
Tiger's security headache won't go away...
By Joris Evers
Published: 23 May 2005 08:50 BST
Despite Apple updating its latest OS this week to solve a security problem with widgets, worries persist that the small applications still pose a potentially serious risk.
Widgets, small programs that install automatically after downloading, were introduced in Tiger for the Dashboard, which overlays the desktop. An attacker could write a malicious widget for Mac OS X 10.4 Tiger that would run invisibly in the background and hijack a user's "sudo" (administrative) privileges, according to an alert posted to the Full Disclosure mailing list. With administrative privileges, the attacker would have full control over the targeted Mac.
Last Monday, Apple published the Mac OS X 10.4.1 update to fix an earlier security issue with widgets. Before the patch, widgets would download and install without any prompt. Patched machines display a dialog asking the user to confirm the download, but the dialog does not tell the user that confirming also installs the widget.
While the patch mitigates the risk, security issues remain with widgets, according to Jonathan Zdziarski, a software engineer and author of the Full Disclosure posting.
"Those widgets should never be allowed to get administrative access on the system," Zdziarski said in an interview. "Apple has taken sort of the Microsoft stance with widgets, in that it is one of the few tools that is completely built into the operating system."
Zdziarski is also unhappy with how the Mac maker addressed the previous widget problem. It should be clear to users that a widget is not only being downloaded but also installed, he said. "They terribly mis-worded that button. When I click 'download', I expect to just download it. In fact, the widget is installed."
Once installed, a malicious widget can run in the background and wait until the user logs in as an administrator. It can then hijack those credentials to deliver its payload, Zdziarski said. The payload could be anything from wiping the hard drive to sending the attacker the usernames and passwords stored in the user's Keychain, he said.
For a user to fall victim to a malicious widget, the widget first has to be installed on the Mac. Several responses to Zdziarski's Full Disclosure posting argued that this required user interaction disqualifies the issue as a security vulnerability.
Apple is encouraging developers to create new widgets and its website already lists 209 of them. Widgets are also available elsewhere on the web.
For protection, users should download widgets only from trusted websites, Zdziarski suggests.
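Trusting the download site is the only control the article offers. A complementary check a Mac administrator can run is to inventory the widget bundles already on the machine and flag those whose Info.plist requests the capabilities a background-running widget would need. The script below is an added example and is not code from the article, from Zdziarski's posting or from Apple. It assumes the standard Tiger widget locations (/Library/Widgets and ~/Library/Widgets) and the Info.plist capability keys AllowSystem, AllowFileAccessOutsideOfWidget, AllowFullAccess and AllowNetworkAccess as documented for Dashboard; the two sample bundles it builds are constructed for the demonstration and are not real widgets.

```bash
#!/usr/bin/env bash
# Audit Dashboard widget bundles (*.wdgt) for Info.plist capability keys.
# Assumed, not from the article: widgets live in /Library/Widgets and
# ~/Library/Widgets, and the keys below are the Tiger Dashboard flags that
# let a widget's JavaScript run commands or touch files outside its bundle.
set -u

PRIV_KEYS="AllowSystem AllowFileAccessOutsideOfWidget AllowFullAccess AllowNetworkAccess"

# plist_bool FILE KEY -> prints "true" if <key>KEY</key> is followed by <true/>.
# The XML is collapsed to one line so key and value can be matched together.
plist_bool() {
  local file=$1 key=$2
  if tr -d '\n\t ' < "$file" | grep -q "<key>${key}</key><true/>"; then
    echo true
  else
    echo false
  fi
}

# list_widgets DIR... -> one "<bundle>\t<flags>" line per widget bundle found.
list_widgets() {
  local dir bundle plist key flags
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for bundle in "$dir"/*.wdgt; do
      [ -d "$bundle" ] || continue
      plist="$bundle/Info.plist"
      if [ ! -f "$plist" ]; then
        printf '%s\tNO-INFO-PLIST\n' "$bundle"
        continue
      fi
      flags=""
      for key in $PRIV_KEYS; do
        [ "$(plist_bool "$plist" "$key")" = true ] && flags="${flags}${key} "
      done
      printf '%s\t%s\n' "$bundle" "${flags:-none}"
    done
  done
}

# count_privileged_widgets DIR... -> number of widgets asking for AllowSystem or
# AllowFileAccessOutsideOfWidget, the flags needed to act outside the bundle.
count_privileged_widgets() {
  list_widgets "$@" | grep -c -E 'AllowSystem|AllowFileAccessOutsideOfWidget' || true
}

# make_sample_widgets -> builds a constructed sample tree (not real widgets) and
# prints its path: a benign clock widget and a "Helper" that wants AllowSystem.
make_sample_widgets() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/Clock.wdgt" "$root/Helper.wdgt"
  cat > "$root/Clock.wdgt/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.clock</string>
    <key>AllowNetworkAccess</key>
    <true/>
</dict>
</plist>
EOF
  cat > "$root/Helper.wdgt/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.helper</string>
    <key>AllowSystem</key>
    <true/>
    <key>AllowFileAccessOutsideOfWidget</key>
    <true/>
</dict>
</plist>
EOF
  echo "$root"
}

# Stand-alone use: audit the directories given, or the standard Tiger locations.
if [ "$#" -gt 0 ]; then
  list_widgets "$@"
else
  list_widgets /Library/Widgets "${HOME:-}/Library/Widgets"
fi
```

Run it with no arguments on a Tiger machine to list every installed widget with the capabilities it requests; any entry showing AllowSystem or AllowFileAccessOutsideOfWidget that the user did not knowingly install deserves a look, since a widget without those flags cannot run commands or read files outside its own bundle. The check only reads Info.plist, so it says nothing about what the widget's JavaScript actually does; it narrows the list of bundles worth inspecting by hand.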
Apple declined to comment for this story.
Joris Evers writes for CNET News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.