Apple Patches Widget Malware Hole in Tiger

Apple patches four security holes, the most well-known of which is the problem where widgets could be downloaded and installed without any specific user confirmation.

Apple Computer Inc. has quietly patched several security holes in Mac OS X 10.4, also known as "Tiger," including one that allows potentially malicious widgets to be downloaded and installed into Dashboard.

The security patches were released as part of an OS X 10.4.1 update earlier this week, but the company has only just released details of them. The update patches four security holes, the most well-known of which is the problem where widgets—small applications working in the softwares Dashboard system—could be downloaded and installed without any specific user confirmation. Under 10.4.1, automatic installation of Widgets is blocked, and users must specifically approve the installation of each Widget.

/zimages/4/28571.gifTo read more about the malicious widgets, click here.

Although several Web pages appeared that demonstrated how widgets could be installed without user intervention, there have been no reports of malicious widgets being found in the wild. However, because widgets can execute code—including shell scripts—outside the Dashboard environment, the ability for widgets to be downloaded and installed simply by clicking on a Web link looked like a potential route for malware on the platform.

Also patched is an issue with Bluetooth file exchange support, which could potentially be used to access files outside the default file exchange directory, allowing Bluetooth devices access to files throughout the system. The update also patches a kernel issue that could reveal the names of files that would normally be hidden from a user through two system calls designed for searching, as well as a second kernel problem that allowed a potential denial-of-service attack via a vulnerability in the nfs_mount() call.

In addition, Apple has fixed an issue with locked screen savers, which had previously allowed any user with physical access to the machine to open URLs without having to type a user name or password to unlock the system.

/zimages/4/28571.gifFor insights on the Mac in the enterprise, check out Executive Editor Matthew Rothenbergs Weblog.

Despite the widgets issue, which received a large amount of attention on its discovery shortly after Tigers release, Apple has had praise from analysts for its approach to security issues. Although several analysts cautioned that the companys growing market share may see it garner more attention from hackers and virus writers, Peter Kastner, director at Vericours Inc., claimed that "so far Apple has been able to keep up with—if not a step ahead of—the bad guys."

/zimages/4/28571.gifCheck out eWEEK.coms for the latest news, reviews and analysis on Apple in the enterprise.