Mac OS X 10.4 (Tiger) #12: Malicious Widget Installation; More on SCSI problems; Potential AirPort re-connect fix; more

CNET staff

Sept. 2, 2009 11:23 a.m. PT

9 min read

Malicious Widget Installation Over the weekend, a Mac OS X user named Stephan posted a Web page demonstrating a vulnerability in Tiger's Widget architecture that could allow malicious JavaScript programs to be installed when automatically when visiting a Web site.

The vulnerability only occurs if the option to "Open 'safe' files after downloading" is turned on in Safari's preferences. Safari will, in this case, automatically download and install a widget when the appropriate meta tag is used. You can see a relatively innocuous demonstration of the vulnerability here.

According to the author:

"Let's start with autoinstall. I happen to like it, actually, I think it's a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.

"That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you cannot remove it. Type 'remove widget' into Apple Help, and you find out:

"You cannot remove widgets from the Widget Bar or change their order. Most of those reading this are probably aware of the workaround - just remove the offending widget from ~/Library/Widgets/. The Dashboard bar is not very good about updating when a widget is removed, but eventually it figures things out."

Several users have compared this issue to vulnerabilities affecting Microsoft's ActiveX system, which also makes use of code that can be auto-opened and executed.

There are some limitations to how much damage this vulnerability can incur, however.

First, any widget that could do serious damage (e.g. deleting a user home folder) will request system access and require the user to provide access via a prompt. As such, the real threat posed by this vulnerability when simply clicking links in Safari is a breakdown in Dashboard's functionality, or further accessing of other URLs in Safari. These issues -- should they occur -- can be resolved, as mentioned above, by deleting the offending Widget from the ~/Library/Widgets folder and restarting Mac OS X.

Second, the user must actually launch Dashboard after the malicious Widget has been downloaded and placed in the ~/Library/Widgets folder before it can execute any code.

Finally, the use of a utility like Paranoid Android will put an extra step between clicking on a potentially malicious link and actual execution of the downloaded file by watching the URL schemes that are requested and asking the user whether or not to proceed.

Feedback? Late-breakers@macfixit.com.

More on AFP access problems: Norton Firewall conflict Over the past several days we've been covering a number of issues with AFP (Apple fileshare protocol) access under Mac OS X 10.4 (Tiger). As previously noted, Mac OS X 10.4 (Tiger) does not support AFP networking over AppleTalk. Users must instead turn on File Sharing over TCP/IP (in the File Sharing Control Panel on Mac OS 9 systems) in order to enable networking.

If you are still having problems after switching to TCP/IP, there may be another factor at play -- such as an errant Mac OS 9 extension, as in MacFixIt reader Joseph Finnel's case:

"After about 2.5 hours of phone time with AppleCare Support, (and reinstalling Tiger with no improvement) the technician finally had me revert the Extensions on the Mac OS 9 system to the 'locked' Mac OS 9.2.2 All configuration. It worked! I was then able to connect and log on to the Mac OS 9 system from the G5 just like before.

"After comparing the original OS 9 system extensions with the 'All' configuration, I discovered my problem was Norton's Personal Firewall on the Mac OS 9 system. I disabled the firewall to permit all Appletalk/TCP/ IP access and problem solved."

AirPort auto re-connect solution: Deleting keychain We previously reported that deleting, then re-establishing keychain sets can resolve a number of networking issues in Mac OS X 10.4 (Tiger).

Now MacFixIt reader Tom Morris reports that deleting the AirPort keychain entry can resolve previously reported issues where Mac OS X 10.4 will not automatically re-connect to AirPort networks after waking from sleep.

Tom writes:

"After installing Tiger I experienced the same reconnect issue in AirPort where it won?t reconnect after waking from sleep. The fix for me was to delete the airport keychain entry in the keychain application. After that all is back to normal."

More on SCSI problems We continue to cover issues with SCSI expansion cards and SCSI devices themselves -- which do not, in most cases, seem to play nice with Mac OS X 10.4 (Tiger).

MacFixIt reader Norm Gan reports an issue where other devices' functionality is affected by the presence of SCSI expansion cards:

Norm writes:

"I have had a strange problem in Mac OS X 10.4 that appears to be related to the presence of my Adaptec 2930 SCSI card. Printer Setup Utility will not let me select Epson AppleTalk to add my Stylus Color 980N connected via EtherNet. As soon as I select Epson AppleTalk from More Printers in PSU, I get a non-quittable hang (cannot quit even from Activity Monitor, which also hangs).

"I have removed all the Adaptec Extensions from /System/Library/Extensions, but it does not help. I have done all the various Installations (started with Archive and Install, followed by Upgrade Install, and finally an Erase and Install on my G4 450DP/1.5GB) with no change to the problem. Card must be removed to get to my networked Epson Stylus Color 980N."

Dave Manning reports a similar issue, where Mac OS X 10.4 refused to install until a SCSI card was removed.

David writes:

"I too have had problems with my SCSI card from Adaptec. The card had to be removed prior to installing OSX 10.4. The DVD would stall during startup. When I removed the card, the installation went flawlessly."

Keith Young reports that SCSI cards from manufacturers other than Adaptec are affected:

"I use an Initio Miles Bluenote card in my Quicksilver dual 1 GHz G4 to run my Microtek Scanmaker 5. With 'Tiger' it no longer works although the card is visible to the system profiler. Initio are working on a fix."

Last week we also noted that removing the following files from the /System/Library/Extensions folder will resolve most Adaptec SCSI-related issues, but also break functionality of the installed card:

Adaptec290X-2930.kext
Adaptec29160x.kext
Adaptec39160.kext
Adaptec78XXSCSI.kext

Now MacFixIt reader Richard Stout reports that replacing just one of these files (78XXXSCSI.kext) back into the /System/Library/Extensions folder allows proper SCSI operation while potentially eliminating other conflicts.

Richard writes:

"After reading about the problems reported about Tiger and SCSI, I tried using my Nikon Coolscan III connected to Quicksilver 867 via Adaptec PCI SCSI card (pci9004,7850). VueScan software recognized scanner and slide scanning commenced, but, after 3 to 4 seconds, the scanner simply stopped.

"Removed all four files from System/Library/Extensions as noted in your fix. This, however, resulted in the scanner not being recognized by the VueScan software.

"Tried replacing files one at a time and found that 78XXXSCSI.kext alone restored function. Have scanned several slides, and both the software and scanner seem to be working normally, so far.

Disc burning problem -- Temporary images no longer created Mac OS X 10.4 no longer makes temporary disk images when performing burns of CDs and DVDs. This can cause some significant problems when users are attempting to burn data that is being used by other applications or the system itself (for instance, attempting to burn a backup of a user Home folder while still using virtually any applications).

This can result in a burn errors (and wasted media) such as the following:

"The operation could not be completed because one or more required items could not be found. (Error code -43). Could not open the data fork of '' (-43)"

MacFixIt reader Drew Saur notes a couple of potential solutions to this problematic new set-up:

"If you want to burn a backup of a user's folder, log that user out, make a copy of his or her home folder in another (preferably administrative) account, and burn the disc using that folder in this account.

"If you only have one account and you want to burn a backup of your own account's home folder, copy files to a disk image using Disk Utility first ( you can't copy files to your own desktop, because that would be a self-referential, infinitely recursive disaster, of course), and then burn that to a CD or DVD as appropriate."

Potential D-Link router fix Last week we reported problems using D-Link routers (both wireless and wired) after updating to Mac OS X 10.4. Typical symptoms include an inability to establish network connections, or persistently dropping connections.

MacFIxIt reader David Motowylak reports a potential fix: shortening the Computer Name in the Sharing pane of System Preferences.

David writes:

"I installed Tiger yesterday and experienced the wireless router issues reported on the front page. I have a D-Link 624 router, although I know there are similar problems with other routers as well.

"There is a very easy fix. Go to System Preferences, Sharing, and shorten the Computer Name. I'm hearing it should be one word, less than 20 characters. Worked for me."

Problems caused by QuickTime codecs MacFixIt reader Miguel Muelle reports some fairly serious system issues caused by the presence of apparently incompatible QuickTime add-on codes:

Miguel writes:

"I did an 'Archive and Install' of Mac OS X 10.4 and all seemed well until I copied the Quicktime codecs that I use often, Avid and Blackmagic. After copying them into /Library/Quicktime I rebooted and then all hell broke loose with the finder. After that when the Finder comes up it keeps crashing repeatedly so that the result is a Finder that keeps appearing and disappearing, ad nauseam. On my Powerbook, I first did an Upgrade, which did not resolve it, and then just re-installed another 'Archive and Install' and that was fine.

"It didn't occur to me that the codecs (actually Quicktime Components) could be the cause until later on when, after creating a bootable backup of my G5 Dual 2.5. I installed Tiger in the same way. Again, all was well until I copied my QuickTime Components over and then the same on-and-off Finder happened. I went into Terminal, removed the Components and immediately the Finder settled down. All seems well now. I should try installing them one at a time until I get the problem back, but I may just wait until Avid and Blackmagic update their QuickTime Components."

Third-party applications

Adobe Creative Suite installation and Case-sensitive HFS MacFixIt reader Peter Bosse reports that Adobe's Creative Suite will not install on Mac OS X volumes that are formatted with Case-sensitive HFS.

"There is a potential issue installing Adobe Creative Studio on Mac OS X 10.4. If the install volume is formatted as "case-sensitive" the Adobe Creative Studio installer will not install. I haven't seen a report of this yet and the problem and solution is not obvious. If Tiger has been clean installed and the volume format is 'Mac OS X Extended (Case-sensitive, Journaled)' Adobe Creative Studio will refuse to install with the error message, 'This installer cannot be run independently. Please install this product using the suite installer.' This occurs even using the suite installer.

For more information on Case-Sensitive HFS, see previous coverage in our Mac OS X 10.3.x Special Report.

Previous Mac OS X 10.4 (Tiger) Coverage: