Security hole bites Apple's Tiger
Latest Widgets handy for hackers
Tom Sanders in California, vnunet.com 11 May 2005
The latest version of Apple's Tiger operating system, OS X 10.4, exposes users to a vulnerability that could lead to data loss, security experts have warned.
The software includes the newly developed version 2.0 of Apple's Safari browser which is preconfigured to allow for software to be installed on a system without any user approval.
This software in turn could delete files, format the hard drive or change user settings to direct the browser to a certain website.
Several proof-of-concept exploits have been published on the web. Users running Tiger are strongly advised not to visit any of the sites that demonstrate how the flaw is exploited, such as Stephan.com.
Systems running Windows or older versions of OS X can open the page without any concern.
The exploit uses Widgets, small Java-based applications that run inside Tiger's Dashboard platform for applications such as the calculator and stock price tickers. Third-party developers can also develop software for the platform.
Widgets are hard to remove once installed. Dashboard does not offer any method of removal, and users will have to manually delete the files from a directory.
Users are also advised to disable the automatic installation for Safari until Apple has published a patch. An alternative is to make the directory containing the Widgets read only.
Apple released OS X 10.4 Tiger in late April. In addition to the Dashboard vulnerability, users have reported security issues with network connections.
