Apple has patched a vulnerability in its Tiger OS regarding widgets, or small programs that self-install after they have been downloaded, but one
expert claims the problem is not solved. The problem lies with the wording in a display box that indicates that the user is approving a download,
when in fact an installation is being approved. Malicious coders can write widgets that can, using administrative privileges, run undetected in the
background and deliver their malicious code.
Though Apple Computer updated its latest OS this week to solve a security problem with widgets, worries persist that the small applications still
pose a potentially serious risk.
Widgets, or small programs that automatically install after downloading, were introduced in Tiger for the Dashboard, which overlays the desktop. An
attacker could write a malicious widget for Mac OS X 1.4 Tiger that would run invisibly in the background and hijack a user's "sudo," or
administrative, privileges on a system, according to an alert distributed on the Full Disclosure mailing lists late Wednesday. With administrative
privileges, the attacker would have full control over the targeted Mac.
On Monday, Apple published the Mac OS X 10.4.1 update to fix an earlier security issue related to the widgets. Before the patch, widgets would
download and install without warning. Patched machines display a box that asks the PC user to confirm a download, but don't tell the user that the
confirmation also triggers installation of the widget.
While the patch mitigates the risk, security issues remain with widgets, according to Jonathan Zdziarski, a software engineer and author of
Wednesday's Full Disclosure posting.
Please visit the link provided for the complete story.
In my reading of late regarding the relative merits of Macs and PCs, it has been noted by some that one of the main problems with PCs is that many
people, if not most, surf the web with an administrative account, not understanding the problems that can occur as a result, if malware is downloaded.
Apple actually encourages developers to write widgets and over two hundred are available on Apple's web site. It does seem, however, that if Mac
users are aware of the risks, they can avert danger by exercising caution.
[edit on 05/5/20 by GradyPhilpott]