CERTVU:983429Apple Mac OSX executes arbitrary widget with same "bundle identifier" as system widget
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
73.6%
Overview
Apple Mac OS X Tiger Dashboard executes arbitrary widgets with the same “bundle identifier” as a system widget. This can allow a user-installed widget to override a system-installed one.
Description
Dashboard
Dashboard is a new feature introduced in Apple Mac OS X Tiger 10.4. Dashboard is a collection of applications called “widgets.” The system-installed widgets are located in /Library/Widgets and user-installed widgets are located in ~/Library/Widgets.
Widgets
A widget is an application that is created using a combination of HTML, CSS, and JavaScript. Although the content of a widget is similar to a web page, a widget that executes within the context of Dashboard has additional privileges that are not available within a web browser. For example, a Dashboard widget can make system calls via widget.system() or execute a plug-in that contains native OS X code.
The problem
Dashboard identifies widgets by the CFBundleIdentifier property in the Info.plist file contained within the widget. As specified in Apple QA1373, “applications with identical CFBundleIdentifier values will override each other.” When a widget is executed, Dashboard will run the user-installed widget instead of the system-installed widget with the same CFBundleIdentifier value. A user-installed widget with the same CFBundleIdentifier as a system-installed widget will replace the system-installed widget in the Dashboard, so the user may not be aware that the change has taken place.
Impact
If an attacker can convince a user to install a widget, the attacker may be able to execute arbitrary commands or code with the privileges of the user. This execution would take place when the user runs what appears to be a system widget.
By default, Safari on OS X 10.4 downloads and installs widgets without any user interaction or notification (VU#775661).
Solution
Install an update
This issue is addressed by the OS X 10.4.2 update. With this update, OS X will warn the user if a widget to be installed will override an existing widget. User-installed widgets will still override system-installed widgets, but this change will help prevent accidental installation of a widget that has the same CFBundleIdentifier value as an existing widget.
Disable “Open ‘safe’ files after downloading”
By default, Safari will open “safe” files after downloading them. This includes movies, pictures, sounds, documents, disk images, and widgets. By disabling this option, Safari will prompt before installing widgets. By not automatically opening files, Safari will not automatically execute other software to handle downloaded files. Other software may contain vulnerabilities, and some “safe” files may contain code, place content in a known location, or otherwise contribute to an attack. To disable this option, select “Preferences” from the Safari menu and uncheck the option “Open ‘safe’ files after downloading,” as specified in the Securing Your Web Browser document.
Do not open untrusted Dashboard widgets
Dashboard widgets may give the impression that they are harmless web applets. Widgets are effectively arbitrary OS X code. Do not download, install, or execute arbitrary code, including widgets.
Vendor Information
983429
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Apple Computer, Inc. __ Affected
Notified: June 08, 2005 Updated: June 08, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23983429 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www1.cs.columbia.edu/~aaron/files/widgets/>
- <http://docs.info.apple.com/article.html?artnum=301722>
- <http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/index.html>
- <http://www.apple.com/macosx/features/dashboard/>
- <http://www.appleinsider.com/article.php?id=1073>
- <http://developer.apple.com/qa/qa2004/qa1373.html>
Acknowledgements
This vulnerability was publicly reported by mithras.the.prophet.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2005-1933 |
|---|---|
| Severity Metric: | 1.58 Date Public: |
References
developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/index.html
developer.apple.com/qa/qa2004/qa1373.html
docs.info.apple.com/article.html?artnum=301722
www.apple.com/macosx/features/dashboard/
www.appleinsider.com/article.php?id=1073
www1.cs.columbia.edu/~aaron/files/widgets/
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
73.6%