Apple gives identity thieves a way in
One of the world's leading software companies has just introduced a product that can put users and their data in peril. And despite being warned about it, this company has so far done nothing to protect its customers.
Apple has won well-deserved plaudits for the elegance and security of its Mac OS X operating system. The worms, viruses, and assorted malware that plague users of Microsoft Windows are virtually unknown among Mac devotees. When geeks congregate, they often debate why this is. Some say the Mac's software architecture, based on the advanced Unix operating system, is inherently more secure. Others say that since only about 3 percent of the world's computer users own Macs, vandals rarely bother with them. The hundreds of millions of Windows machines are a juicier target.
But it's just possible that the bad guys will develop a new interest in attacking Macs, thanks to the inclusion of a well-intentioned but risky feature of Apple's latest upgrade to OS X, nicknamed Tiger.
Overall, Tiger is an attractive and powerful enhancement of an operating system that was already excellent. The new Spotlight search feature is the best thing of its kind ever offered, a program that indexes every file on your computer and lets you locate and activate them in a few seconds.
But the gaudiest new feature of Tiger is Dashboard, a handy kit of simple mini-programs that let you easily perform a host of valuable little tasks. Tiger comes with a dozen or so of these "widgets," as Apple calls them. One tracks the local weather, another shows the latest stock market averages, still another lets you look up words in the Oxford American Dictionary. All in all, an appealing and useful tool.
Indeed, Dashboard becomes more useful by the day. Apple made it easy for programmers to whip up widgets to sell or give away. Dashboard users can click a button to visit a website listing dozens of new applets written since Tiger's debut. There's one that shows today's local TV listings, for instance, another that displays news headlines from CNN, still another that lets you look up Bible passages.
Cool, yes? Stephan Meyers thought so. But Meyers, an actor, programmer and former senior research scientist at Finnish cellphone maker Nokia, soon began having second thoughts. While fiddling with the widgets, he found that Tiger would automatically install them on his computer. "I happen to think autoinstall is great," said Meyers. "I think it's really cool." But then he realized the damage that could be done if someone wrote a malignant widget that automatically installed itself and attacked its host.
As an experiment, Meyers tried to write such a widget. Alas, he succeeded. Nice guy that he is, Meyers' widget doesn't do anything especially harmful. It just pops open your Web browser and takes you to a page that he created. The widget does this whenever you activate Dashboard, even if you're trying to use a different widget. It's a real nuisance, made possible by Apple's decision to make it easy to write Dashboard programs.
It's an old story for users of Microsoft software. For years, the company practically bragged about designing its products for customer convenience rather than security. The classic example is ActiveX, a technology that lets Microsoft's Web browser install software from a remote website, and run it on your PC. It seemed like a good idea for website operators as well as users. That was before people realized that ActiveX programs could do any number of nasty things, like capturing people's passwords and credit card numbers, and relaying them to identity thieves.
ActiveX programs warn the user before they're installed, something the Dashboard widgets don't do. But the warnings weren't enough. Not knowing any better, millions of people let the programs run, with appalling results. These days, even Microsoft gives users the option to block ActiveX programs. One reason that alternative browsers like Firefox and Opera are so popular is that they can't run ActiveX, thus protecting the public by default.
But Tiger runs Dashboard widgets by default, a fact that worries Meyers and appalls Aaron Harnly, a doctoral candidate in computer science at Columbia University. Harnly began investigating the matter when he read an Internet report about Meyers' work. "I didn't think it would really be a major flaw," said Harnly, "but then as I dug into it, it appeared to be more serious."
Harnly figured out a way to replace a "notepad" widget created by Apple with a hostile version of his own. His version of the program automatically activates the computer's e-mail program and tries to read the names in the address book. Indeed, Harnly said that a skilled programmer could write a widget that could gain full access to data stored on a victim's computer. "Essentially you could have an autoinstalled widget that looks exactly like the Apple one . . . that has full access to your files."
It's the kind of thing that happens when well-meaning software designers go a little too far, said Harnly. "They added an extra feature because they thought it would be neat," he said, "but they didn't think it through."
You can't be sure a widget is safe without running it, though you might be able to rely on programs that come from a trusted source. But at least you can prevent these programs from running without your permission. Go into the Safari Web browser preference window. You'll see a line that reads, "Open 'safe' files after downloading." This feature will instantly display downloaded photos or movies. But it will also automatically install widgets, which Apple considers "safe." Uncheck the box next to this line. You'll have to work a little harder to view Web videos, but you'll be protected from wicked widgets.
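The same setting can be audited and turned off from a terminal, which is handier than clicking through preferences on every Mac you look after. This is an added example, not from the column or from Apple; it assumes the Safari preference behind that checkbox is the boolean key `AutoOpenSafeDownloads` in the `com.apple.Safari` domain (treated as on when unset) and that user-installed widgets live in `~/Library/Widgets`.

```shell
#!/bin/sh
# Added example: audit and harden Safari's "Open 'safe' files after
# downloading" setting, which the column says auto-installs Dashboard
# widgets in Tiger. Assumed preference key: com.apple.Safari
# AutoOpenSafeDownloads (boolean; Safari treats an unset key as enabled).

# Interpret the raw output of `defaults read` for that key.
# Prints "off" only for an explicit false value; anything else, including
# an empty string from a missing key, is the default, "on".
interpret_auto_open() {
    case "$1" in
        0|false|FALSE|no|NO) echo off ;;
        *)                  echo on ;;
    esac
}

# Read the live setting (macOS only). Errors from a missing key are
# silenced so the empty result falls through to "on".
safari_auto_open_status() {
    raw=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    interpret_auto_open "$raw"
}

# Uncheck the box from the shell if it is currently on. Quit Safari first,
# otherwise it may write its cached preferences back over this change.
disable_safari_auto_open() {
    if [ "$(safari_auto_open_status)" = on ]; then
        defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
        echo "AutoOpenSafeDownloads: disabled"
    else
        echo "AutoOpenSafeDownloads: already off"
    fi
}

# List widgets installed for this user (assumed path ~/Library/Widgets;
# Apple's bundled ones sit in /Library/Widgets), so one that arrived by
# auto-install rather than by choice stands out during a review.
list_user_widgets() {
    ls -1 "$HOME/Library/Widgets" 2>/dev/null
}
```

Run `disable_safari_auto_open` with Safari closed, then `list_user_widgets` to see what has already been dropped into the user's widget folder.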
No doubt you're wondering what Apple has to say. The answer: no comment. It hasn't urged Mac users to lock down their browsers, or even officially admitted there's a problem. Never mind, guys; we'll spread the word.
Hiawatha Bray can be reached at firstname.lastname@example.org.