Apple Mac OS X Tiger Dashboard executes arbitrary widgets with the same "bundle identifier" as a system widget. This can allow a user-installed widget to override a system-installed one.
Dashboard is a new feature introduced in Apple Mac OS X Tiger 10.4. Dashboard is a collection of applications called "widgets." The system-installed widgets are located in /Library/Widgets and user-installed widgets are located in ~/Library/Widgets.
If an attacker can convince a user to install a widget, the attacker may be able to execute arbitrary commands or code with the privileges of the user. This execution would take place when the user runs what appears to be a system widget.
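As an added example (not code from this note or from Apple), the following check lists user-installed widgets whose bundle identifier collides with a system-installed one, using the two directories named above. It assumes each widget is a `.wdgt` bundle with an `Info.plist` at its top level carrying a `CFBundleIdentifier` key; the function names are illustrative.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Widget locations as given in this note.
SYSTEM_DIR = Path("/Library/Widgets")
USER_DIR = Path.home() / "Library" / "Widgets"


def bundle_ids(widget_dir):
    """Map CFBundleIdentifier -> list of .wdgt bundle paths under widget_dir."""
    ids = {}
    for bundle in sorted(Path(widget_dir).glob("*.wdgt")):
        # Assumption: Info.plist sits at the top level of the bundle.
        try:
            with (bundle / "Info.plist").open("rb") as fh:
                info = plistlib.load(fh)
        except (OSError, ExpatError, plistlib.InvalidFileException):
            continue  # missing or malformed plist: no identifier to compare
        ident = info.get("CFBundleIdentifier") if isinstance(info, dict) else None
        if ident:
            ids.setdefault(ident, []).append(bundle)
    return ids


def find_overrides(system_dir=SYSTEM_DIR, user_dir=USER_DIR):
    """Return (identifier, user_bundle, system_bundle) for every collision."""
    system = bundle_ids(system_dir)
    hits = []
    for ident, user_bundles in bundle_ids(user_dir).items():
        if ident in system:
            for user_bundle in user_bundles:
                hits.append((ident, user_bundle, system[ident][0]))
    return hits


if __name__ == "__main__":
    for ident, user_bundle, system_bundle in find_overrides():
        print(f"{ident}: {user_bundle} shadows {system_bundle}")
```

Any line of output identifies a widget in ~/Library/Widgets that Dashboard could run in place of the system widget with the same identifier.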
Install an update
Apple Computer, Inc.
This vulnerability was publicly reported by mithras.the.prophet.
This document was written by Will Dormann.
Date First Published: 2005-06-08
Date Last Updated: 2006-02-22 15:23 UTC