less inviting targets for any
> malware producing villain. Is this, indeed, the main reason?


>
> We will know soon. If there is a surge of malware for the Mac, this
> will suggest that malware "vendors" desire to infect the Mac, but have
> found it too hard. Now that it is easy, they will take the opportunity.
>
> But if there is no such surge, this means that there is little interest
> in attacking Macintoshes, even when it is easy to do.

Just never use v.0 of anything.

--

Peter

Tim Adams

May 14, 2005, 7:15:58 AM
In article <BEAA7A5D.185C3%SN...@CABLE0NE.NET.INVALID>,
Snit <SN...@CABLE0NE.NET.INVALID> wrote:

~snip

>
> http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html
>
> You cannot remove widgets from the Widget Bar or change their order.
>
> Ouch!

If you want to remove a widget from the Widget bar, open your hard
drive, open the folder called 'Library' then the folder called 'Widget'
and remove the item you no longer want to appear in the bar.

To change the order the items appear in, simply rename them or add a
space (first in list) or a tilde (last in list) to the beginning of
their name. As they currently show up in alphabetical order, changing
that order isn't really all that hard.


~snip

--
regarding Snit "You are not flamed because you speak the truth,
you are flamed because you are a hideous troll and keep disrupting
the newsgroup." Andrew J. Brehm

Tim

Daniel Johnson

May 14, 2005, 7:47:39 AM
On 2005-05-14 00:39:02 -0400, MR_ED_of_Course <OhNo...@pacbell.net> said:

> in article 2005051319573743658%danieljohnson@vzavenuenet, Daniel Johnson at
> daniel...@vzavenue.net wrote on 5/13/05 4:57 PM:
>
>> On 2005-05-13 19:19:41 -0400, "Lars Träger" <Lars.T...@epost.de> said:
>>
>> Microsoft's automatic update *is* automatic, moreso than Apple's even.
>> MS's will download *and install* patches in the background, if you
>> like, and it will nag you to turn automatic updates on if they are off.
>
> SP2 is much better about updates, but part of the problem is getting people
> to SP2.

The earlier, less naggy Automatic Updates is very very close to Apple's
software update.

> The other part, is that it can be so annoying that I've seen many
> people disable it.

This is the problem. They were doing this before SP2 as well.

>
>> Microsoft has talked about blocking pirates from getting (most)
>> updates, but they haven't got round to it yet. It's supposed to happen
>> in the second half of this year. And they say they will let pirates
>> have security updates anyway. What will happen when Service Pack 3
>> comes out is a good question.
>
> Funny, I've seen several PCs with pirated versions of Windows that won't
> allow SP2 to be installed.

Most pirated versions of Windows *can* install SP2; they only block the
same serial numbers they blocked for SP1.

What MS is proposing for the future goes rather beyond that.

> In one of the offices I go to the PC they give
> me to use has a legit copy of Office that needs "critical updating", but the
> company can't find the original CD which needs to be inserted for doing
> this.

Office is very irritating about this, but Office is not Windows and
does not use the Windows Update mechanism.

Does Office for the Mac behave any differently?

>
>> At any rate, automatic updates and patches for pirates hasn't done MS
>> too much good in the past.
>
> I disagree.
> The fact is, it's harder to get a pirated copy of Windows up to SP2. Either
> SP2 is ineffective at reducing malware, or Microsoft's piracy policies are
> exacerbating the malware problem.

I doubt that MS's piracy policies are exacerbating the malware problem
significantly *yet*; they have done so little to this point. It may be
that this is about to change, of course.

Daniel Johnson

May 14, 2005, 7:51:20 AM
On 2005-05-14 07:15:58 -0400, Tim Adams <teadams$2$0$0$3...@earthlink.net> said:

> In article <BEAA7A5D.185C3%SN...@CABLE0NE.NET.INVALID>,
> Snit <SN...@CABLE0NE.NET.INVALID> wrote:
>
> ~snip
>
>>
>> http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html
>>
>> You cannot remove widgets from the Widget Bar or change their order.
>>
>> Ouch!
>
> If you want to remove a widget from the Widget bar, open your hard
> drive, open the folder called 'Library' then the folder called 'Widget'
> and remove the item you no longer want to appear in the bar.

That's not where these auto-installed widgets go. You should open your
*home directory*, then Library, then Widgets.

Once you remove them dashboard gets very confused. You should log out
to fix this; until you do so Dashboard will try to keep using the
widget set it had when it started, but the one you removed no longer
works and things get very odd. Try it and see.

> To change the order the items appear in, simply rename them or add a
> space (first in list) or a tilde (last in list) to the beginning of
> their name. As they currently show up in alphabetical order, changing
> that order isn't really all that hard.

Changing the order is of no importance to this security hole, of course.
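A defender's check for the impersonation trick this thread describes (a downloaded widget in the user's Widgets folder reusing a system widget's bundle id), written as an added example and not code from the thread or from Apple. It assumes widgets are *.wdgt bundles with an Info.plist carrying CFBundleIdentifier, with system widgets under /Library/Widgets and the user's under ~/Library/Widgets; the sample bundles and their ids are constructed in a temp directory so it runs anywhere.

```python
"""Audit the user's Dashboard Widgets folder for bundle-id collisions.

Added example, not code from the thread or from Apple. Assumptions:
widgets are *.wdgt bundles holding an Info.plist (at the bundle root,
or under Contents/) with a CFBundleIdentifier key; the system widgets
live in /Library/Widgets and the user's in ~/Library/Widgets. The
sample bundles and their ids below are constructed for the demo.
"""
import plistlib
import tempfile
from pathlib import Path


def widget_bundle_ids(widgets_dir):
    """Map each *.wdgt bundle name in widgets_dir to its CFBundleIdentifier."""
    ids = {}
    root = Path(widgets_dir)
    if not root.is_dir():
        return ids
    for bundle in sorted(root.glob("*.wdgt")):
        for plist in (bundle / "Info.plist", bundle / "Contents" / "Info.plist"):
            if plist.is_file():
                with plist.open("rb") as fh:
                    try:
                        info = plistlib.load(fh)
                    except plistlib.InvalidFileException:
                        info = {}  # unreadable plist: nothing to compare, keep going
                ident = info.get("CFBundleIdentifier")
                if isinstance(ident, str) and ident:
                    ids[bundle.name] = ident
                break
    return ids


def find_impersonators(system_dir, user_dir):
    """Return (user_bundle, bundle_id, system_bundle) for every user widget
    that reuses a system widget's bundle id: the impersonator would inherit
    the authorisation granted to the real one."""
    system_by_id = {ident: name for name, ident in widget_bundle_ids(system_dir).items()}
    hits = []
    for name, ident in widget_bundle_ids(user_dir).items():
        if ident in system_by_id:
            hits.append((name, ident, system_by_id[ident]))
    return hits


def _write_widget(widgets_dir, name, ident):
    """Create a minimal constructed *.wdgt bundle with the given bundle id."""
    bundle = Path(widgets_dir) / name
    bundle.mkdir(parents=True, exist_ok=True)
    with (bundle / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident, "CFBundleName": name}, fh)


def demo():
    """Build constructed system and user widget folders and run the audit."""
    with tempfile.TemporaryDirectory() as tmp:
        system_dir = Path(tmp) / "Library" / "Widgets"
        user_dir = Path(tmp) / "home" / "Library" / "Widgets"
        # Placeholder ids; real system widgets carry Apple's own identifiers.
        _write_widget(system_dir, "Stickies.wdgt", "com.example.system.stickies")
        _write_widget(system_dir, "Weather.wdgt", "com.example.system.weather")
        # A downloaded widget that reuses the Stickies id, as the thread describes.
        _write_widget(user_dir, "Stickies.wdgt", "com.example.system.stickies")
        # A legitimate user widget with its own id.
        _write_widget(user_dir, "Mine.wdgt", "org.example.mine")
        return find_impersonators(system_dir, user_dir)


if __name__ == "__main__":
    for user_bundle, ident, system_bundle in demo():
        print(f"{user_bundle} reuses {ident} from system widget {system_bundle}")
    # On a real system: find_impersonators("/Library/Widgets", Path.home() / "Library/Widgets")
```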

Daniel Johnson

May 14, 2005, 7:58:55 AM
On 2005-05-13 20:39:37 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:
> While I agree there should be a better supported method (the Apple web site
> says there is *no* method!) why would an expert user have any problem
> removing a widget? It is easy, and what few problems it creates are solved
> by rotating through the Dashboard launchers... no big deal (for the expert).

An expert is very much more likely to know about this issue and
discover one of the workarounds; but expert users on Windows are very
rarely infected for much the same reason. Knowledge is power and all
that.

Still, it is not entirely unreasonable even for an expert to read
Apple's documentation and believe it.

>> Finally, it is a bit much to expect users to know where that mysterious
>> unauthorized download went. Safari *does not remember*; if you click
>> the icon to show the widget file, it says *you* moved it, which is a
>> rather silly thing to say.
>
> Agreed.

This is really a pretty half baked feature all 'round. Does anyone know
when the beta Tiger builds started to do this? I bet this went in very
late.

[snip]


>>> 6) How many brain cells does it take to be able to remove a widget from
>>> its folder and relaunch dashboard (or restart)?
>>
>> Well, I know about how to remove the widget and restart, but I don't
>> see how to restart dashboard short of a restart. There's no dashboard
>> process in the activity monitor, just one for each widget.
>
> Restart the Dock.

Ah. This is, I think, highly non-obvious. I do not think naive users
that might be targeted with this can be expected to do this. The dock
does not even appear in the "Force Quit" dialog, after all.

[snip]


>>> While no doubt market share does play a huge role in all of this, I
>>> really don't see this widget hole as being that big of a deal. Other
>>> than the half-proof of concept, I don't see anyone else moving the
>>> threat meter on this in any significant way.
>>
>> It is certainly a very large and very easily exploited vulnerability.
>
> It is something that I hope Apple fixes... quickly.

They seem to be rolling the fix into 10.4.1, which is not I think
giving it the priority it deserves on its merits. They are counting on
the obscurity of the Mac buying them several weeks.

>>
>> I do hope I'm right about this. Nobody wants a deluge of Mac malware.
>
> Nobody?

Well, that is my theory.

If anybody *does* want a deluge of mac malware, they now have the means
to engineer it.

Daniel Johnson

May 14, 2005, 8:10:07 AM

If I had to guess, I would guess that Apple is not very disciplined
about following their processes, whatever they are, and slipped this
in at the last minute with very little testing, and no security audit.

I would not be surprised if Apple had a very strong security audit
process *on paper*, and that they simply do not consistently follow it.

There is always a strong temptation to slip in "one more *teeny little
feature*", and this certainly qualifies as such. It's so simple, so
small, so trivial... what could possibly go wrong? We don't *really*
need to put this little thing through audits, QA, beta testing, etc,
etc?

It's a good demonstration that there's no such thing as a "teeny little
feature". This feature interacts poorly with the Downloads Window
(which expects things to remain where it put them) and with the
auto-download thingy and with the Dashboard uninstall model (which is
that you can't.)

It takes the serious bugs in the Dashboard security implementation (it
can be tricked into giving authorizations to Widgets that don't deserve
them) and makes them about zillion times worse.

I take a very process-oriented view of software development, and what I
take away from this incident is that Apple's development process is
either worthless junk, or, as is more likely, is simply not being
followed.

Should Macintoshes ever become very popular, Apple will be in a whole
new world of pain. All the little mistakes and lapses that didn't
matter before will come back to haunt them with a vengeance.

Daniel Johnson

May 14, 2005, 8:17:54 AM
On 2005-05-14 05:49:39 -0400, Chad Irby <ci...@cfl.rr.com> said:

> In article <cara81lm2vukalc9s...@4ax.com>,
> ELVIS2000 <elvi...@ElvisLives.com> wrote:
>
>> Fact is -- auto widget install is about as swiss-cheese as
>> swiss-cheese can get.
>
> No, that would be something like letting a hole in the browser directly
> access major parts of the operating system, instead of a virtual
> "sandbox" that keeps offending widgets from doing anything seriously
> annoying without direct user intervention.

Don't look now, but that's what this is. The dashboard can be tricked
into giving authorization to these widgets without asking the user.
They need only impersonate a harmless widget, and when the user starts
them up, it's all over.

This is if anything *worse* than the buffer-overflow exploits of yore:
it's really really easy to exploit this. No subtle machine language
coding required; no careful analysis of stack frames is involved.

Daniel Johnson

May 14, 2005, 8:23:19 AM
On 2005-05-14 04:44:29 -0400, Wally <wa...@wally.world.net> said:

> On 14/5/05 9:33 AM, in article BEAAA37A.18618%SN...@CABLE0NE.NET.INVALID,
> "Snit" <SN...@CABLE0NE.NET.INVALID> wrote:
>> You sound like the folks who make excuses for MS's security holes. The
>> Dashboard hole is a big one,
>
> And yet so easily defeated...one check box! And only then assuming Safari is
> being used.

Nearly all exploits can be blocked as easily, on any platform. Just
turn off the thing to be exploited, and there you are. This is why
having things turned off by default is considered a good security
practice.

The thing is, very few users will know that this check box should be unchecked.

>> even if *you* are not likely to be hit by it.
>
> Hit or not, my point was that it could not be downloaded to my Mac without
> my knowledge, that is not an excuse, it is a FACT!

Well, not quite. If you have the downloads window set to remove items
as soon as they download, and the downloads window is already open,
you may never notice. The download is there only during the short time
it is downloading, and the window may be obscured by another window. It
looks exactly the same after the download as before.

In any case it doesn't really matter much if you notice that something
happened, if you don't understand what it was that happened. There's no
way to tell where the downloaded file went to, unless you know all
about this security hole already.

[snip]

-hh

May 14, 2005, 8:27:37 AM

Daniel Johnson wrote:
>
>
> > 2) How do you get the widget to install when people aren't using
> > Safari, or have auto-open turned off?
>
> Users who don't use Safari or have turned off auto-open are safe. But
> Safari is an excellent browser, is the default on a new Macintosh, and
> it has auto-open turned *on* by default.

FWIW, I find this extremely reminiscent of the "AutoStart-9805" Worm
(aka "Hong Kong" virus) that was a Macintosh worm discovered on 4 May
1998 after ~3 years of Macs being essentially virus-free.

The security vulnerability flaw was in Quicktime 2.0, which had a
default AutoStart feature that would execute whatever app was on a CD
whenever said CD was mounted.


FWIW, I have my boxed copy of Tiger, but I'm not going to even install
it until this vulnerability is patched in 10.4.1 (which reportedly is
expected by the end of this month; time will tell).


-hh

Daniel Johnson

May 14, 2005, 8:27:26 AM

Nearly all exploits are easily defeated by turning off the exploitable
bit of code. If this gets Apple off, MS can get off of nearly all of
its bugs in the same way.

This is generally not considered a good excuse. Turning off the
feature means losing functionality, and anyway few users will know that
they need to do this, so as a practical matter it does not work too
well.

I also expect this problem will be fixed soon, but I also expect the
fix will be 10.4.1, will come out on schedule (at best) and that it
will be a multi-tens-of-megabytes download. Users who do not have fast
internet connections (and do not know about this problem) may be
reluctant to install it.

It really should be a separate patch, as small as may be, and it should
be expedited.

Snit

May 14, 2005, 11:09:27 AM
"Wally" <wa...@wally.world.net> stated in post
BEABDB04.E477%wa...@wally.world.net on 5/14/05 1:44 AM:

>>>> Some questions...
>>>>
>>>> 1) How do you get the recipient of the malware to download it without
>>>> their knowledge...Not how do you do a meta-refresh on a website and get
>>>> them to download it without their *approval*, but rather how do you do
>>>> it without their knowledge?
>>>
>>> Good point, especially as in my case I do not run with the 'Downloads'
>>> window open, it's pretty hard to ignore that window opening when a download
>>> is initiated!
>>
>> You sound like the folks who make excuses for MS's security holes. The
>> Dashboard hole is a big one,
>
> And yet so easily defeated...one check box! And only then assuming Safari is
> being used.

As is the case with many security holes. Most people will not know to go to
that one check box and check it.


>
>> even if *you* are not likely to be hit by it.
>
> Hit or not, my point was that it could not be downloaded to my Mac without
> my knowledge, that is not an excuse, it is a FACT!

Who cares, Wally? This is not about *you*, this is about the security hole.
It has already been established that *you* and some others may know how to
prevent it.


>
>> It is something Apple should fix - and almost certainly is looking to do so
>> soon.
>
> I do hope so, and have never indicated otherwise!

Then we are in agreement. Why argue over something we agree about?


>
>> I would be surprised to not see it in 10.4.1, and expect that to be
>> out likely by the end of the month.
>
> I wouldn't be surprised to see a fix prior to 10.4.1, so what? I will
> remain unaffected either way!

Good for you! Are you looking for a Computer Security Merit Badge or
something?

--
Picture of a tuna milkshake: http://snipurl.com/bh6q
Feel free to ask for the recipe.

Snit

May 14, 2005, 11:13:30 AM
"Tim Adams" <teadams$2$0$0$3...@earthlink.net> stated in post
teadams$2$0$0$3-E97540.07...@news1.east.earthlink.net on 5/14/05
4:15 AM:

> In article <BEAA7A5D.185C3%SN...@CABLE0NE.NET.INVALID>,
> Snit <SN...@CABLE0NE.NET.INVALID> wrote:
>
> ~snip
>
>>
>> http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html
>>
>> You cannot remove widgets from the Widget Bar or change their order.
>>
>> Ouch!
>
> If you want to remove a widget from the Widget bar, open your hard
> drive, open the folder called 'Library' then the folder called 'Widget'
> and remove the item you no longer want to appear in the bar.
>
> To change the order the items appear in, simply rename them or add a
> space (first in list) or a tilde (last in list) to the beginning of
> their name. As they currently show up in alphabetical order, changing
> that order isn't really all that hard.

In case you are actually trying to be helpful and educate those who do not
know that, I will say thanks... but keep in mind that the comment was not a
question about how to remove it, but a comment about what Apple says about
it. Still, some may not have known the details of how to remove a Widget,
so I will give you the benefit of the doubt.

---------


> 6) How many brain cells does it take to be able to remove a widget from
> its folder and relaunch dashboard (or restart)?

It is not a matter of intelligence, but technical competence. Look in
Apple's support site for removing Widgets:

http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html

You cannot remove widgets from the Widget Bar or change their order.

Ouch!
---------

Snit

May 14, 2005, 11:22:38 AM
"Daniel Johnson" <daniel...@vzavenue.net> stated in post
2005051407585550073%danieljohnson@vzavenuenet on 5/14/05 4:58 AM:

> On 2005-05-13 20:39:37 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:
>> While I agree there should be a better supported method (the Apple web site
>> says there is *no* method!) why would an expert user have any problem
>> removing a widget? It is easy, and what few problems it creates are solved
>> by rotating through the Dashboard launchers... no big deal (for the expert).
>
> An expert is very much more likely to know about this issue and
> discover one of the workarounds; but expert users on Windows are very
> rarely infected for much the same reason. Knowledge is power and all
> that.

Oh, I am not trying to defend Apple on this... which is why I made sure I
emphasized I was talking about how an expert could do things. A novice
would never be able to... and the folks in between may or may not...


>
> Still, it is not entirely unreasonable even for an expert to read
> Apple's documentation and believe it.

While I think most people one could call an expert would look in the
/Library and ~/Library, it is absurd of Apple to post that there is no way
to remove them.


>
>>> Finally, it is a bit much to expect users to know where that mysterious
>>> unauthorized download went. Safari *does not remember*; if you click
>>> the icon to show the widget file, it says *you* moved it, which is a
>>> rather silly thing to say.
>>
>> Agreed.
>
> This is really a pretty half baked feature all 'round. Does anyone know
> when the beta Tiger builds started to do this? I bet this went in very
> late.
>
> [snip]
>>>> 6) How many brain cells does it take to be able to remove a widget from
>>>> its folder and relaunch dashboard (or restart)?
>>>
>>> Well, I know about how to remove the widget and restart, but I don't
>>> see how to restart dashboard short of a restart. There's no dashboard
>>> process in the activity monitor, just one for each widget.
>>
>> Restart the Dock.
>
> Ah. This is, I think, highly non-obvious. I do not think naive users
> that might be targeted with this can be expected to do this. The dock
> does not even appear in the "Force Quit" dialog, after all.

No doubt - most users would never figure this out. The vast majority.


>
> [snip]
>>>> While no doubt market share does play a huge role in all of this, I
>>>> really don't see this widget hole as being that big of a deal. Other
>>>> than the half-proof of concept, I don't see anyone else moving the
>>>> threat meter on this in any significant way.
>>>
>>> It is certainly a very large and very easily exploited vulnerability.
>>
>> It is something that I hope Apple fixes... quickly.
>
> They seem to be rolling the fix into 10.4.1, which is not I think
> giving it the priority it deserves on its merits. They are counting on
> the obscurity of the Mac buying them several weeks.
>
>>>
>>> I do hope I'm right about this. Nobody wants a deluge of Mac malware.
>>
>> Nobody?
>
> Well, that is my theory.
>
> If anybody *does* want a deluge of mac malware, they now have the means
> to engineer it.

Means, but perhaps not ability. Look at several of the Mac haters in
CSMA... likely they are simply not knowledgeable enough to do so... though
that is not a challenge to them!


--
Picture of a tuna soda: http://snipurl.com/bid1

Wally

May 14, 2005, 11:26:05 AM


On 14/5/05 11:09 PM, in article BEAB62B7.18773%SN...@CABLE0NE.NET.INVALID,
"Snit" <SN...@CABLE0NE.NET.INVALID> wrote:

> "Wally" <wa...@wally.world.net> stated in post
> BEABDB04.E477%wa...@wally.world.net on 5/14/05 1:44 AM:
>
>>>>> Some questions...
>>>>>
>>>>> 1) How do you get the recipient of the malware to download it without
>>>>> their knowledge...Not how do you do a meta-refresh on a website and get
>>>>> them to download it without their *approval*, but rather how do you do
>>>>> it without their knowledge?
>>>>
>>>> Good point, especially as in my case I do not run with the 'Downloads'
>>>> window open, it's pretty hard to ignore that window opening when a download
>>>> is initiated!
>>>
>>> You sound like the folks who make excuses for MS's security holes. The
>>> Dashboard hole is a big one,
>>
>> And yet so easily defeated...one check box! And only then assuming Safari is
>> being used.
>
> As is the case with many security holes. Most people will not know to go to
> that one check box and check it.

I don't pretend to speak for most people!



>>> even if *you* are not likely to be hit by it.
>>
>> Hit or not, my point was that it could not be downloaded to my Mac without
>> my knowledge, that is not an excuse, it is a FACT!
>
> Who cares, Wally? This is not about *you*, this is about the security hole.

You are wrong! I can only answer as to how this 'security hole' affects me,
I leave the putting of words into people's mouths to you!

> It has already been established that *you* and some others may know how to
> prevent it.

That's nice! The more times we mention it the more chance that others will
know how to also!



>>> It is something Apple should fix - and almost certainly is looking to do so
>>> soon.
>>
>> I do hope so, and have never indicated otherwise!
>
> Then we are in agreement. Why argue over something we agree about?

Because we agree over the obvious, you think we agree in general? Dream on!



>>> I would be surprised to not see it in 10.4.1, and expect that to be
>>> out likely by the end of the month.
>>
>> I wouldn't be surprised to see a fix prior to 10.4.1, so what? I will
>> remain unaffected either way!
>
> Good for you! Are you looking for a Computer Security Merit Badge or
> something?

No! I haven't lost one, but thanks for asking.

Snit

May 14, 2005, 11:18:12 AM
"Daniel Johnson" <daniel...@vzavenue.net> stated in post
2005051407512075249%danieljohnson@vzavenuenet on 5/14/05 4:51 AM:

> On 2005-05-14 07:15:58 -0400, Tim Adams <teadams$2$0$0$3...@earthlink.net> said:
>
>> In article <BEAA7A5D.185C3%SN...@CABLE0NE.NET.INVALID>,
>> Snit <SN...@CABLE0NE.NET.INVALID> wrote:
>>
>> ~snip
>>
>>>
>>> http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html
>>>
>>> You cannot remove widgets from the Widget Bar or change their order.
>>>
>>> Ouch!
>>
>> If you want to remove a widget from the Widget bar, open your hard
>> drive, open the folder called 'Library' then the folder called 'Widget'
>> and remove the item you no longer want to appear in the bar.
>
> That's not where these auto-installed widgets go. You should open your
> *home directory*, then Library, then Widgets.

Ouch... good catch. I missed that in my response to him.


>
> Once you remove them dashboard gets very confused. You should log out
> to fix this; until you do so Dashboard will try to keep using the
> widget set it had when it started, but the one you removed no longer
> works and things get very odd. Try it and see.

Actually it is not hard to fix.

1) Close any Widget that is not in the Widgets folder
2) Cycle through screens on the Dashboard dock thingy

If you have only one screen full and can not cycle, then things can get
weird. Even then, merely kill the Dock... this can be done via the Activity
Monitor or, for CLUI fans, "killall Dock". No need to log out... though
that is not a bad way either...


>
>> To change the order the items appear in, simply rename them or add a
>> space (first in list) or a tilde (last in list) to the beginning of
>> their name. As they currently show up in alphabetical order, changing
>> that order isn't really all that hard.
>
> Changing the order is of no importance to this security hole, of course.

Still, good info. I have all the ones I do not want to use often but did not
want to disable with a "€" in front of their names. It moves them to the
back of the queue.


--
God made me an atheist - who are you to question his authority?


Chad Irby

May 14, 2005, 12:56:27 PM
In article <200505140817548930%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

> On 2005-05-14 05:49:39 -0400, Chad Irby <ci...@cfl.rr.com> said:
>
> > In article <cara81lm2vukalc9s...@4ax.com>,
> > ELVIS2000 <elvi...@ElvisLives.com> wrote:
> >
> >> Fact is -- auto widget install is about as swiss-cheese as
> >> swiss-cheese can get.
> >
> > No, that would be something like letting a hole in the browser directly
> > access major parts of the operating system, instead of a virtual
> > "sandbox" that keeps offending widgets from doing anything seriously
> > annoying without direct user intervention.
>
> Don't look now, but that's what this is. The dashboard can be tricked
> into giving authorization to these widgets without asking the user.
> They need only impersonate a harmless widget, and when the user starts
> them up, it's all over.

Except, of course, they're still in that virtual sandbox, which means
that they're going to ask the user for a password when they try to do
anything outside of that sandbox.

> This is if anything *worse* than the buffer-overflow exploits of yore:
> it's really really easy to exploit this. No subtle machine language
> coding required; no careful analysis of stack frames is involved.

...and a lot of user intervention, once they manage to get the silly
thing into their machine.

It's nowhere *near* the trouble that we've come to expect from a typical
Explorer security disaster.

Daniel Johnson

May 14, 2005, 1:18:40 PM
On 2005-05-14 12:56:27 -0400, Chad Irby <ci...@cfl.rr.com> said:

> In article <200505140817548930%danieljohnson@vzavenuenet>,
> Daniel Johnson <daniel...@vzavenue.net> wrote:
>>
>> Don't look now, but that's what this is. The dashboard can be tricked
>> into giving authorization to these widgets without asking the user.
>> They need only impersonate a harmless widget, and when the user starts
>> them up, it's all over.
>
> Except, of course, they're still in that virtual sandbox, which means
> that they're going to ask the user for a password when they try to do
> anything outside of that sandbox.

This is simply not so. No password is ever involved.

The security check is done at widget startup only. If the widget starts
running arbitrary programs, those programs are free to do whatever they
want, just as if you had run them. The "sandbox" only applies to the
web-page part of the widget.

Even this security check does not always work; it can be tricked into
authorizing widgets that it shouldn't.

>> This is if anything *worse* than the buffer-overflow exploits of yore:
>> it's really really easy to exploit this. No subtle machine language
>> coding required; no careful analysis of stack frames is involved.
>
> ...and a lot of user intervention, once they manage to get the silly
> thing into their machine.

They must start the widget. One click. That's not "a lot of user intervention".

> It's nowhere *near* the trouble that we've come to expect from a
> typical Explorer security disaster.

I'm afraid you are simply overestimating how solid Dashboard's security is.

Dashboard is not like a Java VM; it is like a web page. If you want
more than a web page, a widget can be made to run a conventional
program but once this is allowed, there is no protection at all.

Snit

May 14, 2005, 1:25:12 PM
"Wally" <wa...@wally.world.net> stated in post
BEAC3924.E4DE%wa...@wally.world.net on 5/14/05 8:26 AM:

Wow, Wally. We agree that:

* the Widget setup on OS X is a security hole
* Apple should fix this hole
* it likely will be fixed in 10.4.1
* you, and I, know how to protect ourselves from this hole

And yet you troll over it.


* Wally has admitted now that he will be heading back to CSMA
to cause trouble there, though he does not word it that way.


--

"'You and I have agreed' means that no such thing has ever been said or
inferred" -- Wally

_________________________________________

Daniel Johnson

May 14, 2005, 1:22:43 PM
On 2005-05-14 11:22:38 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:

> "Daniel Johnson" <daniel...@vzavenue.net> stated in post
> 2005051407585550073%danieljohnson@vzavenuenet on 5/14/05 4:58 AM:

>> Still, it is not entirely unreasonable even for an expert to read
>> Apple's documentation and believe it.
>
> While I think most people one could call an expert would look in the
> /Library and ~/Library, it is absurd of Apple to post that there is no way
> to remove them.

If they say you can remove the widgets by dragging the file out, then
the behavior that the Dashboard exhibits after that becomes an obvious
bug. I bet they'll document how to remove widgets when they have a way
to do it that does not confuse the dashboard.

[snip]


>>>> I do hope I'm right about this. Nobody wants a deluge of Mac malware.
>>>
>>> Nobody?
>>
>> Well, that is my theory.
>>
>> If anybody *does* want a deluge of mac malware, they now have the means
>> to engineer it.
>
> Means, but perhaps not ability. Look at several of the Mac haters in
> CSMA... likely they are simply not knowledgeable enough to do so... though
> that is not a challenge to them!

This requires very little knowledge or skill to exploit.

And I assure you that we WinTrolls would never consider doing such a
thing! I'm mortified you'd even suggest it. :D

Snit

May 14, 2005, 1:58:29 PM
"Daniel Johnson" <daniel...@vzavenue.net> stated in post
2005051413224375249%danieljohnson@vzavenuenet on 5/14/05 10:22 AM:

> On 2005-05-14 11:22:38 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:
>
>> "Daniel Johnson" <daniel...@vzavenue.net> stated in post
>> 2005051407585550073%danieljohnson@vzavenuenet on 5/14/05 4:58 AM:
>>> Still, it is not entirely unreasonable even for an expert to read
>>> Apple's documentation and believe it.
>>
>> While I think most people one could call an expert would look in the
>> /Library and ~/Library, it is absurd of Apple to post that there is no way
>> to remove them.
>
> If they say you can remove the widgets by dragging the file out, then
> the behavior that the Dashboard exhibits after that becomes an obvious
> bug. I bet they'll document how to remove widgets when they have a way
> to do it that does not confuse the dashboard.

I bet they update Dashboard to let you right click on a Widget and click
remove - or something of that nature. The challenge is what to do with all
the shared ones... do you force non-Admin users to always have access to
them? Maybe they will have it where Dashboard only looks at your local
Widgets folder but there are aliases to the shared ones there by default.
To me that would make more sense... unless there is a reason to force people
to use some...

>
> [snip]
>>>>> I do hope I'm right about this. Nobody wants a deluge of Mac malware.
>>>>
>>>> Nobody?
>>>
>>> Well, that is my theory.
>>>
>>> If anybody *does* want a deluge of mac malware, they now have the means
>>> to engineer it.
>>
>> Means, but perhaps not ability. Look at several of the Mac haters in
>> CSMA... likely they are simply not knowledgeable enough to do so... though
>> that is not a challenge to them!
>
> This requires very little knowledge or skill to exploit.

Agreed. Still, many in CSMA probably could not, even though they might want
such malware to exist.


>
> And I assure you that we WinTrolls would never consider doing such a
> thing! I'm mortified you'd even suggest it. :D
>

Not just WinTrolls... but also some of the evil ones. They know who they
are. :)


--
God made me an atheist - who are you to question his authority?

Snit

May 14, 2005, 2:13:12 PM
"Chad Irby" <ci...@cfl.rr.com> stated in post
cirby-826A57....@news-server1.tampabay.rr.com on 5/14/05 9:56 AM:

>> Don't look now, but that's what this is. The dashboard can be tricked
>> into giving authorization to these widgets without asking the user.
>> They need only impersonate a harmless widget, and when the user starts
>> them up, it's all over.
>
> Except, of course, they're still in that virtual sandbox, which means
> that they're going to ask the user for a password when they try to do
> anything outside of that sandbox.

Is there anything stopping a Widget from deleting your Documents
folder? How about looking into your Address Book and sending the data out
your Internet connection? How about scanning your user folder for CC#'s...
and then sending that?

Chad Irby

May 14, 2005, 2:55:43 PM
In article <BEAB8DC8.187B6%SN...@CABLE0NE.NET.INVALID>,
Snit <SN...@CABLE0NE.NET.INVALID> wrote:

> "Chad Irby" <ci...@cfl.rr.com> stated in post
> cirby-826A57....@news-server1.tampabay.rr.com on 5/14/05 9:56 AM:
>
> >> Don't look now, but that's what this is. The dashboard can be tricked
> >> into giving authorization to these widgets without asking the user.
> >> They need only impersonate a harmless widget, and when the user starts
> >> them up, it's all over.
> >
> > Except, of course, they're still in that virtual sandbox, which means
> > that they're going to ask the user for a password when they try to do
> > anything outside of that sandbox.
>
> Is there anything stopping a Widget from deleting your Documents
> folder? How about looking into your Address Book and sending the data out
> your Internet connection? How about scanning your user folder for CC#'s...
> and then sending that?

Actually, they're barred from doing those things without getting express
permission from the user.

Chad Irby

May 14, 2005, 2:54:19 PM
In article <2005051413184016807%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

> On 2005-05-14 12:56:27 -0400, Chad Irby <ci...@cfl.rr.com> said:
>
> > In article <200505140817548930%danieljohnson@vzavenuenet>,
> > Daniel Johnson <daniel...@vzavenue.net> wrote:
> >>
> >> Don't look now, but that's what this is. The dashboard can be tricked
> >> into giving authorization to these widgets without asking the user.
> >> They need only impersonate a harmless widget, and when the user starts
> >> them up, it's all over.
> >
> > Except, of course, they're still in that virtual sandbox, which means
> > that they're going to ask the user for a password when they try to do
> > anything outside of that sandbox.
>
> This is simply not so. No password is ever involved.
>
> The security check is done at widget startup only. If the widget starts
> running arbitrary programs, those programs are free to do whatever they
> want, just as if you had run them. The "sandbox" only applies to the
> web-page part of the widget.

You *really* need to go back and read the advisories about this. You're
assuming things that are exactly the opposite of how the thing works.
The only thing the widgets can do is to install themselves into the
Dashboard - they can't do anything outside of that without direct user
intervention.

Snit

May 14, 2005, 2:56:44 PM
"Chad Irby" <ci...@cfl.rr.com> stated in post
cirby-2568D1....@news-server1.tampabay.rr.com on 5/14/05 11:54
AM:

But is it very likely many people would click on an auto-installed Widget,
esp. if it used some clever tricks to look like a default one.

Snit

May 14, 2005, 2:57:57 PM
"Chad Irby" <ci...@cfl.rr.com> stated in post
cirby-272236....@news-server1.tampabay.rr.com on 5/14/05 11:55
AM:

Do you have support for this? If this is the case, then their danger is less
than I believed.


--
"If a million people believe a foolish thing, it is still a foolish thing."
- Anatole France

Chad Irby

May 14, 2005, 3:13:38 PM
In article <BEAB9845.188F1%SN...@CABLE0NE.NET.INVALID>,
Snit <SN...@CABLE0NE.NET.INVALID> wrote:

> "Chad Irby" <ci...@cfl.rr.com> stated in post
> cirby-272236....@news-server1.tampabay.rr.com on 5/14/05 11:55
> AM:
>
> > In article <BEAB8DC8.187B6%SN...@CABLE0NE.NET.INVALID>,
> > Snit <SN...@CABLE0NE.NET.INVALID> wrote:
> >
> >> "Chad Irby" <ci...@cfl.rr.com> stated in post
> >> cirby-826A57....@news-server1.tampabay.rr.com on 5/14/05 9:56
> >> AM:
> >>
> >>>> Don't look now, but that's what this is. The dashboard can be tricked
> >>>> into giving authorization to these widgets without asking the user.
> >>>> They need only impersonate a harmless widget, and when the user starts
> >>>> them up, it's all over.
> >>>
> >>> Except, of course, they're still in that virtual sandbox, which means
> >>> that they're going to ask the user for a password when they try to do
> >>> anything outside of that sandbox.
> >>
> >> Is there anything stopping a Widget from deleting your Documents
> >> folder? How about looking into your Address Book and sending the data out
> >> your Internet connection? How about scanning your user folder for
> >> CC#'s...
> >> and then sending that?
> >
> > Actually, they're barred from doing those things without getting express
> > permission from the user.
>
> Do you have support for this?

*All* of the direct writeups about the hole, including the guy who
discovered it.

> If this is the case, then their danger is less than I believed.

That's about it.

Chad Irby

May 14, 2005, 3:15:03 PM
In article <BEAB97FC.188EF%SN...@CABLE0NE.NET.INVALID>,
Snit <SN...@CABLE0NE.NET.INVALID> wrote:

> "Chad Irby" <ci...@cfl.rr.com> stated in post
> cirby-2568D1....@news-server1.tampabay.rr.com on 5/14/05 11:54
> AM:
> >

> > You *really* need to go back and read the advisories about this. You're
> > assuming things that are exactly the opposite of how the thing works.
> > The only thing the widgets can do is to install themselves into the
> > Dashboard - they can't do anything outside of that without direct user
> > intervention.
>
> But is it very likely many people would click on an auto-installed Widget,
> esp. if it used some clever tricks to look like a default one.

...and it would do no more damage than any annoying Web page or
misbehaving Java applet.

It's a pretty minimal hole.

MR_ED_of_Course

May 14, 2005, 3:16:56 PM
in article 2005051407473916807%danieljohnson@vzavenuenet, Daniel Johnson at
daniel...@vzavenue.net wrote on 5/14/05 4:47 AM:

> On 2005-05-14 00:39:02 -0400, MR_ED_of_Course <OhNo...@pacbell.net> said:
>
>> in article 2005051319573743658%danieljohnson@vzavenuenet, Daniel Johnson at
>> daniel...@vzavenue.net wrote on 5/13/05 4:57 PM:
>>
>>> On 2005-05-13 19:19:41 -0400, "Lars Träger" <Lars.T...@epost.de> said:
>>>
>>> Microsoft's automatic update *is* automatic, moreso than Apple's even.
>>> MS's will download *and install* patches in the background, if you
>>> like, and it will nag you to turn automatic updates on if they are off.
>>
>> SP2 is much better about updates, but part of the problem is getting people
>> to SP2.
>
> The earlier, less naggy Automatic Updates is very very close to Apple's
> software update.
>
>> The other part, is that it can be so annoying that I've seen many
>> people disable it.
>
> This is the problem. They were doing this before SP2 as well.

Hmm...I don't know a single person who has disabled, or has had problems
with Apple's SU. I have friends who I support on the side who are about as
novice as you can get, and they have no problems with Apple's SU, either in
terms of usage or being "nagged" by it.

Bringing this back to point...

I don't see that the *early* adopters of Tiger are going to be *not*
upgrading to 10.4.1 within 2-3 weeks or *less*.

Whereas you have significant numbers of people who can't upgrade to SP1,
SP2, or *really* don't want to, or when they do upgrade to SP2, they disable
the auto-updating.



>>> Microsoft has talked about blocking pirates from getting (most)
>>> updates, but they haven't got round to it yet. It's supposed to happen
>>> in the second half of this year. And they say they will let pirates
>>> have security updates anyway. What will happen when Service Pack 3
>>> comes out is a good question.
>>
>> Funny, I've seen several PCs with pirated versions of Windows that won't
>> allow SP2 to be installed.
>
> Most pirated versions of Windows *can* install SP2; they only block the
> same serial numbers they blocked for SP1.

There are no published accurate numbers for that...in terms of using the
word "most". What I do know is that if you search the Warez sites you'll
see how there's a wall to get past for SP1 and another wall to get past for
SP2. I know several people who *foolishly* purchased PCs with pirated
Windows or somehow obtained pirated Windows who are *stuck* without being
able to update.

It happens.

Again, we're debating individual points, when the whole is what has the
impact.

Any one of the individual points of the Widget hole is a valid argument and
points to why Apple should fix it ASAP. However as a whole, it's not
something I have any worry about whatsoever, and doubt the hole will *ever*
be significantly exploited.

On the other hand...

In Windowsland, you have things like Sober...mother fucking SOBER.



> What MS is proposing for the future goes rather beyond that.

No doubt it does, and that's a shame. The way I look at it is like this...
Microsoft messed up and created a situation where people will pirate their
software. No big deal, it happens and is a cost of doing business...I'm
*well* aware of that. Microsoft also messed up and created an OS and
applications that are easily exploitable...again, nobody is perfect, and
while it took them forever, they are finally getting serious about
security...good for them.

The problem is that every mistake or poor judgment they made affecting
security impacts everyone in the world either directly or indirectly. Take
a look at Sober alone and how much it's cost people...even people who are
100% Microsoft free.

What pisses me off about Microsoft is that a decision has been made wherein
they think they can *reduce* losses due to piracy but the trade-off will be
on how flaws in their software affect the entire world.

Microsoft needs to give pirates patches. ISPs need to ban non-patched PCs
or at least zombied PCs.



>> In one of the offices I go to the PC they give
>> me to use has a legit copy of Office that needs "critical updating", but the
>> company can't find the original CD which needs to be inserted for doing
>> this.
>
> Office is very irritating about this, but Office is not Windows and
> does not use the Windows Update mechanism.

No, but both are Microsoft. And here in this case, Microsoft would rather
force legitimate customers to jump through hoops of tracking down discs in
an effort to combat piracy rather than help reduce the impact of flaws in
their software has on the entire world.

Me tracking down discs is annoying. Me being sent countless amounts of
infectious waste from Microsoft Office users who didn't update because they
couldn't find the discs is an outrage.



> Does Office for the Mac behave any differently?

Actually it does. The past Office for the Mac updates that I've done have
never required the original discs. Certainly Apple apps such as
ClarisWorks, Mail.app, iWork, Pages, iLife, etc... do not as well.



>>> At any rate, automatic updates and patches for pirates hasn't done MS
>>> too much good in the past.
>>
>> I disagree.
>> The fact is, it's harder to get a pirated copy of Windows up to SP2. Either
>> SP2 is ineffective at reducing malware, or Microsoft's piracy policies are
>> exacerbating the malware problem.
>
> I doubt that MS's piracy policies are exacerbating the malware problem
> significantly *yet*; they have done so little to this point. It may be
> that this is about to change, of course.

Again, I totally disagree. Almost every single infected PC that I've been
able to track down has been the result of either the PC not being upgraded
because it was pirated or because the user didn't feel like jumping through
the hoops.

Likewise when I ran a rather large computer service center, the majority of
infected machines were based on lack of updates due to piracy.

MR_ED_of_Course

May 14, 2005, 3:25:28 PM
in article 1116073657.8...@g44g2000cwa.googlegroups.com, -hh at
recscub...@huntzinger.com wrote on 5/14/05 5:27 AM:

>
> FWIW, I have my boxed copy of Tiger, but I'm not going to even install
> it until this vulnerability is patched in 10.4.1 (which reportedly is
> expected by the end of this month; time will tell).

Why?

So far there have been no reported exploits, but be that as it may, as
you've gotten this far in the thread, certainly you know all the umpteen
ways you could prevent, spot or remove a potential malware widget.

My point is that why would you not trust any of this, but say you will trust
10.4.1?

MR_ED_of_Course

May 14, 2005, 3:39:40 PM
in article BEAB97FC.188EF%SN...@CABLE0NE.NET.INVALID, Snit at
SN...@CABLE0NE.NET.INVALID wrote on 5/14/05 11:56 AM:

But what default Widget would ask for an admin password?

Lars Träger

May 14, 2005, 3:42:47 PM

Daniel Johnson wrote:
> On 2005-05-13 19:19:41 -0400, "Lars Träger" <Lars.T...@epost.de> said:
>
> >
> > Daniel Johnson wrote:
> >> On 2005-05-13 17:57:27 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:
> >>
> >> This has not, historically, helped MS much. They frequently have the
> >> patches out before the worms, trojans, etc are out there. Doesn't
> >> help- too many people just don't patch.
> >
> > Because A) their "automatic" update wasn't, and B) they don't allow
> > pirated copies. So what is the average Windows user to do?

>
> Microsoft's automatic update *is* automatic, moreso than Apple's even.

If the computer is online at the time it checks (once a week at 2 AM or
something like that). My Mom's PC never got any updates until I went to
MS's update website.

It did catch Blaster within 5 minutes after going online for the first
time however.

Lars T.

Tim Adams

May 14, 2005, 3:45:43 PM
In article <2005051407512075249%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

> On 2005-05-14 07:15:58 -0400, Tim Adams <teadams$2$0$0$3...@earthlink.net> said:
>
> > In article <BEAA7A5D.185C3%SN...@CABLE0NE.NET.INVALID>,
> > Snit <SN...@CABLE0NE.NET.INVALID> wrote:
> >
> > ~snip
> >
> >>
> >> http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html
> >>
> >> You cannot remove widgets from the Widget Bar or change their order.
> >>
> >> Ouch!
> >
> > If you want to remove a widget from the Widget bar, open your hard
> > drive, open the folder called 'Library' then the folder called 'Widget'
> > and remove the item you no longer want to appear in the bar.
>
> That's not where these auto-installed widgets go. You should open your
> *home directory*, then Library, then Widgets.

Except I'm not talking about these 'auto-installed widgets' but the
statement, from Apple, posted by snit that you couldn't remove widgets
from the widget bar. You can do so real easy.

>
> Once you remove them dashboard gets very confused. You should log out
> to fix this; until you do so Dashboard will try to keep using the
> widget set it had when it started, but the one you removed no longer
> works and things get very odd. Try it and see.
>

> > To change the order the items appear in, simply rename them or add a
> > space (first in list) or a tilde (last in list) to the beginning of
> > their name. As they currently show up in alphabetical order, changing
> > that order isn't really all that hard.
>
> Changing the order is of no importance to this security hole, of course.

Again, I'm just addressing the line posted by snit. Not everybody is so
clueless as he is. If he knew how to do it, he wouldn't have posted his
'Ouch!'

--
regarding Snit "You are not flamed because you speak the truth,
you are flamed because you are a hideous troll and keep disrupting
the newsgroup." Andrew J. Brehm

Tim

Tim Adams

May 14, 2005, 3:48:26 PM
In article <BEAB63AA.1877A%SN...@CABLE0NE.NET.INVALID>,
Snit <SN...@CABLE0NE.NET.INVALID> wrote:

> "Tim Adams" <teadams$2$0$0$3...@earthlink.net> stated in post
> teadams$2$0$0$3-E97540.07...@news1.east.earthlink.net on 5/14/05
> 4:15 AM:
>
> > In article <BEAA7A5D.185C3%SN...@CABLE0NE.NET.INVALID>,
> > Snit <SN...@CABLE0NE.NET.INVALID> wrote:
> >
> > ~snip
> >
> >>
> >> http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html
> >>
> >> You cannot remove widgets from the Widget Bar or change their order.
> >>
> >> Ouch!
> >
> > If you want to remove a widget from the Widget bar, open your hard
> > drive, open the folder called 'Library' then the folder called 'Widget'
> > and remove the item you no longer want to appear in the bar.
> >
> > To change the order the items appear in, simply rename them or add a
> > space (first in list) or a tilde (last in list) to the beginning of
> > their name. As they currently show up in alphabetical order, changing
> > that order isn't really all that hard.
>
> In case you are actually trying to be helpful and educate those who do not
> know that, I will say thanks... but keep in mind that the comment was not a
> question about how to remove it, but a comment about what Apple says about
> it. Still, some may not have known the details of how to remove a Widget,
> so I will give you the benefit of the doubt.

Which is why you included your 'Ouch!' no doubt.

~snip

Lars Träger

May 14, 2005, 4:12:29 PM

Peter Hayes wrote:
> Just never use v.0 of anything.

So when will Windows reach v.1?

Lars T.

Daniel Johnson

May 14, 2005, 4:57:24 PM
On 2005-05-14 15:42:47 -0400, "Lars Träger" <Lars.T...@epost.de> said:

>
> Daniel Johnson wrote:
>> On 2005-05-13 19:19:41 -0400, "Lars Träger" <Lars.T...@epost.de> said:
>>
>>> Because A) their "automatic" update wasn't, and B) they don't allow
>>> pirated copies. So what is the average Windows user to do?
>>
>> Microsoft's automatic update *is* automatic, moreso than Apple's even.
>
> If the computer is online at the time it checks (once a week at 2 AM or
> something like that). My Mom's PC never got any updates until I went to
> MS's update website.

Automatic updates checks whenever its online; that 2 am thing is when
it installs patches and reboots, if you configure it that way.

If your mom leaves the computer off when she's not using it, then this
auto-installation of updates isn't going to work for her. It can still
download and install updates in the background, but it will have to
interrupt her for reboots.

That's pretty much the same story as with Apple's Software Update, I believe.

> It did catch Blaster within 5 minutes after going online for the first
> time however.

Lots of infected computers out there trying to get you. You really need
a firewall.

The Mac has an advantage here: there cannot be lots of infected
Macintoshes trying to infect you, because there are just not a lot of
Macintoshes, full stop.

That's also why this Dashboard thing isn't going to result in a deluge
of malware.

Daniel Johnson

May 14, 2005, 5:03:51 PM

No password is ever involved in the installation process either.

It is not the Widget that installs itself. *Safari* installs widgets it
downloads. Other browsers do not do this.

Dashboard's security features, such as they are, kick in when the user
starts the widget. The widget can't start itself. What it can do is
impersonate an Apple widget, so the user will start it without
realizing it.


Daniel Johnson

May 14, 2005, 5:08:26 PM
On 2005-05-14 15:15:03 -0400, Chad Irby <ci...@cfl.rr.com> said:

> In article <BEAB97FC.188EF%SN...@CABLE0NE.NET.INVALID>,
> Snit <SN...@CABLE0NE.NET.INVALID> wrote:
>
>> "Chad Irby" <ci...@cfl.rr.com> stated in post
>> cirby-2568D1....@news-server1.tampabay.rr.com on 5/14/05 11:54
>> AM:
>>

>> But is it very likely many people would click on an auto-installed Widget,
>> esp. if it used some clever tricks to look like a default one.
>
> ...and it would do no more damage than any annoying Web page or
> misbehaving Java applet.
> It's a pretty minimal hole.

No. The widget can run arbitrary code; it is possible to defeat the
Dashboard check that is supposed to ask before running a dangerous
widget the first time.

Frankly even if the security model wasn't buggy, it would still be
inadequate. If it worked, what you would see is a widget that looks
like, say, Stickies, but when you click it asks if you really want to
use it. A lot of users will think the computer is just stupid and say
"yes, of *course* I do, just like the last five hundred times I did
this."

Who is going to understand that this is not really "Stickies" they are using?
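A defender-side check for the impersonation pattern Daniel describes (a widget sitting in the per-user Widgets folder while carrying an Apple bundle identifier), written as an added example for this thread and not taken from any post or from Apple. It assumes the folder layout given earlier in the thread (Apple's widgets in /Library/Widgets, user and auto-installed ones in ~/Library/Widgets) and that each .wdgt bundle's Info.plist is the XML form with a CFBundleIdentifier key; the sample widgets, their names and their identifiers are constructed so the script runs offline on any POSIX system.

```shell
#!/bin/sh
# Added example (not from the thread): audit a per-user Widgets folder for
# bundles that claim an Apple bundle identifier. Apple's own widgets ship in
# /Library/Widgets, so a com.apple.* identifier under ~/Library/Widgets is
# the impersonation pattern discussed above and deserves a look.
# Assumption: Info.plist is the XML plist form, with the <string> value on
# the line after (or the same line as) the CFBundleIdentifier <key>.

# Print the CFBundleIdentifier stored in the given Info.plist.
widget_bundle_id() {
    awk '
        /<key>CFBundleIdentifier<\/key>/ { want = 1 }
        want && match($0, /<string>[^<]*<\/string>/) {
            # strip the 8-char <string> and 9-char </string> tags
            print substr($0, RSTART + 8, RLENGTH - 17)
            exit
        }
    ' "$1"
}

# List every .wdgt bundle in DIR (default: the current user's Widgets folder)
# whose identifier starts with com.apple., as "path<TAB>identifier".
find_impersonating_widgets() {
    dir=${1:-"$HOME/Library/Widgets"}
    for w in "$dir"/*.wdgt; do
        [ -f "$w/Info.plist" ] || continue
        id=$(widget_bundle_id "$w/Info.plist")
        case $id in
            com.apple.*) printf '%s\t%s\n' "$w" "$id" ;;
        esac
    done
}

# --- constructed sample data so the script runs offline on any POSIX system ---

# Write a minimal XML Info.plist with the given identifier.
write_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>$2</string>
    <key>CFBundleDisplayName</key>
    <string>Sample</string>
</dict>
</plist>
EOF
}

# Build a throwaway Widgets folder with one legitimate third-party widget and
# one that claims an Apple identifier (both identifiers are made up for the demo).
make_sample_widgets() {
    d=$(mktemp -d)
    mkdir "$d/Stickies.wdgt" "$d/Weather Helper.wdgt"
    write_plist "$d/Stickies.wdgt/Info.plist" com.apple.widget.stickies
    write_plist "$d/Weather Helper.wdgt/Info.plist" com.example.weatherhelper
    printf '%s\n' "$d"
}

# Demo run against the constructed folder; on a Mac, call
# find_impersonating_widgets with no argument to scan "$HOME/Library/Widgets".
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_widgets)
    find_impersonating_widgets "$sample"
    rm -rf "$sample"
fi
```

The check only flags the naming mismatch; it does not open or run the widget, so it is safe to run after a browsing session and before relaunching Dashboard. A hit is a reason to move the bundle out of ~/Library/Widgets and restart the Dock, as the thread's removal steps describe.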

Chad Irby

May 14, 2005, 5:14:00 PM
In article <2005051417082650073%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

> On 2005-05-14 15:15:03 -0400, Chad Irby <ci...@cfl.rr.com> said:
>
> > In article <BEAB97FC.188EF%SN...@CABLE0NE.NET.INVALID>,
> > Snit <SN...@CABLE0NE.NET.INVALID> wrote:
> >
> >> "Chad Irby" <ci...@cfl.rr.com> stated in post
> >> cirby-2568D1....@news-server1.tampabay.rr.com on 5/14/05 11:54
> >> AM:
> >>
> >> But is it very likely many people would click on an auto-installed Widget,
> >> esp. if it used some clever tricks to look like a default one.
> >
> > ...and it would do no more damage than any annoying Web page or
> > misbehaving Java applet.
> > It's a pretty minimal hole.
>
> No. The widget can run arbitrary code; it is possible to defeat the
> Dashboard check that is supposed to ask before running a dangerous
> widget the first time.

It sounds like you confused the "check before download" issue with the
more serious (and nonexistent) "run arbitrary code outside the virtual
machine" idea.

So, until you have a definite and informed update from a good source,
you need to back off this claim a lot.

Daniel Johnson

May 14, 2005, 5:12:22 PM
On 2005-05-14 15:39:40 -0400, MR_ED_of_Course <OhNo...@pacbell.net> said:

> in article BEAB97FC.188EF%SN...@CABLE0NE.NET.INVALID, Snit at
> SN...@CABLE0NE.NET.INVALID wrote on 5/14/05 11:56 AM:
>>

>> But is it very likely many people would click on an auto-installed Widget,
>> esp. if it used some clever tricks to look like a default one.
>
> But what default Widget would ask for an admin password?

It does not need to. A lot of malware does not need admin passwords or
root access. You can do things like send emails without it. You can
read the user's address book. You can do lots of stuff.

One thing you can do is wait for the user (or a program) to use 'sudo'.
Once this happens there is a period during which 'sudo' works without a
password- and any process for the same user can do it, too.

Another thing you can do is replace a program that *does* ask for an
admin password with a compromised version.

Another thing you can do is just ask for the admin passwords. Lots of
users would just give it to you out of habit. :D

Chad Irby

May 14, 2005, 5:21:26 PM
In article <2005051416572416807%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

> The Mac has an advantage here: there cannot be lots of infected
> Macintoshes trying to infect you, because there are just not a lot of
> Macintoshes, full stop.

Aside from the, you know, *MILLIONS* of them.

Chad Irby

May 14, 2005, 5:26:29 PM
In article <2005051417035175249%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

> On 2005-05-14 14:54:19 -0400, Chad Irby <ci...@cfl.rr.com> said:
>
> > In article <2005051413184016807%danieljohnson@vzavenuenet>,
> > Daniel Johnson <daniel...@vzavenue.net> wrote:
> >>>
> >>> Except, of course, they're still in that virtual sandbox, which means
> >>> that they're going to ask the user for a password when they try to do
> >>> anything outside of that sandbox.
> >>
> >> This is simply not so. No password is ever involved.
> >>
> >> The security check is done at widget startup only. If the widget starts
> >> running arbitrary programs, those programs are free to do whatever they
> >> want, just as if you had run them. The "sandbox" only applies to the
> >> web-page part of the widget.
> >
> > You *really* need to go back and read the advisories about this.
> > You're assuming things that are exactly the opposite of how the thing
> > works. The only thing the widgets can do is to install themselves into
> > the Dashboard - they can't do anything outside of that without direct
> > user intervention.
>
> No password is ever involved in the installation process either.

...inside the virtual machine "sandbox," which is isolated from the rest
of the OS, and which requires permission to do anything nasty, as I've
pointed out two or three times. All this hole does is let someone put a
minor Java-type app into a very restricted space with no real access to
the OS.

> It is not the Widget that installs itself. *Safari* installs widgets it
> downloads. Other browsers do not do this.

Aside from Explorer, you mean. Except, of course, the sorts of things
Explorer lets in are a *lot* more dangerous (unless you disable ActiveX).

> Dashboard's security features, such as they are, kick in when the user
> starts the widget. The widget can't start itself. What it can do is
> impersonate an Apple widget, so the user will start it without
> realizing it.

...and it will do something minor, and not be able to touch anything
outside of the confined space that Widgets are stuck in.

As you note above, all this hole can do is install a Widget, which has a
lot of restrictions on its power in the OS. it can't delete files
(without direct permission from the user), it can't do much of
*anything* except the sorts of things *any* Java-type app can do.

Daniel Johnson

May 14, 2005, 5:29:40 PM
On 2005-05-14 14:57:57 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:

> "Chad Irby" <ci...@cfl.rr.com> stated in post
> cirby-272236....@news-server1.tampabay.rr.com on 5/14/05 11:55
> AM:
>>
>> Actually, they're barred from doing those things without getting express
>> permission from the user.
>
> Do you have support for this? If this is the case, then their danger is less
> than I believed.

The way it is supposed to work is this: A generic widget is just a web
page and can't do those things. A widget that wants to do more must be
marked as such, and when it runs it gets access to additional commands
it can use to do them. But before it runs for the first time, the
Dashboard pops up an alert asking the user if he really wants to run
whatever it is.

There is an obvious problem with this: users just always hit "yes" if
asked "are you sure you want to run this widget?" The warning does
*not* tell them that "this widget is malicious" or "Isn't from Apple"
or anything like that.

There is another problem: it does not work reliably. If you create a
widget with the same bundle id as an Apple widget, the Dashboard
sometimes gets them confused and lets your widget run with no warning.

Chad Irby

May 14, 2005, 5:40:09 PM
In article <2005051417122243658%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

> On 2005-05-14 15:39:40 -0400, MR_ED_of_Course <OhNo...@pacbell.net> said:
>
> > in article BEAB97FC.188EF%SN...@CABLE0NE.NET.INVALID, Snit at
> > SN...@CABLE0NE.NET.INVALID wrote on 5/14/05 11:56 AM:
> >>
> >> But is it very likely many people would click on an auto-installed Widget,
> >> esp. if it used some clever tricks to look like a default one.
> >
> > But what default Widget would ask for an admin password?
>
> It does not need to. A lot of malware does not need admin passwords or
> root access. You can do things like send emails without it. You can
> read the user's address book. You can do lots of stuff.

Not in this case. It's *really* restricted. It can't even read or
delete files without express permission. It's not a regular program by
any stretch.

> One thing you can do is wait for the user (or a program) to use 'sudo'.
> Once this happens there is a period during which 'sudo' works without a
> password- and any process for the same user can do it, too.

...and it can't do this, either.

> Another thing you can do is replace a program that *does* ask for an
> admin password with a compromised version.

...or this.

Daniel Johnson

May 14, 2005, 5:38:25 PM
On 2005-05-14 13:58:29 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:

> "Daniel Johnson" <daniel...@vzavenue.net> stated in post
> 2005051413224375249%danieljohnson@vzavenuenet on 5/14/05 10:22 AM:

> I bet they update Dashboard to let you right click on a Widget and click
> remove - or something of that nature. The challenge is what to do with all
> the shared ones... do you force non-Admin users to always have access to
> them? Maybe they will have it where Dashboard only looks at your local
> Widgets folder but there are aliases to the shared ones there by default.
> To me that would make more sense... unless there is a reason to force people
> to use some...

All of these ideas would make more sense than where we are now, but
Apple usually aspires to a higher UI standard than what you've
described.

I hope they do not insist upon waiting to fix this until they have a
nice UI. :D

It would be *something* if you could just drag the widget file to the
trash in the Finder, and have the dashboard notice when you next bring
it up, and adjust.

There needs to be some way to do this, even if unlovely.

[snip]


>>> Means, but perhaps not ability. Look at several of the Mac haters in
>>> CSMA... likely they are simply not knowledgeable enough to do so... though
>>> that is not a challenge to them!
>>
>> This requires very little knowledge or skill to exploit.
>
> Agreed. Still, many in CSMA probably could not, even though they might want
> such malware to exist.

The very thought that today's upright, community-oriented WinTrolls
would want such a thing is a blasphemy.

:D

Seriously. 'Taint WinTrolls that would be doing this. It's not like
Windows malware is written by Macaholics, right?

[snip]

Chad Irby

May 14, 2005, 5:42:45 PM
In article <200505141729408930%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

> On 2005-05-14 14:57:57 -0400, Snit <SN...@CABLE0NE.NET.INVALID> said:
>
> > "Chad Irby" <ci...@cfl.rr.com> stated in post
> > cirby-272236....@news-server1.tampabay.rr.com on 5/14/05 11:55
> > AM:
> >>
> >> Actually, they're barred from doing those things without getting express
> >> permission from the user.
> >
> > Do you have support for this? If this is the case, then their danger is less
> > than I believed.
>
> The way it is supposed to work is this: A generic widget is just a web
> page and can't do those things. A widget that wants to do more must be
> marked as such, and when it runs it gets access to additional commands
> it can use to do them. But before it runs for the first time, the
> Dashboard pops up an alert asking the user if he really wants to run
> whatever it is.

...and that's correct, as far as that goes, but you assumed some more in
there that's not right.

The security hole installs the *Widget*, and you just described the bit
where the Widget gets installed into the Dashboard, but that's where the
whole thing breaks down. If the Widget tries to (for example) access
other user files, the OS pops up a message telling you that the Widget
is trying to do that, and is it okay?

At this point, it's no worse than any Trojan anyone might mail you.

Daniel Johnson

May 14, 2005, 5:53:32 PM
On 2005-05-14 17:14:00 -0400, Chad Irby <ci...@cfl.rr.com> said:

> In article <2005051417082650073%danieljohnson@vzavenuenet>,
> Daniel Johnson <daniel...@vzavenue.net> wrote:
>
>> On 2005-05-14 15:15:03 -0400, Chad Irby <ci...@cfl.rr.com> said:
>>>
>> No. The widget can run arbitrary code; it is possible to defeat the
>> Dashboard check that is supposed to ask before running a dangerous
>> widget the first time.
>
> It sounds like you confused the "check before download" issue with the
> more serious (and nonexistent) "run arbitrary code outside the virtual
> machine" idea.

Widgets do not run in a virtual machine. They are web pages, which may
have JavaScript attached.

That would be fine, but Apple added JavaScript commands to run arbitrary
code, like widget.system() for one. This lets a widget use any ordinary
program. Such programs are not confined to a sandbox or anything like
that.

The way dashboard security works (or is meant to work) is explained here:

http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101


So,

> until you have a definite and informed update from a good source, you
> need to back off this claim a lot.

Apple's developer docs count as a good source in my book.

Interestingly, the version of the docs that comes with XCode contains
an extra sentence on that page, which is not (right now) at the link I
gave. It is:

"If your widget is working with resources that pose a security threat
to the user, the user must approve before access is granted."

This does not appear to be always true, but it seems clear that it was
intended to be true. Perhaps in 10.4.1, it will be true.

Daniel Johnson

May 14, 2005, 5:57:23 PM
On 2005-05-14 17:26:29 -0400, Chad Irby <ci...@cfl.rr.com> said:

> In article <2005051417035175249%danieljohnson@vzavenuenet>,
> Daniel Johnson <daniel...@vzavenue.net> wrote:
>>> You *really* need to go back and read the advisories about this.
>>> You're assuming things that are exactly the opposite of how the thing
>>> works. The only thing the widgets can do is to install themselves into
>>> the Dashboard - they can't do anything outside of that without direct
>>> user intervention.
>>
>> No password is ever involved in the installation process either.
>
> ...inside the virtual machine "sandbox," which is isolated from the
> rest of the OS, and which requires permission to do anything nasty, as
> I've pointed out two or three times. All this hole does is let someone
> put a minor Java-type app into a very restricted space with no real
> access to the OS.

There is no sandbox.

There is no password.

There is just a little alert that asks you if you really want to run
this widget, and if you say "yes", it is home free.

>> It is not the Widget that installs itself. *Safari* installs widgets it
>> downloads. Other browsers do not do this.
>
> Aside from Explorer, you mean. Except, of course, the sorts of things
> Explorer lets in are a *lot* more dangerous (unless you disable
> ActiveX).

Internet Explorer does not do this. Neither does OmniWeb. This is a
Safari-specific problem.

>> Dashboard's security features, such as they are, kick in when the user
>> starts the widget. The widget can't start itself. What it can do is
>> impersonate an Apple widget, so the user will start it without
>> realizing it.
>
> ...and it will do something minor, and not be able to touch anything
> outside of the confined space that Widgets are stuck in.

No. Once the user has authorized it to run, it can do anything it wants
to. It is *not* in a sandbox.

And even that feeble user-authorization step doesn't always happen.

> As you note above, all this hole can do is install a Widget, which has
> a lot of restrictions on its power in the OS. it can't delete files
> (without direct permission from the user), it can't do much of
> *anything* except the sorts of things *any* Java-type app can do.

Widgets are not like Java applets. They are like web pages, but with
some extensions. Read the docs, man, Apple explains all of this quite
clearly.

Daniel Johnson

May 14, 2005, 6:09:13 PM

It does no such thing.

It asks if the widget should be allowed to run when the widget starts
(or it is to be hoped that it does).

This is not a Java applet. There is no fine grained security. If you
need more than JavaScript gives you, you can include a "Widget plugin",
which is a bundle containing an Objective-C class. This is loaded with
your widget and as soon as it is initialized, it is free to do whatever
the heck it wants. Shades of Active-X, really, except without the
digital signatures.

If that is not sneaky enough, you can also use facilities like
widget.system() to launch executable code.

>
> At this point, it's no worse than any Trojan anyone might mail you.

It's worse because it can impersonate an Apple provided widget.
Otherwise it is your standard Trojan, yes.
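Added example, not code from the thread or from Apple: a small Python audit that reads each widget's Info.plist in a system and a user Widgets folder, flags user widgets whose CFBundleIdentifier shadows a system widget (the bundle id confusion described earlier in the thread), and flags widgets that request AllowSystem, AllowFullAccess or a Plugin bundle (the routes out of WebKit named in this post). The folder layout (/Library/Widgets versus ~/Library/Widgets) follows the thread, the Info.plist keys are Apple's widget keys, and the sample widgets and bundle ids below are constructed.

```python
"""Audit Dashboard widget folders for two risks discussed in the thread:
user-installed widgets whose CFBundleIdentifier collides with a system
widget, and widgets that ask for capabilities reaching outside WebKit
(widget.system via AllowSystem, a native Plugin bundle, AllowFullAccess).

Added example; the Info.plist keys are Apple's widget keys, the sample
widgets and bundle ids are constructed."""
import os
import plistlib
import tempfile

# Info.plist keys that let a widget leave the web-page part of the widget.
ESCAPE_KEYS = ("AllowSystem", "AllowFullAccess", "Plugin")


def load_widget_ids(folder):
    """Map CFBundleIdentifier -> (widget path, Info.plist dict) for every
    *.wdgt bundle in folder. Bundles without a readable plist are skipped."""
    found = {}
    if not os.path.isdir(folder):
        return found
    for name in sorted(os.listdir(folder)):
        if not name.endswith(".wdgt"):
            continue
        plist_path = os.path.join(folder, name, "Info.plist")
        try:
            with open(plist_path, "rb") as fh:
                info = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException):
            continue
        bundle_id = info.get("CFBundleIdentifier")
        if bundle_id:
            found[bundle_id] = (os.path.join(folder, name), info)
    return found


def audit_widgets(system_folder, user_folder):
    """Return a list of (severity, bundle_id, reason) findings.
    A user widget that reuses a system widget's id is 'high' because the
    thread reports Dashboard may run the impostor without its warning;
    a widget requesting an escape capability is 'medium'."""
    system = load_widget_ids(system_folder)
    user = load_widget_ids(user_folder)
    findings = []
    for bundle_id, (path, info) in user.items():
        if bundle_id in system:
            findings.append(("high", bundle_id,
                             "user widget shadows system widget id: " + path))
        escapes = [k for k in ESCAPE_KEYS if info.get(k)]
        if escapes:
            findings.append(("medium", bundle_id,
                             "requests " + ", ".join(escapes) + ": " + path))
    return findings


def make_widget(folder, name, info):
    """Write a minimal widget bundle (constructed test data)."""
    wdgt = os.path.join(folder, name + ".wdgt")
    os.makedirs(wdgt, exist_ok=True)
    with open(os.path.join(wdgt, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    return wdgt


def demo():
    """Build constructed system and user widget folders and audit them."""
    root = tempfile.mkdtemp()
    sys_dir = os.path.join(root, "Library", "Widgets")
    usr_dir = os.path.join(root, "home", "Library", "Widgets")
    # Constructed: a stock note widget in the system folder.
    make_widget(sys_dir, "Stickies",
                {"CFBundleIdentifier": "com.example.widget.stickies"})
    # Constructed: a user widget borrowing the system id and asking for
    # widget.system() via AllowSystem.
    make_widget(usr_dir, "Stickies",
                {"CFBundleIdentifier": "com.example.widget.stickies",
                 "AllowSystem": True})
    # Constructed: a harmless web-page-only widget with its own id.
    make_widget(usr_dir, "Weather",
                {"CFBundleIdentifier": "com.example.widget.weather"})
    # Constructed: a widget that loads a native plugin bundle.
    make_widget(usr_dir, "Calc",
                {"CFBundleIdentifier": "com.example.widget.calc",
                 "Plugin": "Calc.widgetplugin"})
    return audit_widgets(sys_dir, usr_dir)


if __name__ == "__main__":
    for severity, bundle_id, reason in demo():
        print(severity, bundle_id, reason)
```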

Chad Irby

May 14, 2005, 6:58:52 PM
In article <2005051417533227544%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

> Widgets do not run in a virtual machine. They are web pages, which may
> have JavaScript attached.

...which is the part that could cause problems, not the page itself.


> That would be fine, but Apple added JavaScript commands to run arbitrary
> code, like widget.system() for one. This lets a widget use any ordinary
> program. Such programs are not confined to a sandbox or anything like
> that.

...and you have to *specifically* allow them to run, as I told you
several times before, and as all of the variations on the security alert
on this one has mentioned.

Your conclusions about Widgets go contrary to everything that's been
said about them.

Daniel Johnson

May 14, 2005, 7:33:14 PM
On 2005-05-14 18:58:52 -0400, Chad Irby <ci...@cfl.rr.com> said:

> In article <2005051417533227544%danieljohnson@vzavenuenet>,
> Daniel Johnson <daniel...@vzavenue.net> wrote:
>
>> Widgets do not run in a virtual machine. They are web pages, which may
>> have JavaScript attached.
>
> ...which is the part that could cause problems, not the page itself.

It's all one widget to the user. It's one of those bundle things, you know.

And while the JavaScript could cause problems, the widget plug-in could
also do so. There's more than one way to get outside of WebKit.

>> That would be fine, but Apple added JavaScript commands to run arbitrary
>> code, like widget.system() for one. This lets a widget use any ordinary
>> program. Such programs are not confined to a sandbox or anything like
>> that.
>
> ...and you have to *specifically* allow them to run, as I told you
> several times before, and as all of the variations on the security
> alert on this one has mentioned.

If the security system worked, you would have to give permission for
them to run. There is an alert that is supposed to appear the first
time you run a new widget that uses any of these unsafe techniques.

That is in itself really quite inadequate. And it does not always work.

> Your conclusions about Widgets go contrary to everything that's been
> said about them.

They do not go contrary to what is in Apple's developer docs, except in
one detail: I say that the alert dialog does not always appear when it
should.

MR_ED_of_Course

May 14, 2005, 7:50:56 PM
in article 2005051419331416807%danieljohnson@vzavenuenet, Daniel Johnson at
daniel...@vzavenue.net wrote on 5/14/05 4:33 PM:

How about a little proof of concept? I have a test Mac that I'd be happy to
download any widget on and confirm that some of the malicious things that
you say are possible could happen.

Snit

May 14, 2005, 8:24:37 PM
"Tim Adams" <teadams$2$0$0$3...@earthlink.net> stated in post
teadams$2$0$0$3-EA9BD3.15...@news1.east.earthlink.net on 5/14/05
12:45 PM:

> In article <2005051407512075249%danieljohnson@vzavenuenet>,
> Daniel Johnson <daniel...@vzavenue.net> wrote:
>
>> On 2005-05-14 07:15:58 -0400, Tim Adams <teadams$2$0$0$3...@earthlink.net> said:
>>
>>> In article <BEAA7A5D.185C3%SN...@CABLE0NE.NET.INVALID>,
>>> Snit <SN...@CABLE0NE.NET.INVALID> wrote:
>>>
>>> ~snip
>>>
>>>>
>>>> http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html
>>>>
>>>> You cannot remove widgets from the Widget Bar or change their order.
>>>>
>>>> Ouch!
>>>
>>> If you want to remove a widget from the Widget bar, open your hard
>>> drive, open the folder called 'Library' then the folder called 'Widget'
>>> and remove the item you no longer want to appear in the bar.
>>
>> That's not where these auto-installed widgets go. You should open your
>> *home directory*, then Library, then Widgets.
>
> Except I'm not talking about these 'auto-installed widgets' but the
> statement, from Apple, posted by snit that you couldn't remove widgets
> from the widget bar. You can do so real easy.

Where you pointed me to would not let me remove all Widgets - and none of
the ones in question, the auto-installed ones.

Still, easy enough mistake for you to make... not a big deal.


>
>>
>> Once you remove them dashboard gets very confused. You should log out
>> to fix this; until you do so Dashboard will try to keep using the
>> widget set it had when it started, but the one you removed no longer
>> works and things get very odd. Try it and see.
>>
>>> To change the order the items appear in, simply rename them or add a
>>> space (first in list) or a tilde (last in list) to the beginning of
>>> their name. As they currently show up in alphabetical order, changing
>>> that order isn't really all that hard.
>>
>> Changing the order is of no importance to this security hole, of course.
>
> Again, I'm just addressing the line posted by snit. Not everybody is so
> clueless as he is. If he knew how to do it, he wouldn't have posted his
> 'Ouch!'

Er? I was in reference to the fact that Apple *states* that... not that it
could not be done. Did you really miss that? Do you need me to point you
to my earlier posts where I talk about Widgets? Are you just spewing BS
trying to start another flame war? What is your goal here, Tim?


--
If A = B and B = C, then A = C, except where void or prohibited by law.
Roy Santoro, Psycho Proverb Zone (http://snipurl.com/BurdenOfProof)

Snit

May 14, 2005, 8:25:25 PM
"Tim Adams" <teadams$2$0$0$3...@earthlink.net> stated in post
teadams$2$0$0$3-ACD447.15...@news1.east.earthlink.net on 5/14/05
12:48 PM:

> In article <BEAB63AA.1877A%SN...@CABLE0NE.NET.INVALID>,
> Snit <SN...@CABLE0NE.NET.INVALID> wrote:
>
>> "Tim Adams" <teadams$2$0$0$3...@earthlink.net> stated in post
>> teadams$2$0$0$3-E97540.07...@news1.east.earthlink.net on 5/14/05
>> 4:15 AM:
>>
>>> In article <BEAA7A5D.185C3%SN...@CABLE0NE.NET.INVALID>,
>>> Snit <SN...@CABLE0NE.NET.INVALID> wrote:
>>>
>>> ~snip
>>>
>>>>
>>>> http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html
>>>>
>>>> You cannot remove widgets from the Widget Bar or change their order.
>>>>
>>>> Ouch!
>>>
>>> If you want to remove a widget from the Widget bar, open your hard
>>> drive, open the folder called 'Library' then the folder called 'Widget'
>>> and remove the item you no longer want to appear in the bar.
>>>
>>> To change the order the items appear in, simply rename them or add a
>>> space (first in list) or a tilde (last in list) to the beginning of
>>> their name. As they currently show up in alphabetical order, changing
>>> that order isn't really all that hard.
>>
>> In case you are actually trying to be helpful and educate those who do not
>> know that, I will say thanks... but keep in mind that the comment was not a
>> question about how to remove it, but a comment about what Apple says about
>> it. Still, some may not have known the details of how to remove a Widget,
>> so I will give you the benefit of the doubt.
>
> Which is why you included your 'Ouch!' no doubt.

Um, no - but I will let you believe whatever your poor reading comprehension
leads you to believe.
>
> ~snip

--
Snit: Thank you, Tim, for proving me right that you will not back up your
accusations. You almost never do... if ever.

Tim Adam's reply: Your welcome.

Nasht0n

May 14, 2005, 8:55:23 PM
Chad Irby wrote:

> In article <2005051413184016807%danieljohnson@vzavenuenet>,
> Daniel Johnson <daniel...@vzavenue.net> wrote:
>
>> On 2005-05-14 12:56:27 -0400, Chad Irby <ci...@cfl.rr.com> said:
>>
>>> In article <200505140817548930%danieljohnson@vzavenuenet>,
>>> Daniel Johnson <daniel...@vzavenue.net> wrote:
>>>
>>>> Don't look now, but that's what this is. The dashboard can be tricked
>>>> into giving authorization to these widgets without asking the user.
>>>> They need only impersonate a harmless widget, and when the user starts
>>>> them up, it's all over.
>>>
>>> Except, of course, they're still in that virtual sandbox, which means
>>> that they're going to ask the user for a password when they try to do
>>> anything outside of that sandbox.
>>
>> This is simply not so. No password is ever involved.
>>
>> The security check is done at widget startup only. If the widget starts
>> running arbitrary programs, those programs are free to do whatever they
>> want, just as if you had run them. The "sandbox" only applies to the
>> web-page part of the widget.
>
> You *really* need to go back and read the advisories about this. You're
> assuming things that are exactly the opposite of how the thing works.
> The only thing the widgets can do is to install themselves into the
> Dashboard - they can't do anything outside of that without direct user
> intervention.
>

Is denial a river in Tampa Bay?

Nicolas

Nasht0n

May 14, 2005, 8:57:24 PM
Daniel Johnson wrote:

You are losing your time.
Can't you tell it's like trying to explain multiplication to a hamster?

Nicolas

Tim Adams

May 14, 2005, 9:18:40 PM
In article <BEABE4D5.1897B%SN...@CABLE0NE.NET.INVALID>, Snit <SN...@CABLE0NE.NET.INVALID> wrote:

> "Tim Adams" <teadams$2$0$0$3...@earthlink.net> stated in post
> teadams$2$0$0$3-EA9BD3.15...@news1.east.earthlink.net on 5/14/05
> 12:45 PM:
>
> > In article <2005051407512075249%danieljohnson@vzavenuenet>,
> > Daniel Johnson <daniel...@vzavenue.net> wrote:
> >
> >> On 2005-05-14 07:15:58 -0400, Tim Adams <teadams$2$0$0$3...@earthlink.net>
> >> said:
> >>
> >>> In article <BEAA7A5D.185C3%SN...@CABLE0NE.NET.INVALID>,
> >>> Snit <SN...@CABLE0NE.NET.INVALID> wrote:
> >>>
> >>> ~snip
> >>>
> >>>>
> >>>> http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2037.html
> >>>>
> >>>> You cannot remove widgets from the Widget Bar or change their order.
> >>>>
> >>>> Ouch!
> >>>
> >>> If you want to remove a widget from the Widget bar, open your hard
> >>> drive, open the folder called 'Library' then the folder called 'Widget'
> >>> and remove the item you no longer want to appear in the bar.
> >>
> >> That's not where these auto-installed widgets go. You should open your
> >> *home directory*, then Library, then Widgets.
> >
> > Except I'm not talking about these 'auto-installed widgets' but the
> > statement, from Apple, posted by snit that you couldn't remove widgets
> > from the widget bar. You can do so real easy.
>
> Where you pointed me to would not let me remove all Widgets - and none of
> the ones in question, the auto-installed ones.

Well; I was able to remove every single widget on my system without any problem at all. Including
auto-installed ones. Perhaps you need to learn a bit about computers - when doing something like
that, a re-boot often helps. I thought you taught computers and wouldn't need that simple step.

>
> Still, easy enough mistake for you to make... not a big deal.

Too bad it's YOU making the mistakes, isn't it?

> >
> >>
> >> Once you remove them dashboard gets very confused. You should log out
> >> to fix this; until you do so Dashboard will try to keep using the
> >> widget set it had when it started, but the one you removed no longer
> >> works and things get very odd. Try it and see.
> >>
> >>> To change the order the items appear in, simply rename them or add a
> >>> space (first in list) or a tilde (last in list) to the beginning of
> >>> their name. As they currently show up in alphabetical order, changing
> >>> that order isn't really all that hard.
> >>
> >> Changing the order is of no importance to this security hole, of course.
> >
> > Again, I'm just addressing the line posted by snit. Not everybody is so
> > clueless as he is. If he knew how to do it, he wouldn't have posted his
> > 'Ouch!'
>
> Er? I was in reference to the fact that Apple *states* that... not that it
> could not be done. Did you really miss that? Do you need me to point you
> to my earlier posts where I talk about Widgets? Are you just spewing BS
> trying to start another flame war? What is your goal here, Tim?

Liar! IF you knew it could be done you would have posted that info when you posted the link to
Apple's statement OR just out and out said it was wrong. Your 'Ouch!' clearly showed you had no
clue, and your followup further proves that point.

Tim Adams

May 14, 2005, 9:19:31 PM

Liar - in both this statement and your now deleted tag line.

Snit

May 14, 2005, 10:24:18 PM
"Tim Adams" <teadams$2$0$0$3...@earthlink.net> stated in post
teadams$2$0$0$3-97DEF1.21...@news1.east.earthlink.net on 5/14/05
6:18 PM:

>>>> If you want to remove a widget from the Widget bar, open your hard drive,
>>>> open the folder called 'Library' then the folder called 'Widget' and remove
>>>> the item you no longer want to appear in the bar.
>>>>
>>>> That's not where these auto-installed widgets go. You should open your
>>>> *home directory*, then Library, then Widgets.
>>>>
>>> Except I'm not talking about these 'auto-installed widgets' but the
>>> statement, from Apple, posted by snit that you couldn't remove widgets from
>>> the widget bar. You can do so real easy.
>>>
>> Where you pointed me to would not let me remove all Widgets - and none of the
>> ones in question, the auto-installed ones.
>>
> Well; I was able to remove every single widget on my system without any
> problem at all. Including auto-installed ones.

In reference to:

If you want to remove a widget from the Widget bar, open your hard
drive, open the folder called 'Library' then the folder called 'Widget'
and remove the item you no longer want to appear in the bar.

You are claiming:

I was able to remove every single widget on my system without any
problem at all. Including auto-installed ones.

It will be fun to watch you backpedal on that one. Maybe you are playing
one of your Carrollesque semantic games.

In any case, it will be interesting to watch as you try to defend your
circus acts here...

Oh, and since I am a nice guy and sometimes help even cretins such as
yourself who are following me around lying, trolling, and flaming - here are
some sources which will tell you where Widgets get installed by default
(~/Library/Widgets):

http://www.oreillynet.com/pub/wlg/7039
http://www.dashboardwidgets.com/
http://wired-vig.wired.com/news/mac/0,2125,67484,00.html?tw=wn_story_top5

And if you can not find the folder yourself:

http://www.downtownsoftwarehouse.com/WidgetManager/index.php

Somehow I bet you forget to thank me for educating you on this relatively
well known point. Your embarrassment will prevent you from doing so.

> Perhaps you need to learn a bit about computers - when doing something like
> that, a re-boot often helps. I thought you taught computers and wouldn't need
> that simple step.

You really should at least try to get your facts right before flaming
someone else... not very bright of you.

>> Still, easy enough mistake for you to make... not a big deal.
>
> To bad it's YOU making the mistakes isn't it?

How long until you admit to your mistake? Everyone makes mistakes, Tim, I
have no problem with that - the funny thing here is you are trolling and
flaming *me* based on *your* error.

>>>> Once you remove them dashboard gets very confused. You should log out
>>>> to fix this; until you do so Dashboard will try to keep using the
>>>> widget set it had when it started, but the one you removed no longer
>>>> works and things get very odd. Try it and see.
>>>>
>>>>> To change the order the items appear in, simply rename them or add a
>>>>> space (first in list) or a tilde (last in list) to the beginning of
>>>>> their name. As they currently show up in alphabetical order, changing
>>>>> that order isn't really all that hard.
>>>>
>>>> Changing the order is of no importance to this security hole, of course.
>>>
>>> Again, I'm just addressing the line posted by snit. Not everybody is so
>>> clueless as he is. If he knew how to do it, he wouldn't have posted his
>>> 'Ouch!'
>>
>> Er? I was in reference to the fact that Apple *states* that... not that it
>> could not be done. Did you really miss that? Do you need me to point you
>> to my earlier posts where I talk about Widgets? Are you just spewing BS
>> trying to start another flame war? What is your goal here, Tim?
>
> Liar! IF you know it could be done you would have posted that info when you
> posted the link to Apple's statement OR just out and out said it was wrong.
> Your 'Ouch!' clearly showed you had no clue, and your followup further proves
> that point.

Do you wish to keep showing off your lack of comprehension? I was in
reference to the fact that Apple *states* that... not that it could not be
done. Did you really miss that? Do you need me to point you to my earlier
posts where I talk about Widgets? Are you just spewing BS trying to start
another flame war? What is your goal here, Tim?


--
Snit: Going through a house is just outright wrong...
Tim Adams' Reply: Yet it's on a public forum.


Snit

May 14, 2005, 10:26:08 PM
"Tim Adams" <teadams$2$0$0$3...@earthlink.net> stated in post
teadams$2$0$0$3-9C09D9.21...@news1.east.earthlink.net on 5/14/05
6:19 PM:

>>>> In case you are actually trying to be helpful and educate those who do not
>>>> know that, I will say thanks... but keep in mind that the comment was not a
>>>> question about how to remove it, but a comment about what Apple says about
>>>> it. Still, some may not have known the details of how to remove a Widget,
>>>> so I will give you the benefit of the doubt.
>>>
>>> Which is why you included your 'Ouch!' no doubt.
>>
>> Um, no - but I will let you believe whatever your poor reading comprehension
>> leads you to believe.
>
> Liar - in both this statement and your now deleted tag line.

Do you wish to keep showing off your lack of comprehension? I was in
reference to the fact that Apple *states* that... not that it could not be
done. Did you really miss that?


--
"If you have integrity, nothing else matters." - Alan Simpson

Wally

May 15, 2005, 1:57:21 AM


On 15/5/05 1:25 AM, in article BEAB8288.1879E%SN...@CABLE0NE.NET.INVALID,
"Snit" <SN...@CABLE0NE.NET.INVALID> wrote:

> "Wally" <wa...@wally.world.net> stated in post
> BEAC3924.E4DE%wa...@wally.world.net on 5/14/05 8:26 AM:
>
> Wow, Wally. We agree that:
>
> * the Widget setup on OS X is a security hole
> * Apple should fix this hole
> * it likely will be fixed in 10.4.1
> * you, and I, know how to protect ourselves from this hole
>
> And yet you troll over it.

So for me to give MY opinion, and describe MY experience, in your chemically
induced state is a troll!
But for you to do exactly the same, is fine!
Are you sure you read the label on that bottle correctly?

>
> * Wally has admitted now that he will be heading back to CSMA
> to cause trouble there, though he does not word it that way.

So in other words it's all in the Snit method of translation..... Oh dear!
"Snap back to reality......."

Snit

May 15, 2005, 2:31:25 AM
"Wally" <wa...@wally.world.net> stated in post
BEAD055A.E5BA%wa...@wally.world.net on 5/14/05 10:57 PM:

We *still* agree on these issues:

* the Widget setup on OS X is a security hole
* Apple should fix this hole
* it likely will be fixed in 10.4.1
* you, and I, know how to protect ourselves from this hole

And we can now add:

* It is ok to express personal opinions and describe experiences... though
I will state that such rights do not extend to lying about others
(something you have shown you do *not* agree with... look at your
dishonest comments/accusations about drugs, above).

And yet, even though we are largely in agreement you lie, flame, troll, and
spew BS... can you imagine what horrid trolling and flaming you would do if
we *disagreed* about the above list!


--

"'You and I have agreed' means that no such thing has ever been said or
inferred" -- Wally

Wally

May 15, 2005, 2:32:32 AM


On 15/5/05 3:45 AM, in article
teadams$2$0$0$3-EA9BD3.15...@news1.east.earthlink.net, "Tim Adams"
<teadams$2$0$0$3...@earthlink.net> wrote:


>
> Again, I'm just addressing the line posted by snit. Not everybody is so
> clueless as he is. If he knew how to do it, he wouldn't have posted his
> 'Ouch!'

Snit forgot about 'Library Widgets' as opposed to '~ Library Widgets', it's
logical that auto install Widgets would go local but don't expect 'The
Teacher' to admit it any time soon! ;=)

Snit

May 15, 2005, 2:41:42 AM
"Wally" <wa...@wally.world.net> stated in post
BEAD0D99.E5BC%wa...@wally.world.net on 5/14/05 11:32 PM:

>> Again, I'm just addressing the line posted by snit. Not everybody is so
>> clueless as he is. If he knew how to do it, he wouldn't have posted his
>> 'Ouch!'
>
> Snit forgot about 'Library Widgets' as opposed to '~ Library Widgets', it's
> logical that auto install Widgets would go local but don't expect 'The
> Teacher' to admit it any time soon! ;=)
>

I would love to see how my commenting that Apple's web page that says there
is no way to remove widgets (ouch!) is in any way related to the BS that
you and Tim are babbling about.

Keep in mind, Tim is the one that denied that auto-installed widgets are
placed in the ~/Library/Widgets folder. He is trying to hide his
embarrassment by making up stories about me.

Then again, Wally, even when you and I largely agree you feel the need to
flame and troll. You two make a great pair... just not sure why you try so
hard to emulate Steve Carroll.

--
I wrote:
It has become so easy to point out Steve's lies...
Tim Adams replied:
if you read what snit posts, you'll see all the proof you need.

Wally

May 15, 2005, 2:55:06 AM


On 15/5/05 2:31 PM, in article BEAC3ACD.18C11%SN...@CABLE0NE.NET.INVALID,
"Snit" <SN...@CABLE0NE.NET.INVALID> wrote:

> "Wally" <wa...@wally.world.net> stated in post
> BEAD055A.E5BA%wa...@wally.world.net on 5/14/05 10:57 PM:
>
>>
>>
>>
>> On 15/5/05 1:25 AM, in article BEAB8288.1879E%SN...@CABLE0NE.NET.INVALID,
>> "Snit" <SN...@CABLE0NE.NET.INVALID> wrote:
>>
>>> "Wally" <wa...@wally.world.net> stated in post
>>> BEAC3924.E4DE%wa...@wally.world.net on 5/14/05 8:26 AM:
>>>
>>> Wow, Wally. We agree that:
>>>
>>> * the Widget setup on OS X is a security hole
>>> * Apple should fix this hole
>>> * it likely will be fixed in 10.4.1
>>> * you, and I, know how to protect ourselves from this hole
>>>
>>> And yet you troll over it.
>>
>> So for me to give MY opinion, and describe MY experience, in your chemically
>> induced state is a troll!
>> But for you to do exactly the same, is fine!
>> Are you sure you read the label on that bottle correctly?
>>
>>>
>>> * Wally has admitted now that he will be heading back to CSMA
>>> to cause trouble there, though he does not word it that way.
>>
>> So in other words it's all in the Snit method of translation.....Oh dear!
>> "Snap back to reality......."
>>
> We *still* agree on these issues:
>
> * the Widget setup on OS X is a security hole

It is the 'degree' we disagree on!

> * Apple should fix this hole

Yup!

> * it likely will be fixed in 10.4.1

I stated IMO that it will likely be fixed prior to 10.4.1!

> * you, and I, know how to protect ourselves from this hole

Yup! And I understand that you have finally found out where the auto install
Widgets are stored....well done!



> And we can now add:
>
> * It is ok to express personal opinions and describe experiences...

It was only you that needed to realize this...I always knew it!

> though
> I will state that such rights do not extend to lying about others

Does this apply to accurate quoting also, this will be a pleasant change to
your behavior!

> (something you have shown you do *not* agree with... look at your
> dishonest comments/accusations about drugs, above).

Do you deny recently commenting to another poster about your current
medication? Not forgetting that I asked...

"Are you sure you read the label on that bottle correctly?"

> And yet, even though we are largely in agreement you lie, flame, troll, and
> spew BS... can you imagine what horrid trolling and flaming you would do if
> we *disagreed* about the above list!

Easily! As my imagination is not clouded my any outside influences!

Snit

May 15, 2005, 3:12:38 AM
"Wally" <wa...@wally.world.net> stated in post
BEAD12E4.E5CC%wa...@wally.world.net on 5/14/05 11:55 PM:

>> We *still* agree on these issues:
>>
>> * the Widget setup on OS X is a security hole
>
> It is the 'degree' we disagree on!

Sure, we may disagree on some details, but that is not what you are trolling
and flaming about.


>
>> * Apple should fix this hole
>
> Yup!
>
>> * it likely will be fixed in 10.4.1
>
> I stated IMO that it will likely be fixed prior to 10.4.1!

Ok, I can accept this... it is likely to be fixed soon, either in 10.4.1 or
before. Again, if you want to nit pick that is your choice...


>
>> * you, and I, know how to protect ourselves from this hole
>
> Yup! And I understand that you have finally found out where the auto install
> Widgets are stored....well done!

Er? Oh, you are in reference to Tim Adam's trolling... the same thread
where he jumped to bizarre and inaccurate conclusions based on my saying
"ouch!" ... and then showed he did not know where auto installed Widgets
were stored (he claimed they were in /System/Widgets, not
~/System/Widgets... and then denied the correction when given a chance!)

And yet you take his side for the sole purpose to troll and flame. Why do
you do that?


>
>> And we can now add:
>>
>> * It is ok to express personal opinions and describe experiences...
>
> It was only you that needed to realize this...I always knew it!

Again you are trolling and flaming. What leads you to mistakenly believe I
ever disagreed with this?


>
>> though
>> I will state that such rights do not extend to lying about others
>
> Does this apply to accurate quoting also, this will be a pleasant change to
> your behavior!

I would love to see your support for this ... which you and I know you will
never provide. In any case, I can easily point to many examples of your
dishonest snipping - so do not pretend to be honest - you clearly are not.


>
>> (something you have shown you do *not* agree with... look at your
>> dishonest comments/accusations about drugs, above).
>
> Do you deny recently commenting to another poster about your current
> medication? Not forgetting that I asked...
>
> "Are you sure you read the label on that bottle correctly?"

Bottle of what? What comments are you in reference to? Again, Wally, you
are merely trolling and flaming... and keep in mind, this is in a thread
where we agree, at least for the most part, on the main issues.


>
>> And yet, even though we are largely in agreement you lie, flame, troll, and
>> spew BS... can you imagine what horrid trolling and flaming you would do if
>> we *disagreed* about the above list!
>
> Easily!

Yes... sadly so can I... being that I have been the recipient of your
flaming and trolling when you did disagree with me.

> As my imagination is not clouded my any outside influences!

Ahhh... you are trying to sink to Carrollesque stupidity. Does it make you
feel better to do so?

Wally

May 15, 2005, 3:32:17 AM


On 15/5/05 2:41 PM, in article BEAC3D36.18C17%SN...@CABLE0NE.NET.INVALID,
"Snit" <SN...@CABLE0NE.NET.INVALID> wrote:

> "Wally" <wa...@wally.world.net> stated in post
> BEAD0D99.E5BC%wa...@wally.world.net on 5/14/05 11:32 PM:
>
>>> Again, I'm just addressing the line posted by snit. Not everybody is so
>>> clueless as he is. If he knew how to do it, he wouldn't have posted his
>>> 'Ouch!'
>>
>> Snit forgot about 'Library Widgets' as opposed to '~ Library Widgets', it's
>> logical that auto install Widgets would go local but don't expect 'The
>> Teacher' to admit it any time soon! ;=)
>>
> I would love to see how my commenting that Apple's web page that says there
> is no way to remove widgets (ouch!) is in any way related to the BS that
> you and Tim are babbling about.

Why do you not indicate that the next couple of lines are quotes from Daniel
Johnson? You really are unable to be honest wrt quotes! Why is that?

<Daniel Johnson quote>

> That's not where these auto-installed widgets go. You should open your
> *home directory*, then Library, then Widgets.

<end of quote>

In response to Daniel you went on to say....

"Ouch... good catch. I missed that in my response to him."

You clearly didn't know where the auto installed Widgets were installed
therefore you didn't know how to remove them!

> Keep in mind, Tim is the one that denied that auto-installed widgets are
> placed in the ~/Library/Widgets folder.

Where did he deny that?....I can feel one of your Snit interpretations
coming on!

> He is trying to hide his embarrassment by making up stories about me.

Where?



> Then again, Wally, even when you and I largely agree you feel the need to
> flame and troll. You two make a great pair... just not sure why you try so
> hard to emulate Steve Carroll.

So if I understand you... I am supposed to be the troll, and yet you again for
no reason at all mention Steve Carroll! Hhhhhhmmmmm!

Snit

May 15, 2005, 4:03:39 AM
"Wally" <wa...@wally.world.net> stated in post
BEAD1B9A.E5D0%wa...@wally.world.net on 5/15/05 12:32 AM:

>>>> Again, I'm just addressing the line posted by snit. Not everybody is so
>>>> clueless as he is. If he knew how to do it, he wouldn't have posted his
>>>> 'Ouch!'
>>>
>>> Snit forgot about 'Library Widgets' as opposed to '~ Library Widgets', it's
>>> logical that auto install Widgets would go local but don't expect 'The
>>> Teacher' to admit it any time soon! ;=)
>>>
>> I would love to see how my commenting that Apple's web page that says there
>> is no way to remove widgets (ouch!) is in any way related to the BS that
>> you and Tim are babbling about.
>
> Why do you not indicate that the next couple of lines are quotes from Daniel
> Johnson?

I made a mistake. I am sure you will use that against me for quite some
time being that you are looking to troll and flame and not have a real
conversation. I hope you prove me wrong on this, but I doubt it.

> You really are unable to be honest wrt quotes! Why is that?
>
> <Daniel Johnson quote>
>
>> That's not where these auto-installed widgets go. You should open your
>> *home directory*, then Library, then Widgets.
>
> <end of quote>
>
> In response to Daniel you went on to say....
>
> "Ouch... good catch. I missed that in my response to him."
>
> You clearly didn't know where the auto installed Widgets were installed
> therefore you didn't know how to remove them!

Incorrect... I did not catch *Tim's* error... it was a good catch that
someone else caught the error that I did not. I skimmed Tim's comments
there ... as he has generally just been trolling recently...

As is my norm, though, when I made a mistake, as I did there, I admit to it
quickly and honestly. You, on the other hand, have failed to do so on
multiple occasions. Do you need me to point you to examples?


>
>> Keep in mind, Tim is the one that denied that auto-installed widgets are
>> placed in the ~/Library/Widgets folder.
>
> Where did he deny that?

In CSMA. Where else do you think he would do it?

OK, from:

teadams$2$0$0$3-97DEF1.21...@news1.east.earthlink.net

----------
In reference to:

If you want to remove a widget from the Widget bar, open your hard
drive, open the folder called 'Library' then the folder called 'Widget'
and remove the item you no longer want to appear in the bar.

Tim Adams claimed:

I was able to remove every single widget on my system without any
problem at all. Including auto-installed ones.

---------

Let's see if you have any "creative" interpretations of Tim Adams comments
that would not make it easy to see he is simply wrong. Completely wrong.
Not only is he wrong, he flames *me* over his error! When I told him:

Still, easy enough mistake for you to make... not a big deal.

He responded with:

Too bad it's YOU making the mistakes isn't it?

Care to defend him and make yourself wrong about one more thing? You know
Carroll would jump in to defend Tim Adams, even though this is so clearly a
case of Tim being 100% wrong as to make it laughable...

> ....I can feel one of your Snit interpretations coming on!

Perhaps you can learn from my "interpretations"... they are called honest
comprehension... and it is something you are showing a lack of.


>
>> He is trying to hide his embarrassment by making up stories about me.
>
> Where?

CSMA.

>> Then again, Wally, even when you and I largely agree you feel the need to
>> flame and troll. You two make a great pair... just not sure why you try so
>> hard to emulate Steve Carroll.
>
> So if I understand you..I am supposed to be the troll

I see no reason why you are *supposed* to be the troll... I am merely
pointing out that even when you and I largely agree on something you elect
to troll and flame. I see nothing to indicate it is *supposed* to be that
way, and I would prefer if you would stop.

What about my comments lead you to the misunderstanding that you are
*supposed* to be the troll? Is that why you are trolling - because you
think you are supposed to be "the troll"?

> , and yet you again for no reason at all mention Steve Carroll! Hhhhhhmmmmm!

You are clearly trying to emulate his level of stupidity. It does not come
as natural for you as it does for him. I will admit, this is merely my
opinion... maybe you really are as stupid as he is, I just seriously doubt
it.


--
Look, this is silly. It's not an argument, it's an armor plated walrus with
walnut paneling and an all leather interior.

Tim Adams

May 15, 2005, 4:38:52 AM

Gee, they all support me and the location. Hard drive (or in their case ~) /library/widget. NOT the
~/users/username/library/widget as at least one other person said, and you agreed with a day or so
ago.


>
> And if you can not find the folder yourself:
>
> http://www.downtownsoftwarehouse.com/WidgetManager/index.php

You appear to be the one having problems finding the folder, not me.

>
> Somehow I bet you forget to thank me for educating you on this relatively
> well known point. Your embarrassment will prevent you from doing so.

Thank you for what? Verifying what I've been saying all along?

>
> > Perhaps you need to learn a bit about computers - when doing something like
> > that, a re-boot often helps. I thought you taught computers and wouldn't
> > need
> > that simple step.
>
> You really should at least try to get your facts right before flaming
> someone else... not very bright of you.

Yes you really should. You should also try to learn to READ and comprehend just what you read. It
would reduce a lot of your trolling.

~snip

Snit

May 15, 2005, 5:04:06 AM
"Tim Adams" <teadams$2$0$0$3...@earthlink.net> stated in post
teadams$2$0$0$3-DC7806.04...@news1.east.earthlink.net on 5/15/05
1:38 AM:

>> It will be fun to watch you back pedal on that one. Maybe you are playing
>> one of your Carrollesque semantic games.
>>
>> In any case, it will be interesting to watch as you try to defend your
>> circus acts here...
>>
>> Oh, and since I am a nice guy and sometimes help even cretins such as
>> yourself who are following me around lying, trolling, and flaming - here are
>> some sources which will tell you where Widgets get installed by default
>> (~/Library/Widgets):
>>
>> http://www.oreillynet.com/pub/wlg/7039
>> http://www.dashboardwidgets.com/
>> http://wired-vig.wired.com/news/mac/0,2125,67484,00.html?tw=wn_story_top5
>
> Gee, they all support me and the location. Hard drive (or in their case ~)

Hard drive or in their case ~? What do you mean? Do you not know that ~
means the user's folder?

~/Library/Widget
/Users/<name>/Library/Widget

Both refer to the same thing... not to

/Library/Widget

> /library/widget. NOT the
> ~/users/username/library/widget

Who pointed to some folder that does not exist? There is no default:

/Users/<name>/users/username/library/widget

I would love to see you try to point to *anyone* making the mistake you just
referenced. My guess is you simply have no idea what the tilde in a path
means. See if this helps you:

http://tmml.sourceforge.net/doc/tcl/filename.html#SECTid1208

Does that help you to understand your errors?

> as at least one other person said, and you agreed with a day or so ago.

Please quote your reference. I am in reference to the following
conversation:

You stated the following error:

If you want to remove a widget from the Widget bar, open your hard
drive, open the folder called 'Library' then the folder called 'Widget'
and remove the item you no longer want to appear in the bar.

Daniel Johnson replied:

That's not where these auto-installed widgets go. You should open your
*home directory*, then Library, then Widgets.

I responded:

Ouch... good catch. I missed that in my response to him.

And, as I stated later:

It will be fun to watch you back pedal on that one. Maybe you are
playing one of your Carrollesque semantic games.

In any case, it will be interesting to watch as you try to defend your
circus acts here...

And, of course, that is *exactly* what you are doing. In so doing, however,
you are not only showing you have no idea where user files are stored, you
do not know how to follow a path!

How much trolling and flaming will you do against me now that I have pointed
out this weakness of yours! You know, Tim, if you would just not be an ass,
when I educate you on such matters I would be much more kind. :)

--
"I'm a troll that pisses off many CSMA regulars" - Tim Adams
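The posts above turn on where Dashboard widgets live (per-user `~/Library/Widgets` versus the machine-wide `/Library/Widgets`) and, from the start of the thread, on the worry that a silently installed widget can reuse a system-provided bundle identifier. The script below is an added example, not code from the thread or from Apple: it inventories the `.wdgt` bundles in both folders, reads each bundle's `CFBundleIdentifier` from its XML `Info.plist`, and flags any user-level widget whose identifier duplicates a machine-wide one. Folder paths are passed as arguments, and the sample tree it builds (bundle names and `example.*` identifiers) is constructed here for demonstration, so it runs offline; on a real Mac you would call `find_shadowed "$HOME/Library/Widgets" /Library/Widgets`.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple). Inventory Dashboard widget
# bundles in a per-user folder (~/Library/Widgets on a real Mac) and a
# machine-wide folder (/Library/Widgets), and flag user-level widgets whose
# bundle identifier duplicates a machine-wide one. Paths are arguments so the
# same check runs on a constructed sample tree here and on the real folders.

# bundle_id WIDGET_DIR: print CFBundleIdentifier from the bundle's XML Info.plist.
bundle_id() {
    plist="$1/Info.plist"
    [ -f "$plist" ] || return 1
    sed -n '/<key>CFBundleIdentifier<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist"
}

# list_widgets DIR: one "identifier<TAB>path" line per *.wdgt bundle in DIR.
list_widgets() {
    [ -d "$1" ] || return 0
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        id=$(bundle_id "$w") || id="(no Info.plist)"
        printf '%s\t%s\n' "$id" "$w"
    done
}

# find_shadowed USER_DIR SYS_DIR: print "SHADOWED<TAB>id<TAB>path" for every
# user-level widget whose identifier also appears among the machine-wide ones.
find_shadowed() {
    sys_ids=$(list_widgets "$2" | cut -f1)
    tab=$(printf '\t')
    list_widgets "$1" | while IFS="$tab" read -r id path; do
        [ "$id" = "(no Info.plist)" ] && continue
        if printf '%s\n' "$sys_ids" | grep -qxF -- "$id"; then
            printf 'SHADOWED\t%s\t%s\n' "$id" "$path"
        fi
    done
}

# shadowed_count USER_DIR SYS_DIR: number of flagged widgets (0 means clean).
shadowed_count() {
    find_shadowed "$1" "$2" | wc -l | tr -d ' '
}

# make_widget DIR NAME ID: write a constructed minimal widget bundle (sample data).
make_widget() {
    mkdir -p "$1/$2.wdgt"
    cat > "$1/$2.wdgt/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>$3</string>
    <key>CFBundleName</key>
    <string>$2</string>
</dict>
</plist>
EOF
}

# Constructed sample tree. The identifiers are placeholders, not Apple's real ones.
SAMPLE=$(mktemp -d)
make_widget "$SAMPLE/sys"  "Stickies"     "example.system.stickies"
make_widget "$SAMPLE/sys"  "Calculator"   "example.system.calculator"
make_widget "$SAMPLE/user" "Stickies 2"   "example.system.stickies"    # reuses a system id
make_widget "$SAMPLE/user" "Weather Plus" "example.thirdparty.weather" # ordinary third-party id

# Report: only "Stickies 2" is flagged.
find_shadowed "$SAMPLE/user" "$SAMPLE/sys"
```

The report lists the per-user bundle path alongside the duplicated identifier, which is the item to inspect or remove; a widget whose `Info.plist` is missing is listed by `list_widgets` but skipped by the duplicate check rather than treated as a match.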

Daniel Johnson

May 15, 2005, 8:34:25 AM
On 2005-05-14 19:50:56 -0400, MR_ED_of_Course <OhNo...@pacbell.net> said:

> in article 2005051419331416807%danieljohnson@vzavenuenet, Daniel Johnson at
> daniel...@vzavenue.net wrote on 5/14/05 4:33 PM:

>>> Your conclusions about Widgets go contrary to everything that's been
>>> said about them.
>>
>> They do not go contrary to what is in Apple's developer docs, except in
>> one detail: I say that the alert dialog does not always appear when it
>> should.
>>
>
> How about a little proof of concept? I have a test Mac that I'd be happy to
> download any widget on and confirm that some of the malicious things that
> you say are possible could happen.

Go to the web page I linked to at the start. This discussion covers all
these details and has links to pages with examples. Plus a priceless
"widgets of EVIL" screenie.

Or, if it's too long for you, take this shortcut:

http://www1.cs.columbia.edu/~aaron/files/widgets/

This page is one of the examples. It links to an example page which
downloads an "Evil Stickies" widget that looks like the real Stickies
(bar a slightly different name) until you open it. This widget demands
access to the System command so it should provoke the alert, but for me
it did not do so. This is clearly a bug, and I won't swear it will
occur for every user (bugs are rarely so reliable!) but it happens for
some users. The thread I linked to at the start has various reports
from other people about this, so it is not just me.

The author of this page keeps revising the widget, and it has at times
failed to install the widget. But this morning (5/15/05) it did install
for me and did demonstrate the issue I've described.

Daniel Johnson

May 15, 2005, 8:37:35 AM
On 2005-05-14 20:57:24 -0400, Nasht0n <n...@nah.ca> said:

[snip - explaining Dashboard security to Chad]

> You are losing your time.
> Can't you tell it's like trying to explain multiplication to a hamster?

Oh, that's priceless!

But not accurate. Hamsters aren't in denial. They just want to run
around in their little wheel.

Now, in this case, I'm the one running around in the little wheel. Or
so it seems... :D

Chad Irby

May 15, 2005, 9:10:43 AM
In article <2005051508373575249%danieljohnson@vzavenuenet>,
Daniel Johnson <daniel...@vzavenue.net> wrote:

Well, you got Nasty to agree with you, that's a sure sign you went off
track somewhere.
