May 09, 2005

Another browser "hole"

Similar in nature to the Firefox security hole we pointed out earlier, Safari/Dashboard has a hole in its "widget" system and auto-installation.
Here is a description of what happens when you click the example link:

[a] Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes.

This one is Mac only: you have to be in Safari, and it only applies under Tiger (Mac OS X 10.4).

This is very similar to the Firefox issue in that it downloads and installs/runs a program on your machine. If you are letting your system do this, that is a bad thing. The issue is less that they are allowed to do it and more that they allow it without telling or asking you before it installs and runs.
This is exactly the sort of thing that IE used to do and, as of late, appears to do less of, and during those times others and I would say to use Safari (if you are on a Mac) and/or Firefox instead. But as I also warned, the Mac itself is not invulnerable to such things; it just didn't have anyone showing an exploit yet.
Now if you are on Tiger (OS X 10.4), you have one exploit available for you.

No word yet on a patch/fix for this.

Posted by Eric at May 9, 2005 02:15 PM
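
Because the install described above happens without a prompt, one practical check is to audit the widget folder yourself. The following is an added example, not code from the original post: it lists every .wdgt bundle whose identifier is not on a known list, with the access keys it declares. It assumes widgets sit in the per-user ~/Library/Widgets folder; the sample bundles and identifiers are constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Access keys a Dashboard widget can declare in its Info.plist.
ACCESS_KEYS = ("AllowFullAccess", "AllowSystem", "AllowNetworkAccess",
               "AllowFileAccessOutsideOfWidget")


def audit_widgets(widget_dir, known_ids):
    """Return one finding per *.wdgt bundle whose identifier is not in known_ids."""
    findings = []
    for bundle in sorted(Path(widget_dir).glob("*.wdgt")):
        try:
            with (bundle / "Info.plist").open("rb") as fh:
                info = plistlib.load(fh)
        except (OSError, ValueError, ExpatError):
            info = None
        if not isinstance(info, dict):
            info = {}  # missing or unreadable metadata is still reported below
        ident = str(info.get("CFBundleIdentifier", "<no usable Info.plist>"))
        if ident in known_ids:
            continue
        findings.append({
            "bundle": bundle.name,
            "identifier": ident,
            "access": [k for k in ACCESS_KEYS if info.get(k) is True],
        })
    return findings


def build_sample(root):
    """Constructed sample: widget bundles with made-up identifiers."""
    samples = {
        "Weather.wdgt": {"CFBundleIdentifier": "com.example.widget.weather",
                         "AllowNetworkAccess": True},
        "Unknown.wdgt": {"CFBundleIdentifier": "com.example.widget.unknown",
                         "AllowSystem": True, "AllowNetworkAccess": True},
    }
    for name, info in samples.items():
        (root / name).mkdir()
        with (root / name / "Info.plist").open("wb") as fh:
            plistlib.dump(info, fh)
    (root / "NoPlist.wdgt").mkdir()  # bundle with no metadata at all
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_widgets(build_sample(Path(tmp)), {"com.example.widget.weather"}):
            print(finding)
```

On a real Tiger machine the call would be `audit_widgets(Path.home() / "Library/Widgets", known_ids)`, with `known_ids` holding the identifiers of widgets you installed on purpose.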
