
Diatribe

macrumors 601
Original poster
Jan 8, 2004
4,256
44
Back in the motherland
Found this today.
Basically it describes how Widgets can go really bad, and after visiting the link mentioned in the story and reading the actual article, I must say it is pretty scary.
It really lowers the bar for malicious code to break into one's computer. And since Widgets are SUPPOSED to be programmed by another person, most likely NOT a trusted company, I must say it is kinda disturbing.
I guess this won't be that much of a deal for users who know what they are doing, but for the rest this can pose a serious issue.
And don't come with the regular argument that there is no such Widget yet. I know there isn't, but there will be, I'm sure.
 

greenguy4

macrumors 6502
Jan 2, 2005
289
0
Wow... Wonder if Apple will do anything about this? If people only download widgets from Apple.com and Apple lets people submit them and then screens them, it won't be a problem.
 

hodgjy

macrumors 6502
Apr 15, 2005
422
0
Security of a computer ultimately lies within the end user's hands. Just don't download anything from an untrusted source. Disable the ability of your browser to open programs.

If you do that, you'll be pretty safe.
 

broken_keyboard

macrumors 65816
Apr 19, 2004
1,144
0
Secret Moon base
People are going to get burned by Widgets. He is right about the social engineering thing: people know that you shouldn't install programs except from a trusted source, but I don't know that they will equate a widget with a fully fledged program.

They will think it is a little harmless thing and safe to install from anywhere, and they will be wrong.
 

superbovine

macrumors 68030
Nov 7, 2003
2,872
0
greenguy4 said:
Wow... Wonder if Apple will do anything about this? If people only download widgets from Apple.com and Apple lets people submit them and then screens them, it won't be a problem.

a virus scanner would also solve the problem. however, that is the case with every program you download. do you think the malicious code can only go in widgets?
 

ifjake

macrumors 6502a
Jan 19, 2004
562
1
it would be really cool if someone made a widget of the original DOOM shooter. now that would be a widget of DOOM.

seriously, how much power over the system can dashboard widgets have? if there really is a security issue, could Apple put some kind of limitation on widgets in a future update to prevent any malicious actions from taking place?
 

katie ta achoo

Blogger emeritus
May 2, 2005
9,166
5
I was about to post this...

I just read it and I'm kind of freaked out.
I hope that this doesn't ever flourish.
I've since disabled opening of "safe downloads".

Eep.
 

superbovine

macrumors 68030
Nov 7, 2003
2,872
0
MoparShaha said:
The worst a malicious program under OS X could do is delete your home account. That and perhaps a keystroke logger.

heh you're not very creative. what if there was code to delete firmware on your computer, and then you couldn't even boot without replacing a motherboard. How about code that goes through your address book and emails everyone in it pornographic material, or worse yet posts it on usenet as some type of sex ad with names and addresses. there are far worse things than deletions.
 

yg17

macrumors Pentium
Aug 1, 2004
15,027
3,002
St. Louis, MO
superbovine said:
heh you're not very creative. what if there was code to delete firmware on your computer, and then you couldn't even boot without replacing a motherboard. How about code that goes through your address book and emails everyone in it pornographic material, or worse yet posts it on usenet as some type of sex ad with names and addresses. there are far worse things than deletions.

I don't believe the firmware thing is possible without it asking for an admin account password, and if you either don't have a password on your admin account or type it in, you deserve it. For the porn, I know a few people in my address book who would appreciate it :D
 

maxterpiece

macrumors 6502a
Mar 5, 2003
729
0
superbovine said:
heh you're not very creative. what if there was code to delete firmware on your computer, and then you couldn't even boot without replacing a motherboard. How about code that goes through your address book and emails everyone in it pornographic material, or worse yet posts it on usenet as some type of sex ad with names and addresses. there are far worse things than deletions.

whoa... I'm not downloading anything from you!
 

lssmit02

macrumors 6502
Mar 25, 2004
400
37
Don't know if it's correct, but...

this was posted on that site, in the comments section:

18. Posted 5/8/2005 1:18:45 AM by Dale
Talk about a storm in a teacup....

Dashboard widgets run in their own process ('sandbox') and Apple have put limits on what a widget can do. They're also subject to the normal security precautions built in to Mac OS X accounts, i.e. they can't run as root, etc.

Again, I don't know if this is accurate, but perhaps the risk isn't as great as the article makes out?
 

admanimal

macrumors 68040
Apr 22, 2005
3,531
2
hodgjy said:
Security of a computer ultimately lies within the end user's hands. Just don't download anything from an untrusted source. Disable the ability of your browser to open programs.

If you do that, you'll be pretty safe.

Doesn't doing that also keep harmless things like PDFs from being displayed automatically? That's kind of annoying...A better solution would be to add an option in Dashboard to at least prompt the user before it installs a new widget, asking whether it's OK.
 

lssmit02

macrumors 6502
Mar 25, 2004
400
37
I found this link in the Developer Connection:
Widget Security Model

Gist of it is as follows:

Using certain resources within your widget may pose a security risk for users. In these circumstances, the widget security model provides a method for Dashboard to be aware that your widget may perform insecure tasks. If your widget is working with resources that pose a security threat to the user, the user must approve before access is granted.

So, apparently you have to actively allow the widget to do bad things, although the user is only asked once.

If the request is approved, your widget is loaded and granted access to the resources that it requested. The request is not repeated on subsequent loads if approved.
 
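The security model quoted above gates a widget's access on keys in its Info.plist, which Dashboard asks the user to approve once on first load. Below is an added example (not from the original thread or from Apple) of a small audit script that reads those keys from widget bundles and reports what each one requests; the key names used are the documented Dashboard access keys, and the sample Info.plist dictionaries are constructed.

```python
"""Audit Dashboard widgets for the access keys the widget security model gates."""
import os
import plistlib
from typing import Dict, List

# Info.plist keys that Dashboard prompts the user to approve on first load.
# These are Apple's documented widget access keys (assumed here from the
# Dashboard documentation; they are not quoted on the page).
ACCESS_KEYS = {
    "AllowFullAccess": "full access to the system, files and network",
    "AllowSystem": "run shell commands via widget.system()",
    "AllowFileAccessOutsideOfWidget": "read/write files outside the bundle",
    "AllowNetworkAccess": "contact hosts on the Internet",
    "AllowInternetPlugins": "load Internet plug-ins",
    "AllowJava": "load Java applets",
}


def requested_access(info: Dict) -> List[str]:
    """Return the names of the gated resources a widget's Info.plist asks for."""
    return [key for key in ACCESS_KEYS if info.get(key) is True]


def audit_widget(info: Dict) -> Dict[str, object]:
    """Summarise one widget: what it wants and whether Dashboard must prompt."""
    wants = requested_access(info)
    # AllowFullAccess implies every other grant, so flag it separately.
    return {
        "name": info.get("CFBundleDisplayName") or info.get("CFBundleIdentifier", "?"),
        "requests": wants,
        "needs_prompt": bool(wants),
        "full_access": info.get("AllowFullAccess") is True,
    }


def audit_folder(folder: str) -> List[Dict[str, object]]:
    """Walk a Widgets folder (e.g. ~/Library/Widgets) and audit each *.wdgt bundle."""
    results = []
    for entry in sorted(os.listdir(folder)):
        plist_path = os.path.join(folder, entry, "Info.plist")
        if entry.endswith(".wdgt") and os.path.isfile(plist_path):
            with open(plist_path, "rb") as fh:
                results.append(audit_widget(plistlib.load(fh)))
    return results


# Constructed sample Info.plist dictionaries standing in for two widget bundles.
SAMPLE_WEATHER = {"CFBundleIdentifier": "example.weather", "AllowNetworkAccess": True}
SAMPLE_SHELL = {"CFBundleDisplayName": "Uptime", "AllowSystem": True,
                "AllowFileAccessOutsideOfWidget": True}

if __name__ == "__main__":
    for info in (SAMPLE_WEATHER, SAMPLE_SHELL):
        print(audit_widget(info))
```

Run `audit_folder(os.path.expanduser("~/Library/Widgets"))` on a real Mac to list which installed widgets would trigger the one-time approval prompt and what they asked for.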

admanimal

macrumors 68040
Apr 22, 2005
3,531
2
lssmit02 said:
this was posted on that site, in the comments section:

Again, I don't know if this is accurate, but perhaps the risk isn't as great as the article makes out?

It does seem like Apple took some precautions to prevent widgets from really messing up your system...but perhaps not from spamming and/or scamming you. A widget is technically doing nothing wrong by displaying porn on itself, and likewise by sending information it collects to a 3rd party website, since these behaviors are identical to what many legitimate widgets would do.

Really the main problem here is with the fact that the widget can install itself just by you going to a website without having to click on anything. As others have pointed out, as long as you're not dumb about where you download from, any widgets you purposely click on to download should be fine.
 

lssmit02

macrumors 6502
Mar 25, 2004
400
37
admanimal said:
It does seem like Apple took some precautions to prevent people from really messing up your system...but perhaps not from spamming and/or scamming you.
Yeah, the trojan horse model of malware would seem to work.

Widgets can open applications and web pages outside of their bundle. If your widget provides a subset of information found on the Internet, a link to the full data set that opens in Safari is appropriate. If your widget interfaces with an application, for example, iTunes, it should open it first. Dashboard can do this all for you.
From External Access
 

Dave Marsh

macrumors regular
Jul 23, 2002
210
0
Sacramento, CA
Dashboard Widgets slowed my Mac to a crawl

I installed Tiger on my 1GHz G4 iMac (with 768MB of memory) a week ago today, and this evening I found my Mac almost unresponsive. It hadn't actually locked up, but it was responding very slowly. A check of Activity Monitor (after waiting patiently for several minutes for the Mac to catch up to my mouse clicks) revealed that nearly all of my installed Widgets were hung (highlighted in red). I was able, using Activity Monitor, to kill each one individually to recover enough CPU cycles to gracefully restart the system.

Has anyone else experienced this behavior yet? I never shut down my desktop Macs, so I should know in another week whether this was an anomaly or something really is amiss with the widgets.

Concerning the other issue about widgets installing automatically following a download, I also disagree with this behavior. I wouldn't want to be spoofed into thinking I was clicking on a normal hotlink on a web page and finding it installing a Unix-specific virus using the widget's self-installing "feature." I hope Apple gives us a way to turn off this behavior and force us back into entering our admin password to confirm an intended application installation ... perhaps with a security update. That would be a reasonable confirmation that we know we're installing something intentionally. Even if a widget can't get access to root, an offending widget could apparently easily consume enough clock cycles to create a denial of service scenario. :(
 

admanimal

macrumors 68040
Apr 22, 2005
3,531
2
Dave Marsh said:
Concerning the other issue about widgets installing automatically following a download, I also disagree with this behavior. I wouldn't want to be spoofed into thinking I was clicking on a normal hotlink on a web page and finding it installing a Unix-specific virus using the widget's self-installing "feature." I hope Apple gives us a way to turn off this behavior and force us back into entering our admin password to confirm an intended application installation ... perhaps with a security update. That would be a reasonable confirmation that we know we're installing something intentionally. Even if a widget can't get access to root, an offending widget could apparently easily consume enough clock cycles to create a denial of service scenario. :(

It is unlikely that a widget could easily install a true virus of any sort... at least not one that could really do any harm to your system. As you point out, it is possible for one to hijack your resources, on purpose or not, but in that scenario it seems all you would have to do is kill the widget and then delete it from your ~/Library/Widgets folder. (Don't ask me why Apple didn't include some facility for gracefully deleting them.)

All it would really take is one dialog box asking if it's OK to install a widget, and all of these potential problems (except the performance issues you had) would vanish.
 

Mechcozmo

macrumors 603
Jul 17, 2004
5,215
2
I'm pretty sure that this will be fixed, and soon, by Apple. At least it can't do devastating things without your permission.

Yes, we are mad, but yes, we know that it isn't the worst thing ever and it will be fixed.
 

admanimal

macrumors 68040
Apr 22, 2005
3,531
2
Yeah I have a feeling they will be making some changes to Dashboard in 10.4.1. I mean how can they let it stay with no (official) way to delete widgets from the tray? Worst. Idea. Ever.
 

Dave Marsh

macrumors regular
Jul 23, 2002
210
0
Sacramento, CA
User Widget Folder deleted overnight

An interesting thing happened overnight on both my desktop Macs. The ~/Library/Widgets folder (the one in the user account) was deleted on BOTH Macs. My laptop was asleep, so it remained OK.

Any ideas how this could have happened? The only thing that comes to mind for me is that Tiger's overnight system maintenance deleted it. But why?

I recreated it this morning and put new copies of the widgets into it. We'll see if anything happens this evening.
 

CubaTBird

macrumors 68020
Apr 18, 2004
2,135
0
this is very disconcerting.. or however you spell that... i think Apple should fix this issue pronto.. but then hackers could always get creative and mess with the fix.. so go figure..
 