Apple Safari on Mac OS X Tiger automatically installs Dashboard widgets without user intervention or notice.
Dashboard is a new feature introduced in Apple Mac OS X Tiger 10.4. Dashboard is a collection of applications called "widgets." The system-installed widgets are located in /Library/Widgets and user-installed widgets are located in ~/Library/Widgets. Widgets can also make system calls through widget.system() or execute a plug-in that contains native OS X code.
The first time a user runs a widget that requests certain privileges, such as those required to make system calls, a warning dialog is displayed. Note that this dialog is displayed for all widgets except those in /Library/Widgets (system-installed widgets) and ~/Library/Widgets (user-installed widgets). For example, if a user attempts to run a widget called "Stickies" for the first time, and that widget requests certain privileges, the following dialog will be displayed:
Apple Safari automatically opens certain files by default, including widgets. When Safari opens a widget it actually performs an installation of the widget. The installation of a widget involves extracting the widget archive and copying the contents to ~/Library/Widgets. Because Safari installs the widget to the user's widget directory, the execution warning dialog is not presented when the user runs the widget for the first time.
An attacker may be able to install arbitrary code on a vulnerable system. Since OS X executes user-installed widgets over system-installed widgets with the same bundle identifier (VU#983429), a user may be more likely to unknowingly execute the code.
Upgrade or patch
With the Mac OS X 10.4.1 Update, Safari will prompt the user before installing a widget, thus preventing automatic widget installation. Please note that the dialog used in this prompt is somewhat misleading. The dialog asks "Are you sure you want to download the application '<widgetname>'?" For example:
By the time the dialog is displayed, Safari has already downloaded, extracted, and examined the contents of the widget archive. If the user clicks "Download," the widget is not "downloaded" in the expected sense. It is installed into the user's widget directory.
Disable "Open 'safe' files after downloading"
By default, Safari will open "safe" files after downloading them. This includes movies, pictures, sounds, documents, disk images, and widgets. By disabling this option, Safari will not automatically install widgets. This appears to be a more effective solution than upgrading to 10.4.1 by itself. By not automatically opening files, Safari will not automatically execute other software to handle downloaded files. Other software may contain vulnerabilities, and some "safe" files may contain code, place content in a known location, or otherwise contribute to an attack. To disable this option, select "Preferences" from the Safari menu and uncheck the option "Open 'safe' files after downloading," as specified in the Securing Your Web Browser document.
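The two checks a defender would want after reading the impact section (a user-installed widget shadowing a system widget with the same bundle identifier, VU#983429) and the workaround above (Safari's "Open 'safe' files after downloading" setting) can be scripted. The following is an added example and not part of the CERT note or of Apple's software. It assumes that each widget is a directory ending in .wdgt whose Info.plist carries a CFBundleIdentifier key, that the two widget directories are passed as parameters (so it can be pointed at /Library/Widgets and ~/Library/Widgets on a real system), and that Safari stores the "safe files" setting under the preference key AutoOpenSafeDownloads (an assumption; the note itself only names the menu option).

```shell
#!/bin/sh
# Added example (not from the CERT note): audit Dashboard widget directories for
# bundle-identifier shadowing and report Safari's "Open safe files" setting.
# Assumptions: widget bundles are <name>.wdgt directories containing an Info.plist
# with <key>CFBundleIdentifier</key><string>...</string> (the value may sit on the
# next line). Directories are parameters so the functions run on any system.

# bundle_id <widget_dir> : print the CFBundleIdentifier from Info.plist (empty if absent)
bundle_id() {
  plist="$1/Info.plist"
  [ -f "$plist" ] || return 1
  # Join lines first so a key and its value on separate lines still match,
  # then keep only the string that follows the CFBundleIdentifier key.
  tr -d '\n\t' < "$plist" |
    sed -n 's/.*<key>CFBundleIdentifier<\/key> *<string>\([^<]*\)<\/string>.*/\1/p'
}

# shadowed_widgets <system_dir> <user_dir> : one line "id user_widget system_widget"
# for every user-installed widget whose identifier matches a system-installed one.
# Dashboard runs the user copy in that case, so these are the entries to inspect.
shadowed_widgets() {
  sys="$1"; usr="$2"
  for w in "$usr"/*.wdgt; do
    [ -d "$w" ] || continue
    uid=$(bundle_id "$w") || continue
    [ -n "$uid" ] || continue
    for s in "$sys"/*.wdgt; do
      [ -d "$s" ] || continue
      sid=$(bundle_id "$s") || continue
      if [ "$uid" = "$sid" ]; then
        printf '%s %s %s\n' "$uid" "$w" "$s"
      fi
    done
  done
}

# count_shadowed <system_dir> <user_dir> : number of shadowing user widgets
count_shadowed() {
  shadowed_widgets "$1" "$2" | wc -l | tr -d ' '
}

# safari_autoopen_status : print "enabled", "disabled" or "unknown" for the
# "Open 'safe' files after downloading" option. Assumption: the setting lives in
# com.apple.Safari under AutoOpenSafeDownloads (not stated in the note). "unknown"
# is returned where the defaults tool is unavailable, e.g. on non-Mac hosts.
safari_autoopen_status() {
  command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
  v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) || { echo enabled; return 0; }
  case "$v" in
    0|false|FALSE|NO|no) echo disabled ;;
    *) echo enabled ;;
  esac
}
```

Typical use on a Tiger system is `shadowed_widgets /Library/Widgets "$HOME/Library/Widgets"` followed by `safari_autoopen_status`; any line printed by the first call names a user-installed widget that Dashboard will run instead of the system widget of the same identifier, and "enabled" from the second means a downloaded widget would still be installed without a prompt.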
Notified: June 08, 2005 Updated: June 08, 2005
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A
This vulnerability was publicly reported by stephan.com.
This document was written by Will Dormann.
CVE IDs: | CVE-2005-1474
Severity Metric: | 17.06
Date Public: | 2005-05-08
Date First Published: | 2005-06-08
Date Last Updated: | 2006-02-22 15:22 UTC
Document Revision: | 27