Brett Conlon brett_conlon at sonymusic.com.au
Tue May 10 23:41:44 PDT 2005

Stroller, wasn't it remiss of you not to warn us in your original email 
that viewing this web page will install software without your consent???

I gotta ask!


Stroller <MacMonster at myrealbox.com>

On May 9, 2005, at 8:55 pm, Matt Gregory wrote:

> For newbies, like me, what kind of possible malware widgets could be 
> downloaded in 10.3.9?  I thought what was being pointed out was a risk 
> in using dashboard, which is a 10.4 thing.  I understand the "Open 
> safe files" vulnerability now and will turn it off as soon as I get 
> home, but I didn't think much of it because none of the "safe" file 
> types seemed like possible vulnerabilities...

Try the link: <http://stephan.com/widgets/zaptastic/>

The author describes & provides more than one sample widget which 
exploits this behaviour. They're all fairly benign & he describes how 
to remove them.

"Ho, ho!" chortled the Macintosh users, "we'd never have to delve into 
a folder like ~/Library/Widgets/ or reboot our computers to disable a 

I'm pretty confident that Apple will fix this in 10.4.1 - these widgets 
show the sort of classic behaviour that malware has done on the PC for 
several years now: persistent referrals to a marketing webpage & 
pornographic images that are difficult (impossible for the uninitiated 
user) to get rid of. You probably *don't* want to run the Goatse.cx 
widget - it's not very pleasant. Human curiosity being what it is - I 
told you so.

In some ways this isn't a Big Deal - it's easy to disable, Apple'll fix 
it soon, and there are unlikely to be many serious 'sploits taking 
advantage of it - but it's a great demonstration to those who say Macs 
are inherently more secure than PCs.


