"Mac OS X is the latest version of the Mac OS, the operating system software for Macintosh computers. It consists of two main parts: Darwin, an open source UNIX-like environment which is based on the BSD source tree and the Mach microkernel, adapted and further developed by Apple Computer with involvement from independent developers; and a proprietary GUI named Aqua, developed by Apple."
The combination of Safari and Dashboard in Mac OS X is vulnerable to arbitrary widget injection. Exploiting this vulnerability may lead to arbitrary code execution and allow a malicious attacker to gain full control over the system.
Immune Systems:
* Mac OS X version 10.4.1 or newer
Dashboard in combination with Safari in Mac OS X contains a flaw that may allow a remote attacker to inject arbitrary widgets. The issue is triggered when the 'Open "safe" files after downloading' option in Safari is enabled. The flaw may allow a remote attacker to create a malicious web page containing an embedded META tag that triggers Safari to download a malicious widget. The widget would then be installed automatically under the /Library/Widgets or ~/Library/Widgets directory without any user intervention, resulting in a loss of integrity.
Workaround:
Disable the 'Open "safe" files after downloading' option in Safari.
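
The workaround and the two widget directories named above can be checked from a terminal. The script below is an added example, not part of the original advisory. It assumes Safari stores the option under the `AutoOpenSafeDownloads` key of the `com.apple.Safari` preferences domain, that an unset key means the option is on, and that widgets are bundles ending in `.wdgt`.

```shell
#!/bin/sh
# Added example: check a Mac for the exposure described in this advisory.

# Succeeds (returns 0) when the raw preference value means the option is on.
# An unset key (empty string) is treated as on, assuming Safari's default.
auto_open_enabled() {
    case "$1" in
        0|false|NO) return 1 ;;
        *) return 0 ;;
    esac
}

# Print every widget bundle (*.wdgt) found directly inside the given directories.
list_widgets() {
    for dir in "$@"; do
        for w in "$dir"/*.wdgt; do
            # An unmatched glob stays literal, so test that the path exists.
            if [ -e "$w" ]; then printf '%s\n' "$w"; fi
        done
    done
}

# Report the Safari setting and the installed widgets for manual review.
audit() {
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
    if auto_open_enabled "$value"; then
        echo "WARN: 'Open \"safe\" files after downloading' is enabled"
        echo "      fix: defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    else
        echo "OK: 'Open \"safe\" files after downloading' is disabled"
    fi
    echo "Installed widgets (verify each one is expected):"
    list_widgets /Library/Widgets "$HOME/Library/Widgets"
}

# Run only where the macOS 'defaults' tool exists.
if command -v defaults >/dev/null 2>&1; then
    audit
fi
```

Any widget in the listing that the user did not install deliberately should be removed from the directory it was found in.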