Mac OS X 10.4: Widgets: Possible security exploit; Excessive memory usage; more
Possible security exploit, vulnerability to malicious widgets
Mac OS X 10.4.0, installed and run in its default state, contains a vulnerability based on a number of factors -- including Safari's method for handling automatic Widget installation -- where malicious, or at least annoying, Dashboard Widgets can be installed without the user's knowledge, to be activated the next time Dashboard is accessed.
The scenario goes like this:
You click on a seemingly innocuous link and view the resulting page's content. Meanwhile, a meta tag embedded in the page (META HTTP-EQUIV="Refresh") downloads a Widget in the background, and Safari -- which is, by default, set to automatically open "trusted" files, including Widgets -- quietly places the newly downloaded Widget in the ~/Library/Widgets folder. The next time you access Dashboard, the Widget is loaded into the Dashboard storage bar and activated when you click it or drag it out of the bar. The only indication in Safari that this process is happening is a generally unnoticeable refresh of the URL address bar.
There has been some debate about how much damage Widgets installed in this fashion can actually do to your system. Theoretically, any Widget that requests system access will require a user prompt ("Are you sure...") before gaining it -- in itself not a tremendous security measure for average users. However, some reports have suggested that there are Widgets with means of gaining system access that don't require administrator or individual user authentication.
There is also another threat that doesn't involve damage to data but can result in hogging of system resources. Widgets have been known to be extremely memory-intensive in some cases (see the section on Widget memory usage below), and the presence of many extra Widgets installed without the user's knowledge can result in an otherwise inexplicable system slowdown.
There are some quick measures you can take that will close off this vulnerability.
Turn off "Open 'safe' files after downloading"
First and foremost, turn off the option to "Open 'safe' files after downloading" in Safari's preferences (under the "General" tab).
After unchecking this option (which is turned on by default, a potential security lapse on Apple's part), Widgets delivered via the aforementioned "exploit" will simply be downloaded to the location designated in Safari's preferences, requiring the user to double-click them or drag them to the ~/Library/Widgets folder for installation.
It goes without saying that you should not manually install any Widget that is not from a trusted source.
Use Little Snitch
In order to check for potentially malicious activity from Widgets that have already been installed, use a utility like Little Snitch. After installing this utility, when a Widget tries to establish a network connection, Little Snitch intercepts the attempt and brings up an alert panel giving you all the connection details, including the name of the application that initiated the connection. You can then choose to allow the connection, deny it, or add a permanent rule for similar future connections.
Use Folder Spy
A small utility called Folder Spy can alert you when changes are made to a specific folder in Mac OS X. Set this utility to monitor your ~/Library/Widgets folder. Then, when an alert appears, check the folder and remove the added Widget(s) if necessary before launching Dashboard again. Remember, for a Widget to take any malicious action, you must access Dashboard after it is placed in the ~/Library/Widgets folder (the root /Library/Widgets folder is for Apple-installed Widgets only).
Delete Widgets from the ~/Library/Widgets folder
As noted above, any user-installed Widgets should be located in the ~/Library/Widgets folder. Therefore, any files in this location can be deleted without affecting any default Apple Widgets, which are located in the /Library/Widgets folder at the root level of your Mac OS X startup volume.
Alternatively, you can use the freeware utility Widget Manager to inspect, remove, and disable Dashboard Widgets.
You can also monitor any additions to this folder (introduction of new Widgets) through the use of Mac OS X's built-in Folder Actions via the following process:
- Control-click (accessing the contextual menu) anywhere in a Mac OS X Finder window or on any folder and select "Enable Folder Actions."
- Navigate to the ~/Library folder and select the "Widgets" folder.
- Control-click on the "Widgets" folder and select "Attach a folder action."
- Select the script "add - new item alert.scpt" (located in the folder /Library/Scripts/Folder Action Scripts/, which should appear immediately by default) and press the "Choose..." button.
You will now be presented with an alert whenever a new Widget is added to the ~/Library/Widgets folder. If this happens when visiting a new Web page, do not access Dashboard again until you have verified the Widget's trustworthiness and, if necessary, removed it from the ~/Library/Widgets folder manually or using a utility like Widget Manager.
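The Folder Actions alert above does the job interactively; as an added example (not from the original article or from Apple), here is a shell script that records a baseline of ~/Library/Widgets, reports any bundle added since, and checks whether Safari's auto-open option is still on. It assumes widget bundles are *.wdgt folders holding an Info.plist, and that the "Open 'safe' files" option is stored under the Safari preference key AutoOpenSafeDownloads.

```shell
#!/bin/sh
# Added example, not from the original article: audit a Dashboard widget folder
# against a saved baseline so a widget dropped in behind your back is reported
# before you next open Dashboard. Assumes widget bundles are *.wdgt directories
# holding an Info.plist, and that Safari's "Open 'safe' files" option is backed
# by the preference key AutoOpenSafeDownloads.

# list_widgets DIR: one "Name.wdgt<TAB>bundle-id" line per bundle, sorted.
list_widgets() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for w in "$dir"/*.wdgt; do
        [ -d "$w" ] || continue
        # CFBundleIdentifier's value is the <string> on the line after the key.
        id=$(sed -n '/CFBundleIdentifier/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' \
                 "$w/Info.plist" 2>/dev/null || :)
        printf '%s\t%s\n' "$(basename "$w")" "${id:-unknown}"
    done | sort
}
# save_baseline DIR FILE: record the folder's current contents as trusted.
save_baseline() { list_widgets "$1" > "$2"; }
# new_widgets DIR FILE: print widgets present in DIR but absent from FILE.
new_widgets() {
    current=$(list_widgets "$1")
    [ -n "$current" ] || return 0
    [ -f "$2" ] || { printf '%s\n' "$current"; return 0; }
    printf '%s\n' "$current" | comm -23 - "$2"
}
# safari_autoopen_enabled: succeeds if Safari will still auto-open "safe"
# downloads; an absent key means Apple's default, which is enabled.
safari_autoopen_enabled() {
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
    [ "$v" = "1" ]
}

# Run the audit only on macOS; elsewhere the functions are merely defined.
if [ "$(uname)" = "Darwin" ]; then
    WIDGETS="$HOME/Library/Widgets"
    BASELINE="$HOME/.widget-baseline"
    safari_autoopen_enabled && echo "Safari still opens 'safe' files after downloading"
    if [ ! -f "$BASELINE" ]; then
        save_baseline "$WIDGETS" "$BASELINE"
        echo "Baseline recorded in $BASELINE; re-run after browsing"
    elif added=$(new_widgets "$WIDGETS" "$BASELINE") && [ -n "$added" ]; then
        printf 'New widgets since baseline (inspect before opening Dashboard):\n%s\n' "$added"
    else
        echo "No new widgets since baseline"
    fi
fi
```

Delete the baseline file after removing an unwanted Widget so the next run records a fresh trusted set.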
Widget memory usage
Widgets, though generally limited in functionality and presented as peripheral applications, can use surprisingly high amounts of RAM.
For instance, a recent check of Activity Monitor on an in-house test Mac OS X 10.4 system with 640 MB of RAM installed revealed the following real memory usage for some of Apple's default Widgets:
- Stocks DashboardClient: 19.23 MB
- Weather DashboardClient: 18.55 MB
- Calendar DashboardClient: 13.11 MB
These figures do not change significantly when the Widgets are in active use (fluctuating by 2-3 MB), indicating that the drain on system resources is constant as long as Dashboard is an active item in the Dock.
At least initially, this should not be a cause for major concern. Mac OS X has advanced methods of dealing with memory usage from such applications, and the figure reported by Activity Monitor merely represents the memory requested by a specific process, which can be reduced when other processes request memory.
If, however, you are experiencing significant system slowdown that can realistically be attributed to Widgets, you can end all Widget processes by temporarily killing the Dock. This can be accomplished by opening Activity Monitor (located in /Applications/Utilities), selecting the "Dock" process, and clicking the "Quit Process" button.
This will end all currently running Widget processes, which will not be re-activated until you again click the Dashboard icon and re-display active Widgets.
This process can also be accomplished with the Widget Manager freeware utility.