Apple Safari automatically installs Dashboard widgets
2005-06-08T00:00:00
ID VU:775661 Type cert Reporter CERT Modified 2006-02-22T15:22:00
Description
Overview
Apple Safari on Mac OS X Tiger automatically installs Dashboard widgets without user intervention or notice.
Description
Dashboard
Dashboard is a new feature introduced in Apple Mac OS X Tiger 10.4. Dashboard is a collection of applications called "widgets." The system-installed widgets are located in /Library/Widgets and user-installed widgets are located in ~/Library/Widgets.
Widgets
A widget is an application that is created using a combination of HTML, CSS, and JavaScript. Although the content of a widget is similar to a web page, a widget that executes within the context of Dashboard has additional privileges that are not available within a web browser. For example, a Dashboard widget can make system calls via widget.system() or execute a plug-in that contains native OS X code.
Execution warning
The first time a user runs a widget that requests certain privileges, such as those required to make system calls, a warning dialog is displayed. Note that this dialog is displayed for all widgets except those in /Library/Widgets (system-installed widgets) and ~/Library/Widgets (user-installed widgets). For example, if a user attempts to run a widget called "Stickies" for the first time, and that widget requests certain privileges, the following dialog will be displayed:
The problem
Apple Safari automatically opens certain files by default, including widgets. When Safari opens a widget it actually performs an installation of the widget. The installation of a widget involves extracting the widget archive and copying the contents to ~/Library/Widgets. Because Safari installs the widget to the user's widget directory, the execution warning dialog is not presented when the user runs the widget for the first time.
Impact
An attacker may be able to install arbitrary code on a vulnerable system. Since OS X executes user-installed widgets over system-installed widgets with the same bundle identifier (VU#983429), a user may be more likely to unknowingly execute the code.
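The following audit is an added example, not part of the original advisory or any CERT tooling. It lists user-installed widgets that request privileges, reuse the bundle identifier of a system-installed widget, or have an unreadable Info.plist. It assumes the standard Dashboard Info.plist keys (CFBundleIdentifier, AllowSystem, AllowFullAccess, AllowFileAccessOutsideOfWidget, AllowNetworkAccess, AllowInternetPlugins, AllowJava, Plugin); the sample bundles and their com.example identifiers are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Info.plist keys through which a Dashboard widget requests extra privileges.
# AllowSystem is the one that enables widget.system().
PRIVILEGE_KEYS = ("AllowSystem", "AllowFullAccess", "AllowFileAccessOutsideOfWidget",
                  "AllowNetworkAccess", "AllowInternetPlugins", "AllowJava")


def read_widget(bundle):
    """Return (bundle_id, requested_privileges) for a .wdgt bundle, or None if
    its Info.plist is missing or cannot be parsed."""
    try:
        with open(bundle / "Info.plist", "rb") as fh:
            info = plistlib.load(fh)          # handles XML and binary plists
    except (OSError, ValueError, ExpatError):
        return None
    if not isinstance(info, dict):
        return None
    privileges = [key for key in PRIVILEGE_KEYS if info.get(key)]
    if info.get("Plugin"):                    # names a bundled native plug-in
        privileges.append("Plugin")
    return info.get("CFBundleIdentifier"), privileges


def list_widgets(directory):
    """Yield (bundle_path, metadata) for every .wdgt bundle in `directory`."""
    directory = Path(directory).expanduser()
    if directory.is_dir():
        for bundle in sorted(directory.glob("*.wdgt")):
            if bundle.is_dir():
                yield bundle, read_widget(bundle)


def audit(user_dir, system_dir):
    """Report user-installed widgets that request privileges, reuse the bundle
    identifier of a system widget, or have an unreadable Info.plist."""
    system_ids = {meta[0]: bundle.name
                  for bundle, meta in list_widgets(system_dir) if meta and meta[0]}
    findings = []
    for bundle, meta in list_widgets(user_dir):
        bundle_id, privileges = meta if meta else (None, [])
        shadows = system_ids.get(bundle_id)   # name of the system widget it overrides
        if meta is None or privileges or shadows:
            findings.append({"widget": bundle.name, "bundle_id": bundle_id,
                             "privileges": privileges, "shadows": shadows,
                             "unreadable": meta is None})
    return findings


def make_sample_tree(root):
    """Build constructed widget bundles (not real widgets) under `root`."""
    root = Path(root)
    samples = {
        "system/Stickies.wdgt": {"CFBundleIdentifier": "com.example.widget.stickies"},
        "user/Stickies.wdgt": {"CFBundleIdentifier": "com.example.widget.stickies",
                               "AllowSystem": True},
        "user/Clock.wdgt": {"CFBundleIdentifier": "com.example.widget.clock"},
    }
    for rel, info in samples.items():
        bundle = root / rel
        bundle.mkdir(parents=True)
        with open(bundle / "Info.plist", "wb") as fh:
            plistlib.dump(info, fh)
    (root / "user" / "Broken.wdgt").mkdir()   # bundle with no Info.plist
    return root / "user", root / "system"


if __name__ == "__main__":
    real_user = Path("~/Library/Widgets").expanduser()
    with tempfile.TemporaryDirectory() as tmp:
        # Audit the real directories when present, otherwise the constructed sample.
        if real_user.is_dir():
            dirs = (real_user, Path("/Library/Widgets"))
        else:
            dirs = make_sample_tree(tmp)
        for finding in audit(*dirs):
            print(finding)
```

A widget that appears in the output with a non-empty `shadows` field is the case described above: a user-installed bundle that takes precedence over the system widget with the same identifier.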
Solution
Upgrade or patch
With the Mac OS X 10.4.1 Update, Safari will prompt the user before installing a widget, thus preventing automatic widget installation. Please note that the dialog used in this prompt is somewhat misleading. The dialog asks "Are you sure you want to download the application '<widgetname>'?" For example:
By the time the dialog is displayed, Safari has already downloaded, extracted, and examined the contents of the widget archive. If the user clicks "Download," the widget is not "downloaded" in the expected sense. It is installed into the user's widget directory.
Disable "Open 'safe' files after downloading"
By default, Safari will open "safe" files after downloading them. This includes movies, pictures, sounds, documents, disk images, and widgets. By disabling this option, Safari will not automatically install widgets. This appears to be a more effective solution than upgrading to 10.4.1 by itself. By not automatically opening files, Safari will not automatically execute other software to handle downloaded files. Other software may contain vulnerabilities, and some "safe" files may contain code, place content in a known location, or otherwise contribute to an attack. To disable this option, select "Preferences" from the Safari menu and uncheck the option "Open 'safe' files after downloading," as specified in the Securing Your Web Browser document.
Vendor Information
Apple Computer, Inc.
Notified: June 08, 2005 Updated: June 08, 2005
Status
Vulnerable
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A
This vulnerability was publicly reported by stephan.com.
This document was written by Will Dormann.
Other Information
CVE IDs: | CVE-2005-1474
---|---
Severity Metric: | 17.06
Date Public: | 2005-05-08
Date First Published: | 2005-06-08
Date Last Updated: | 2006-02-22 15:22 UTC
Document Revision: | 27
{"id": "VU:775661", "hash": "f4864c0e7535efaaa5bb9102f1a6ce01", "type": "cert", "bulletinFamily": "info", "title": "Apple Safari automatically installs Dashboard widgets", "description": "### Overview \n\nApple Safari on Mac OS X Tiger automatically installs Dashboard widgets without user intervention or notice.\n\n### Description \n\n**Dashboard**\n\n[Dashboard](<http://www.apple.com/macosx/features/dashboard/>) is a new feature introduced in Apple Mac OS X Tiger 10.4. Dashboard is a collection of applications called \"widgets.\" The system-installed widgets are located in `/Library/Widgets` and user-installed widgets are located in `~/Library/Widgets`. \n \n**Widgets** \n \nA [widget](<http://developer.apple.com/macosx/dashboard.html>) is an application that is created using a combination of HTML, CSS, and JavaScript. Although the content of a widget is similar to a web page, a widget that executes within the context of Dashboard has additional privileges that are not available within a web browser. For example, a Dashboard widget can make system calls via [`widget.system()`](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Scripts/chapter_12_section_2.html#//apple_ref/doc/uid/TP40001340-CH212-DontLinkElementID_36>) or execute a [plug-in](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/NativePlugin/chapter_13_section_2.html#//apple_ref/doc/uid/TP40001340-CH213-DontLinkElementID_22>) that contains [native OS X code](<http://developer.apple.com/documentation/AppleApplications/Conceptual/SafariJSProgTopics/Tasks/ObjCFromJavaScript.html#//apple_ref/doc/uid/30001215>). \n \n**Execution warning** \n \nThe first time a user runs a widget that requests [certain privileges](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html>), such as those required to make system calls, a warning dialog is displayed. 
Note that this dialog is displayed for all widgets except those in `/Library/Widgets` (system-installed widgets) and `~/Library/Widgets` (user-installed widgets). For example, if a user attempts to run a widget called \"Stickies\" for the first time, and that widget requests certain privileges, the following dialog will be displayed: \n \n \n \n**The problem** \n \nApple Safari automatically opens certain files by default, including widgets. When Safari opens a widget it actually performs an installation of the widget. The installation of a widget involves extracting the widget archive and copying the contents to `~/Library/Widgets`. Because Safari installs the widget to the user's widget directory, the execution warning dialog is not presented when the user runs the widget for the first time. \n \n--- \n \n### Impact \n\nAn attacker may be able to install arbitrary code on a vulnerable system. Since OS X executes user-installed widgets over system-installed widgets with the same bundle identifier (VU#983429), a user may be more likely to unknowingly execute the code. \n \n--- \n \n### Solution \n \n--- \n \n**Upgrade or patch** \n \nWith the [Mac OS X 10.4.1 Update](<http://docs.info.apple.com/article.html?artnum=301630>), Safari will prompt the user before installing a widget, thus preventing automatic widget installation. Please note that the dialog used in this prompt is somwhat misleading. The dialog asks \"Are you sure you want to download the application '`<widgetname>`'?\" For example: \n \n \n \nBy the time the dialog is displayed, Safari has already downloaded, extracted, and examined the contents of the widget archive. If the user clicks \"Download,\" the widget is not \"downloaded\" in the expected sense. It is installed into the user's widget directory. \n \n**Disable \"Open 'safe' files after downloading\"** \n \nBy default, Safari will open \"safe\" files after downloading them. 
This includes movies, pictures, sounds, documents, disk images, and widgets. By disabling this option, Safari will not automatically install widgets. This appears to be a more effective solution than upgrading to 10.4.1 by itself. By not automatically opening files, Safari will not automatically execute other software to handle downloaded files. Other software may contain vulnerabilities, and some \"safe\" files may contain code, place content in a known location, or otherwise contribute to an attack. To disable this option, select \"Preferences\" from the Safari menu and uncheck the option \"Open 'safe' files after downloading,\" as specified in the [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>) document. \n \n--- \n \n### Vendor Information\n\n775661\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### __ Apple Computer, Inc.\n\nNotified: June 08, 2005 Updated: June 08, 2005 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23775661 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.macworld.com/news/2005/05/09/dashboard/>\n * [http://www.macworld.co.uk/news/index.cfm?home&NewsID=11531](<http://www.macworld.co.uk/news/index.cfm?home&NewsID=11531>)\n * <http://www1.cs.columbia.edu/~aaron/files/widgets/>\n * <http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/index.html>\n * [[<a href=\"http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101\">http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/ Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101</a>]](<\\[<a href=\"http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101\">http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/ Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101</a>\\]>)\n * <http://www.apple.com/macosx/features/dashboard/>\n * <http://www.appleinsider.com/article.php?id=1073>\n * 
<http://securitytracker.com/alerts/2005/May/1014012.html>\n * <http://www.securityfocus.com/bid/13694>\n * <http://docs.info.apple.com/article.html?artnum=301630>\n\n### Acknowledgements\n\nThis vulnerability was publicly reported by stephan.com.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-1474](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1474>) \n---|--- \n**Severity Metric:****** | 17.06 \n**Date Public:** | 2005-05-08 \n**Date First Published:** | 2005-06-08 \n**Date Last Updated: ** | 2006-02-22 15:22 UTC \n**Document Revision: ** | 27 \n", "published": "2005-06-08T00:00:00", "modified": "2006-02-22T15:22:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.kb.cert.org/vuls/id/775661", "reporter": "CERT", "references": ["http://www.macworld.com/news/2005/05/09/dashboard/", "http://www.macworld.co.uk/news/index.cfm?home&NewsID=11531", "http://www1.cs.columbia.edu/~aaron/files/widgets/", "http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/index.html", "[<a href=\"http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101\">http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/ Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101</a>]", "http://www.apple.com/macosx/features/dashboard/", "http://www.appleinsider.com/article.php?id=1073", "http://securitytracker.com/alerts/2005/May/1014012.html", "http://www.securityfocus.com/bid/13694", "http://docs.info.apple.com/article.html?artnum=301630"], "cvelist": ["CVE-2005-1474"], "lastseen": "2019-10-09T19:51:53", "history": [{"bulletin": {"id": "VU:775661", "hash": "c9a450bae4d2d10d814d91bca847b8b274c8b719475cf56742e6a51d022ddb4c", "type": "cert", "bulletinFamily": "info", "title": "Apple Safari 
automatically installs Dashboard widgets", "description": "### Overview\n\nApple Safari on Mac OS X Tiger automatically installs Dashboard widgets without user intervention or notice.\n\n### Description\n\n**Dashboard**\n\n[Dashboard](<http://www.apple.com/macosx/features/dashboard/>) is a new feature introduced in Apple Mac OS X Tiger 10.4. Dashboard is a collection of applications called \"widgets.\" The system-installed widgets are located in `/Library/Widgets` and user-installed widgets are located in `~/Library/Widgets`. \n \n**Widgets** \n \nA [widget](<http://developer.apple.com/macosx/dashboard.html>) is an application that is created using a combination of HTML, CSS, and JavaScript. Although the content of a widget is similar to a web page, a widget that executes within the context of Dashboard has additional privileges that are not available within a web browser. For example, a Dashboard widget can make system calls via [`widget.system()`](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Scripts/chapter_12_section_2.html#//apple_ref/doc/uid/TP40001340-CH212-DontLinkElementID_36>) or execute a [plug-in](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/NativePlugin/chapter_13_section_2.html#//apple_ref/doc/uid/TP40001340-CH213-DontLinkElementID_22>) that contains [native OS X code](<http://developer.apple.com/documentation/AppleApplications/Conceptual/SafariJSProgTopics/Tasks/ObjCFromJavaScript.html#//apple_ref/doc/uid/30001215>). \n \n**Execution warning** \n \nThe first time a user runs a widget that requests [certain privileges](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html>), such as those required to make system calls, a warning dialog is displayed. 
Note that this dialog is displayed for all widgets except those in `/Library/Widgets` (system-installed widgets) and `~/Library/Widgets` (user-installed widgets). For example, if a user attempts to run a widget called \"Stickies\" for the first time, and that widget requests certain privileges, the following dialog will be displayed: \n \n \n \n**The problem** \n \nApple Safari automatically opens certain files by default, including widgets. When Safari opens a widget it actually performs an installation of the widget. The installation of a widget involves extracting the widget archive and copying the contents to `~/Library/Widgets`. Because Safari installs the widget to the user's widget directory, the execution warning dialog is not presented when the user runs the widget for the first time. \n \n--- \n \n### Impact\n\nAn attacker may be able to install arbitrary code on a vulnerable system. Since OS X executes user-installed widgets over system-installed widgets with the same bundle identifier (VU#983429), a user may be more likely to unknowingly execute the code. \n \n--- \n \n### Solution \n \n--- \n \n**Upgrade or patch** \n \nWith the [Mac OS X 10.4.1 Update](<http://docs.info.apple.com/article.html?artnum=301630>), Safari will prompt the user before installing a widget, thus preventing automatic widget installation. Please note that the dialog used in this prompt is somwhat misleading. The dialog asks \"Are you sure you want to download the application '`<widgetname>`'?\" For example: \n \n \n \nBy the time the dialog is displayed, Safari has already downloaded, extracted, and examined the contents of the widget archive. If the user clicks \"Download,\" the widget is not \"downloaded\" in the expected sense. It is installed into the user's widget directory. \n \n**Disable \"Open 'safe' files after downloading\"** \n \nBy default, Safari will open \"safe\" files after downloading them. 
This includes movies, pictures, sounds, documents, disk images, and widgets. By disabling this option, Safari will not automatically install widgets. This appears to be a more effective solution than upgrading to 10.4.1 by itself. By not automatically opening files, Safari will not automatically execute other software to handle downloaded files. Other software may contain vulnerabilities, and some \"safe\" files may contain code, place content in a known location, or otherwise contribute to an attack. To disable this option, select \"Preferences\" from the Safari menu and uncheck the option \"Open 'safe' files after downloading,\" as specified in the [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>) document. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nApple Computer, Inc.| | 08 Jun 2005| 08 Jun 2005 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23775661 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.macworld.com/news/2005/05/09/dashboard/>\n * [http://www.macworld.co.uk/news/index.cfm?home&NewsID;=11531](<http://www.macworld.co.uk/news/index.cfm?home&NewsID=11531>)\n * <http://www1.cs.columbia.edu/~aaron/files/widgets/>\n * <http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/index.html>\n * [http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/ Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101](<<a href=>)\">[http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/ 
Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101>)\n", "published": "2005-06-08T00:00:00", "modified": "2006-02-22T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.kb.cert.org/vuls/id/775661", "reporter": "CERT", "references": ["http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Scripts/chapter_12_section_2.html#//apple_ref/doc/uid/TP40001340-CH212-DontLinkElementID_36", "http://www.macworld.co.uk/news/index.cfm?home&NewsID=11531", "http://www.us-cert.gov/reading_room/securing_browser/#sgeneral", "http://www.macworld.com/news/2005/05/09/dashboard/", "http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/NativePlugin/chapter_13_section_2.html#//apple_ref/doc/uid/TP40001340-CH213-DontLinkElementID_22", "http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html", "http://developer.apple.com/macosx/dashboard.html", "http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101", "http://developer.apple.com/documentation/AppleApplications/Conceptual/SafariJSProgTopics/Tasks/ObjCFromJavaScript.html#//apple_ref/doc/uid/30001215", "http://www1.cs.columbia.edu/~aaron/files/widgets/", "http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/index.html", "http://docs.info.apple.com/article.html?artnum=301630", "http://www.apple.com/macosx/features/dashboard/"], "cvelist": [], "lastseen": "2016-02-03T09:12:21", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2016-02-03T09:12:21", 
"differentElements": ["description"], "edition": 1}, {"bulletin": {"id": "VU:775661", "hash": "d6e155229e5c43bde53c942f6a7e0eee", "type": "cert", "bulletinFamily": "info", "title": "Apple Safari automatically installs Dashboard widgets", "description": "### Overview\n\nApple Safari on Mac OS X Tiger automatically installs Dashboard widgets without user intervention or notice.\n\n### Description\n\n**Dashboard**\n\n[Dashboard](<http://www.apple.com/macosx/features/dashboard/>) is a new feature introduced in Apple Mac OS X Tiger 10.4. Dashboard is a collection of applications called \"widgets.\" The system-installed widgets are located in `/Library/Widgets` and user-installed widgets are located in `~/Library/Widgets`. \n \n**Widgets** \n \nA [widget](<http://developer.apple.com/macosx/dashboard.html>) is an application that is created using a combination of HTML, CSS, and JavaScript. Although the content of a widget is similar to a web page, a widget that executes within the context of Dashboard has additional privileges that are not available within a web browser. For example, a Dashboard widget can make system calls via [`widget.system()`](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Scripts/chapter_12_section_2.html#//apple_ref/doc/uid/TP40001340-CH212-DontLinkElementID_36>) or execute a [plug-in](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/NativePlugin/chapter_13_section_2.html#//apple_ref/doc/uid/TP40001340-CH213-DontLinkElementID_22>) that contains [native OS X code](<http://developer.apple.com/documentation/AppleApplications/Conceptual/SafariJSProgTopics/Tasks/ObjCFromJavaScript.html#//apple_ref/doc/uid/30001215>). 
\n \n**Execution warning** \n \nThe first time a user runs a widget that requests [certain privileges](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html>), such as those required to make system calls, a warning dialog is displayed. Note that this dialog is displayed for all widgets except those in `/Library/Widgets` (system-installed widgets) and `~/Library/Widgets` (user-installed widgets). For example, if a user attempts to run a widget called \"Stickies\" for the first time, and that widget requests certain privileges, the following dialog will be displayed: \n \n \n \n**The problem** \n \nApple Safari automatically opens certain files by default, including widgets. When Safari opens a widget it actually performs an installation of the widget. The installation of a widget involves extracting the widget archive and copying the contents to `~/Library/Widgets`. Because Safari installs the widget to the user's widget directory, the execution warning dialog is not presented when the user runs the widget for the first time. \n \n--- \n \n### Impact\n\nAn attacker may be able to install arbitrary code on a vulnerable system. Since OS X executes user-installed widgets over system-installed widgets with the same bundle identifier (VU#983429), a user may be more likely to unknowingly execute the code. \n \n--- \n \n### Solution \n \n--- \n \n**Upgrade or patch** \n \nWith the [Mac OS X 10.4.1 Update](<http://docs.info.apple.com/article.html?artnum=301630>), Safari will prompt the user before installing a widget, thus preventing automatic widget installation. Please note that the dialog used in this prompt is somwhat misleading. The dialog asks \"Are you sure you want to download the application '`<widgetname>`'?\" For example: \n \n \n \nBy the time the dialog is displayed, Safari has already downloaded, extracted, and examined the contents of the widget archive. 
If the user clicks \"Download,\" the widget is not \"downloaded\" in the expected sense. It is installed into the user's widget directory. \n \n**Disable \"Open 'safe' files after downloading\"** \n \nBy default, Safari will open \"safe\" files after downloading them. This includes movies, pictures, sounds, documents, disk images, and widgets. By disabling this option, Safari will not automatically install widgets. This appears to be a more effective solution than upgrading to 10.4.1 by itself. By not automatically opening files, Safari will not automatically execute other software to handle downloaded files. Other software may contain vulnerabilities, and some \"safe\" files may contain code, place content in a known location, or otherwise contribute to an attack. To disable this option, select \"Preferences\" from the Safari menu and uncheck the option \"Open 'safe' files after downloading,\" as specified in the [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>) document. 
\n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nApple Computer, Inc.| | 08 Jun 2005| 08 Jun 2005 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23775661 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.macworld.com/news/2005/05/09/dashboard/>\n * [http://www.macworld.co.uk/news/index.cfm?home&NewsID;=11531](<http://www.macworld.co.uk/news/index.cfm?home&NewsID=11531>)\n * <http://www1.cs.columbia.edu/~aaron/files/widgets/>\n * <http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/index.html>\n * [http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/ Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101](<<a href=>)\">[http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/ Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101>)\n", "published": "2005-06-08T00:00:00", "modified": "2006-02-22T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.kb.cert.org/vuls/id/775661", "reporter": "CERT", "references": ["http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Scripts/chapter_12_section_2.html#//apple_ref/doc/uid/TP40001340-CH212-DontLinkElementID_36", "http://www.macworld.co.uk/news/index.cfm?home&NewsID=11531", "http://www.us-cert.gov/reading_room/securing_browser/#sgeneral", "http://www.macworld.com/news/2005/05/09/dashboard/", 
"http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/NativePlugin/chapter_13_section_2.html#//apple_ref/doc/uid/TP40001340-CH213-DontLinkElementID_22", "http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html", "http://developer.apple.com/macosx/dashboard.html", "http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101", "http://developer.apple.com/documentation/AppleApplications/Conceptual/SafariJSProgTopics/Tasks/ObjCFromJavaScript.html#//apple_ref/doc/uid/30001215", "http://www1.cs.columbia.edu/~aaron/files/widgets/", "http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/index.html", "http://docs.info.apple.com/article.html?artnum=301630", "http://www.apple.com/macosx/features/dashboard/"], "cvelist": [], "lastseen": "2018-08-02T21:57:13", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2018-08-02T21:57:13", "differentElements": ["cvelist", "cvss", "description", "modified", "references"], "edition": 2}, {"bulletin": {"id": "VU:775661", "hash": "4fdceff7e5afa7b9ef1752480b1cd868", "type": "cert", "bulletinFamily": "info", "title": "Apple Safari automatically installs Dashboard widgets", "description": "### Overview \n\nApple Safari on Mac OS X Tiger automatically installs Dashboard widgets without user intervention or notice.\n\n### Description \n\n**Dashboard**\n\n[Dashboard](<http://www.apple.com/macosx/features/dashboard/>) is a new feature introduced in Apple Mac OS X Tiger 10.4. Dashboard is a collection of applications called \"widgets.\" The system-installed widgets are located in `/Library/Widgets` and user-installed widgets are located in `~/Library/Widgets`. 
\n \n**Widgets** \n \nA [widget](<http://developer.apple.com/macosx/dashboard.html>) is an application that is created using a combination of HTML, CSS, and JavaScript. Although the content of a widget is similar to a web page, a widget that executes within the context of Dashboard has additional privileges that are not available within a web browser. For example, a Dashboard widget can make system calls via [`widget.system()`](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Scripts/chapter_12_section_2.html#//apple_ref/doc/uid/TP40001340-CH212-DontLinkElementID_36>) or execute a [plug-in](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/NativePlugin/chapter_13_section_2.html#//apple_ref/doc/uid/TP40001340-CH213-DontLinkElementID_22>) that contains [native OS X code](<http://developer.apple.com/documentation/AppleApplications/Conceptual/SafariJSProgTopics/Tasks/ObjCFromJavaScript.html#//apple_ref/doc/uid/30001215>). \n \n**Execution warning** \n \nThe first time a user runs a widget that requests [certain privileges](<http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html>), such as those required to make system calls, a warning dialog is displayed. Note that this dialog is displayed for all widgets except those in `/Library/Widgets` (system-installed widgets) and `~/Library/Widgets` (user-installed widgets). For example, if a user attempts to run a widget called \"Stickies\" for the first time, and that widget requests certain privileges, the following dialog will be displayed: \n \n \n \n**The problem** \n \nApple Safari automatically opens certain files by default, including widgets. When Safari opens a widget it actually performs an installation of the widget. The installation of a widget involves extracting the widget archive and copying the contents to `~/Library/Widgets`. 
Because Safari installs the widget to the user's widget directory, the execution warning dialog is not presented when the user runs the widget for the first time. \n \n--- \n \n### Impact \n\nAn attacker may be able to install arbitrary code on a vulnerable system. Since OS X executes user-installed widgets over system-installed widgets with the same bundle identifier (VU#983429), a user may be more likely to unknowingly execute the code. \n \n--- \n \n### Solution \n \n--- \n \n**Upgrade or patch** \n \nWith the [Mac OS X 10.4.1 Update](<http://docs.info.apple.com/article.html?artnum=301630>), Safari will prompt the user before installing a widget, thus preventing automatic widget installation. Please note that the dialog used in this prompt is somwhat misleading. The dialog asks \"Are you sure you want to download the application '`<widgetname>`'?\" For example: \n \n \n \nBy the time the dialog is displayed, Safari has already downloaded, extracted, and examined the contents of the widget archive. If the user clicks \"Download,\" the widget is not \"downloaded\" in the expected sense. It is installed into the user's widget directory. \n \n**Disable \"Open 'safe' files after downloading\"** \n \nBy default, Safari will open \"safe\" files after downloading them. This includes movies, pictures, sounds, documents, disk images, and widgets. By disabling this option, Safari will not automatically install widgets. This appears to be a more effective solution than upgrading to 10.4.1 by itself. By not automatically opening files, Safari will not automatically execute other software to handle downloaded files. Other software may contain vulnerabilities, and some \"safe\" files may contain code, place content in a known location, or otherwise contribute to an attack. 
To disable this option, select \"Preferences\" from the Safari menu and uncheck the option \"Open 'safe' files after downloading,\" as specified in the [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>) document. \n \n--- \n \n### Vendor Information\n\n### Apple Computer, Inc. \n\nNotified: June 08, 2005 Updated: June 08, 2005 \n\n### Status\n\nVulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23775661 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.macworld.com/news/2005/05/09/dashboard/>\n * [http://www.macworld.co.uk/news/index.cfm?home&NewsID=11531](<http://www.macworld.co.uk/news/index.cfm?home&NewsID=11531>)\n * <http://www1.cs.columbia.edu/~aaron/files/widgets/>\n * <http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/index.html>\n 
* <http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101>\n * <http://www.apple.com/macosx/features/dashboard/>\n * <http://www.appleinsider.com/article.php?id=1073>\n * <http://securitytracker.com/alerts/2005/May/1014012.html>\n * <http://www.securityfocus.com/bid/13694>\n * <http://docs.info.apple.com/article.html?artnum=301630>\n\n### Credit\n\nThis vulnerability was publicly reported by stephan.com. \n\nThis document was written by Will Dormann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-1474](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1474>) \n---|--- \n**Severity Metric:** | 17.06 \n**Date Public:** | 2005-05-08 \n**Date First Published:** | 2005-06-08 \n**Date Last Updated:** | 2006-02-22 15:22 UTC \n**Document Revision:** | 27 \n", "published": "2005-06-08T00:00:00", "modified": "2006-02-22T15:22:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/775661", "reporter": "CERT", "references": ["http://www.macworld.com/news/2005/05/09/dashboard/", "http://www.macworld.co.uk/news/index.cfm?home&NewsID=11531", "http://www1.cs.columbia.edu/~aaron/files/widgets/", "http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/index.html", "[<a href=\"http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101\">http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/ 
Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101</a>]", "http://www.apple.com/macosx/features/dashboard/", "http://www.appleinsider.com/article.php?id=1073", "http://securitytracker.com/alerts/2005/May/1014012.html", "http://www.securityfocus.com/bid/13694", "http://docs.info.apple.com/article.html?artnum=301630"], "cvelist": ["CVE-2005-1474"], "lastseen": "2018-12-25T20:19:33", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-1474"]}, {"type": "osvdb", "idList": ["OSVDB:16499"]}, {"type": "nessus", "idList": ["MACOSX_10_4_2.NASL", "MACOSX_10_4_1.NASL"]}], "modified": "2018-12-25T20:19:33"}}, "objectVersion": "1.4"}, "lastseen": "2018-12-25T20:19:33", "differentElements": ["description"], "edition": 3}], "viewCount": 0, "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2019-10-09T19:51:53"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-1474"]}, {"type": "osvdb", "idList": ["OSVDB:16499"]}, {"type": "nessus", "idList": ["MACOSX_10_4_1.NASL", "MACOSX_10_4_2.NASL"]}], "modified": "2019-10-09T19:51:53"}, "vulnersScore": 6.8}, "objectVersion": "1.4", "_object_type": "robots.models.cert.CertBulletin", "_object_types": ["robots.models.cert.CertBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:14", "bulletinFamily": "NVD", "description": "Dashboard in Apple Mac OS X 10.4.1 allows remote attackers to install widgets via Safari without prompting the user, a different vulnerability than CVE-2005-1933.", "modified": "2008-09-05T20:49:00", "id": "CVE-2005-1474", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1474", "published": "2005-06-13T04:00:00", "title": "CVE-2005-1474", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:12", "bulletinFamily": "software", "description": "## Vulnerability Description\nDashboard in combination with Safari in Mac OS X contains a flaw that may allow a remote attacker to inject arbitrary widgets. The issue is triggered when the 'Open \"safe\" files after downloading' option in Safari is enabled. It is possible that the flaw may allow a remote attacker to create a malicious web page that contains an embedded META tag to trigger Safari to download a malicious widget, which would be automatically installed under the /Library/Widgets or ~/Library/Widgets directory without any user intervention resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 10.4.1 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Disable the 'Open \"safe\" files after downloading' option in Safari.\n## Short Description\nDashboard in combination with Safari in Mac OS X contains a flaw that may allow a remote attacker to inject arbitrary widgets. The issue is triggered when the 'Open \"safe\" files after downloading' option in Safari is enabled. 
It is possible that the flaw may allow a remote attacker to create a malicious web page that contains an embedded META tag to trigger Safari to download a malicious widget, which would be automatically installed under the /Library/Widgets or ~/Library/Widgets directory without any user intervention resulting in a loss of integrity.\n## References:\nVendor URL: http://www.apple.com/\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=301629)\nSecurity Tracker: 1014012\nOther Advisory URL: http://www1.cs.columbia.edu/~aaron/files/widgets/\nOther Advisory URL: http://stephan.com/widgets/zaptastic/\n[CVE-2005-1474](https://vulners.com/cve/CVE-2005-1474)\n", "modified": "2005-05-09T00:00:00", "published": "2005-05-09T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:16499", "id": "OSVDB:16499", "type": "osvdb", "title": "Mac OS X Dashboard Arbitrary Widget Injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-11-01T02:49:39", "bulletinFamily": "scanner", "description": "The remote host is running a version of Mac OS X 10.4.x that is prior\nto 10.4.1.\n\nMac OS X 10.4.1 contains several security fixes for :\n\n- Bluetooth\n- Dashboard\n- Kernel\n- SecurityAgent", "modified": "2019-11-02T00:00:00", "id": "MACOSX_10_4_1.NASL", "href": "https://www.tenable.com/plugins/nessus/18353", "published": "2005-05-20T00:00:00", "title": "Mac OS X 10.4.x < 10.4.1 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(18353);\n script_version (\"1.19\");\n script_cve_id(\"CVE-2005-1472\", \"CVE-2005-1473\", \"CVE-2005-1474\");\n script_bugtraq_id(13694, 13695, 13696);\n\n script_name(english:\"Mac OS X 10.4.x < 10.4.1 Multiple Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes various\nsecurity issues.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.4.x that is prior\nto 10.4.1.\n\nMac OS X 10.4.1 contains several security fixes for :\n\n- Bluetooth\n- Dashboard\n- Kernel\n- SecurityAgent\" );\n # http://web.archive.org/web/20090106074817/http://support.apple.com/kb/TA23244?viewlocale=en_US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e2ed7e60\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mac OS X 10.4.1.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/05/20\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2005/05/19\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\nscript_end_attributes();\n\n script_summary(english:\"Check for the version of Mac OS X\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, 
Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n script_dependencies(\"ssh_get_info.nasl\", \"mdns.nasl\");\n #script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif ( ! os ) os = get_kb_item(\"mDNS/os\");\nif ( ! os ) exit(0);\n\nif ( ereg(pattern:\"Mac OS X 10\\.4$\", string:os )) security_warning(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:49:39", "bulletinFamily": "scanner", "description": "The remote host is running a version of Mac OS X 10.4.x that is prior\nto 10.4.2. Mac OS X 10.4.2 contains several security fixes for :\n\n- TCP/IP\n- Dashboard\n- Bluetooth File and Object Exchange", "modified": "2019-11-02T00:00:00", "id": "MACOSX_10_4_2.NASL", "href": "https://www.tenable.com/plugins/nessus/18683", "published": "2005-07-12T00:00:00", "title": "Mac OS X 10.4.x < 10.4.2 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(18683);\n script_version (\"1.22\");\n\n script_cve_id(\"CVE-2005-1333\", \"CVE-2005-1474\", \"CVE-2005-2194\");\n script_bugtraq_id(14241);\n\n script_name(english:\"Mac OS X 10.4.x < 10.4.2 Multiple Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host may be affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.4.x that is prior\nto 10.4.2. 
Mac OS X 10.4.2 contains several security fixes for :\n\n- TCP/IP\n- Dashboard\n- Bluetooth File and Object Exchange\" );\n # http://web.archive.org/web/20060419231505/http://docs.info.apple.com/article.html?artnum=301948\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?35ecc934\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the Mac OS X 10.4.2 Update.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/07/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2005/07/11\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\nscript_end_attributes();\n\n script_summary(english:\"Check the version of Mac OS X\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n script_dependencies(\"ssh_get_info.nasl\", \"mdns.nasl\");\n #script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif ( ! os ) os = get_kb_item(\"mDNS/os\");\nif ( ! os ) exit(0);\n\nif ( ereg(pattern:\"Mac OS X 10\\.4($|\\.1([^0-9]|$))\", string:os )) security_warning(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}