Spyware threat to Apple Tiger OS

A new form of malware raises the possibility of spyware installing itself on Apple Macs.

According to one website, there is a security hole in the latest Tiger (OS X v10.4) operating system that allows malicious programs to be installed on the OS's Dashboard feature.

The Zaptastic website details how a "widget" - an applet that runs on the user's desktop – auto-installs itself when the user visits a particular site. It also tells the hapless Mac user what has just happened to their machine.

"If you are using Safari on Tiger, thanks to the magic of widget autoinstall, combined with the tag, a slightly evil widget has been installed in your dashboard," said Stephan Meyers on his website.

Meyers warned there was a "slightly more evil widget" linked lower on the same page. He said that widgets can't do much damage, and they can't run unless they are dropped into the dashboard. As the widgets have the same privileges as the user it may be possible for it to delete or steal data from the user or open hundreds of different pages in a few seconds.

While it appears that the widget cannot be removed from the dashboard, more advanced users can remove it by opening the /library/widgets/ folder and dragging the offending widget to the trash can. But Meyers said this may not be easy for everyone.

"The average user, who can't find their Library folder with two mice and a spotlight, is stuck," said Meyers. "It would take all of thirty seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard, and you're stuck with it."

Readers commenting on the website urged Apple users to disable the "Automatically open safe files" preference in Safari.

As reported in SC Magazine, Apple has released a host of patches for its Panther operating system, days after it released Tiger.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.