Widgets Of Doom

Discussion in 'macOS' started by Diatribe, May 7, 2005.

  1. Diatribe macrumors 601


    Jan 8, 2004
    Back in the motherland
    Found this today.
    Basically it describes how Widgets can go really bad and I must say after visiting the mentioned link in the story and reading the actual article, I must say it is pretty scary.
    It really lowers the bar for malicious code to break into one's computer. And since Widgets are SUPPOSED to be programmed by another person, most likely NOT a trusted company, I must say it is kinda disturbing.
    I guess this won't be that much of deal for users who know what they are doing but for the rest this can pose a serious issue.
    And don't come with the regular argument that there is not such Widget yet. I know there isn't but there will be, I'm sure.
  2. greenguy4 macrumors 6502

    Jan 2, 2005
    Wow...Wonder if apple will do anything about this? If people only download widgets from Apple.com and apple lets people submit them and then screens them it won't be a problem.
  3. hodgjy macrumors 6502

    Apr 15, 2005
    Security of a computer ultimately lies within the end user's hands. Just don't download anything from an untrusted source. Disable the ability of your browser to open programs.

    If you do that, you'll be pretty safe.
  4. broken_keyboard macrumors 65816


    Apr 19, 2004
    Secret Moon base
    People are going to get burned by Widgets. He is right about the social engineering thing: people know that you shouldn't install programs except from a trusted source, but I don't know that they will equate a widget with a fully fledged program.

    They will think it is a little harmless thing and safe to install from anywhere, and they will be wrong.
  5. superbovine macrumors 68030


    Nov 7, 2003
    a virus scanner would also slove the problem. however, that is the case with every program you download. do you think the malicous code can only go in widgets?
  6. ifjake macrumors 6502a

    Jan 19, 2004
    it would be really cool if someone made a widget of the original DOOM shooter. now that would be a widget of DOOM.

    seriously, how much power over the system can dashboard widgets have? if there really is a security issue could apple put some kind of limitation on widgets in a future update to prevent any malicious actions from taking place?
  7. MoparShaha macrumors 68000


    May 15, 2003
    San Francisco
    The worst a malicious program under OS X could do is delete your home account. That and perhaps a keystroke logger.
  8. katie ta achoo macrumors G3

    May 2, 2005
    I was about to post this...

    I just read it and I'm kind of freaked out.
    I hope that this doesn't ever flourish.
    I've since disabled opening of "safe downloads".

  9. superbovine macrumors 68030


    Nov 7, 2003
    heh your not very creative. what if there was code to delete firmware on your computer, and the you couldn't even boot without replacing a motherboard. How about code that goes through your address book and emails everyone in it pornographic material or worst yet post it on usenet as some type of sex ad with names and addresses. there are far worse things that deletions.
  10. yg17 macrumors G5


    Aug 1, 2004
    St. Louis, MO
    I don't believe the firmware thing is possible without it asking for an admin account password, and if you either dont have a password on your admin account or type it in, you deserve it. For the porn, I know a few people in my address book that would appreciate it :D
  11. superbovine macrumors 68030


    Nov 7, 2003
    since when has a password stopped people from gaining root access.
  12. Daveway macrumors 68040


    Jul 10, 2004
    New Orleans / Lafayette, La
    Soooo... Whose gonna be the first to try it? Post pics. ;) :p
  13. maxterpiece macrumors 6502a


    Mar 5, 2003
    whoa... I'm not downloading anything from you!
  14. lssmit02 macrumors 6502

    Mar 25, 2004
    Don't know if it's correct, but...

    this was posted on that site, in the comments section:

    Again, I don't know if this is accurate, but perhaps the risk isn't as great as the article makes out?
  15. admanimal macrumors 68040

    Apr 22, 2005
    Doesn't doing that also keep harmless things like PDFs from being displayed automatically? That's kind of annoying...A better solution would be to add an option in Dashboard to at least prompt the user before it installs a new widget, asking whether it's OK.
  16. lssmit02 macrumors 6502

    Mar 25, 2004
    I found this link in the Developer Connection:
    Widget Security Model

    Jist of it is as follows:

    So, apparently you have to actively allow the widget to do bad things, although the user is only asked once.

  17. admanimal macrumors 68040

    Apr 22, 2005
    It does seem like Apple took some precautions to prevent widgets from really messing up your system...but perhaps not from spamming and/or scamming you. A widget is technically doing nothing wrong by displaying porn on itself, and likewise by sending information it collects to a 3rd party website, since these behaviors are identical to what many legitimate widgets would do.

    Really the main problem here is with the fact that the widget can install itself just by you going to a website without having to click on anything. As others have pointed out, as long as you're not dumb about where you download from, any widgets you purposely click on to download should be fine.
  18. lssmit02 macrumors 6502

    Mar 25, 2004
    Yeah, the trojan horse model of malware would seem to work.

    From External Access
  19. Dave Marsh macrumors regular

    Jul 23, 2002
    Sacramento, CA
    Dashboard Widgets slowed my Mac to a crawl

    I installed Tiger on my 1GHz G4 iMac (with 768MB of memory) a week ago today, and this evening I found my Mac almost unresponsive. It hadn't actually locked up, but it was responding very slowly. A check of Activity Monitor (after waiting patiently for several minutes for the Mac to catch up to my mouse clicks) revealed that nearly all of my installed Widgets were hung (highlighted in red). I was able, using Activity Monitor, to kill each one individually to recover enough CPU cycles to gracefully restart the system.

    Has anyone else experienced this behavior yet? I never shut down my desktop Macs, so I should know in another week whether this was an anomaly or something really is amiss with the widgets.

    Concerning the other issue about widgets installing automatically following a download, I also disagree with this behavior. I wouldn't want to be spoofed into thinking I was clicking on a normal hotlink on a web page and finding it installing a Unix-specific virus using the widget's self-installing "feature." I hope Apple gives us a way to turn off this behavior and force us back into entering our admin password to confirm an intended application installation ... perhaps with a security update. That would be a reasonable confirmation that we know we're installing something intentionally. Even if a widget can't get access to root, an offending widget could apparently easily consume enough clock cycles to create a denial of service scenario. :(
  20. admanimal macrumors 68040

    Apr 22, 2005
    It is unlikely that a widget could easily install a true virus of any sort...at least not one that could really do any harm to your system. As you point out, it is possible for one to hijak your resources, on purpose or not, but in that scenario it seems all you would have to do is kill the widget and them delete it from your ~/Library/Widgets folder. (Don't ask me why Apple didn't include some facility for gracefully deleting them)

    All it would really take is one dialog box asking if its OK to install a widget and all of these potential problems (except the performance issues you had) would vanish.
  21. Mechcozmo macrumors 603


    Jul 17, 2004
    I'm pretty sure that this will be fixed, and soon, by Apple. At least it can't do devastating things without your permission.

    Yes, we are mad, but yes, we know that it isn't the worst thing ever and it will be fixed.
  22. admanimal macrumors 68040

    Apr 22, 2005
    Yeah I have a feeling they will be making some changes to Dashboard in 10.4.1. I mean how can they let it stay with no (official) way to delete widgets from the tray? Worst. Idea. Ever.
  23. eva01 macrumors 601


    Feb 22, 2005
    Gah! Plymouth
    just be careful of what you download, don't be stupid and things wont happen to you.
  24. Dave Marsh macrumors regular

    Jul 23, 2002
    Sacramento, CA
    User Widget Folder deleted overnight

    An interesting thing happened overnight on both my desktop Macs. The ~/Library/Widgets folder (the one in the user account) was deleted on BOTH Macs. My laptop was asleep, so it remained OK.

    Any ideas how this could have happened? The only thing that comes to mind for me is that Tiger's overnight system maintenance deleted it. But why?

    I recreated it this morning and put new copies of the widgets into it. We'll see if anything happens this evening.
  25. CubaTBird macrumors 68020

    Apr 18, 2004
    this is very disconcerting.. or however u spell that... i think apple should fix this issue pronto.. but then hackers could always get creative and mess with the fix.. so go figure..

Share This Page