Looks like Apple are going to need to have "Apple Approved" widgets and a number of servers delivering the real deal to avoid malware widgets...
 
Meh, I don't really get the appeal of Dashboard.

I'll admit that I haven't played with it on either of my primary machines yet, but I don't see widgets as being helpful. Nearly everything that I do I can do with Quicksilver and a couple of key combos.

But when I do get around to playing with it, I'll be deleting (or maybe just archiving someplace else) any widget I don't use, and setting the ~/Library/Widgets to "read only"
 
I am surprised that even in my Firefox setup, this file downloaded automatically without me having to verify. I guess I had let it set up an auto action of downloading zip files before. Ugh. Annoying.

I feel like it would be good if Safari prompted users to verify a download when it came about as a refresh tag. It would be annoying with sites like Versiontracker or Sourceforge, but it's better than this! Either that, or a verify for widgets on download. Or, of course, like lots of other people have said, the ability to set by filetype what happens, as in Firefox.
 
I think for most of us, a simple "Do you want to install this widget" prompt from Dashboard would be good enough. Probably not for the less careful user though.
 
admanimal said:
I think for most of us, a simple "Do you want to install this widget" prompt from Dashboard would be good enough. Probably not for the less careful user though.

The problem is though, according to the article, it does not tell you what access it will use. OSX just asks you whether you want to run this widget. A lot of people will click and not read. And even without any root, etc. access you can launch apps, etc. and can cause some real damage like harvesting passwords, email addresses, etc. as someone pointed out.

The hype is starting already, all kinds of people posting this story all over the board. Do you think people who can't even use a search function will be able to get rid of/not install those potential widgets? :D :p
 
Angrist said:
Meh, I don't really get the appeal of Dashboard.

I'll admit that I haven't played with it on either of my primary machines yet, but I don't see widgets as being helpful. Nearly everything that I do I can do with Quicksilver and a couple of key combos.

The best way round the problem at the moment is to turn off Safari's auto-opening of 'safe' files. Anything that downloads (and let's face it, the concerns we're all having is that any malwidgets would try to download themselves without permission) ends up on the desktop.

The ones that look scariest are the ones with the doublespace in front of a standard Apple widgetname so they take over the first page of Dashboard. I guess it's a 'download from safe sources' and be aware for the time being. An easy way to delete unwanted widgets (rather than someone having to know to go to Library/Widgets) would also be a good thing.

I wouldn't be so fast to dismiss Dashboard. I thought it would be a gimmick but there are a few widgets that I find really useful; I found one yesterday that takes the current URL from Safari and finds the BugMeNot log-in details. Much faster than opening a new tab, going to my BMN bookmark and pasting in the URL.
 
Applespider said:
I found one yesterday that takes the current URL from Safari and finds the BugMeNot log-in details. Much faster than opening a new tab, going to my BMN bookmark and pasting in the URL.

Oooh, oooh, me wantie. :D Pleeease.
 
It popped up on my RSS feed from Dashboardwidgets.com

Site UP

You have to remember the username/password combo since it doesn't allow you to cut and paste unfortunately. I also haven't figured out how to tell it if a particular combination no longer works like you can on the website. But it's worked most of the time for me - there are even combinations for MR!
 
Applespider said:
It popped up on my RSS feed from Dashboardwidgets.com

Site UP

You have to remember the username/password combo since it doesn't allow you to cut and paste unfortunately. I also haven't figured out how to tell it if a particular combination no longer works like you can on the website. But it's worked most of the time for me - there are even combinations for MR!

Thank you very much, I guess I will use the RSS feed for Dashboardwidgets.com too, I seem to miss the stuff on there.
 
blah blah

There's not an awful lot Apple can do to protect its users from their own stupidity. Yeah Dashboard could introduce malware, but not if the end user's got any sense.

I actually really like the automatic nature of clicking on a link and letting it download and install itself in my widgets folder. However, I've only ever downloaded widgets from the Apple downloads site. Not sure it's any more secure than others, but I presume so.

The idea another poster had about making a Widget read-only is a good idea, but I can't see that stopping the widget (in theory) being able to write to anywhere else on your hard drive.

For the incredibly paranoid - learn how to code and read each widget before installing. Even better - only ever write your own :)

But meh.. I'm too lazy for that. If I get malware it's not the end of the world, being a PC user I'm used to it :D
 
pulsewidth947 said:
There's not an awful lot Apple can do to protect its users from their own stupidity. Yeah Dashboard could introduce malware, but not if the end user's got any sense.

For the incredibly paranoid - learn how to code and read each widget before installing. Even better - only ever write your own :)

But meh.. I'm too lazy for that. If I get malware it's not the end of the world, being a PC user I'm used to it :D

I was in shock reading your post until I got to the last line--you're a PC user and you are used to this! Saying that Apple can't do much to protect users from their own stupidity sounds a lot like what Microsoft was saying a year ago when they were complaining that people didn't download the 10,000 latest patches, service packs and anti-virus updates.

The developers and users of software each need to take responsibility for security. IMO, most of this burden falls on the developer.

Now that there is the potential for malware under Mac OS X I'm wondering if some of the Mac faithful will be saying how Malware isn't that big of a deal and that it is not Apple, not OS X, not the implementation of Dashboard but the users who are at fault...scary.
 
eva01 said:
just be careful of what you download, don't be stupid and things wont happen to you.

That's the problem! How can you be careful of things that are auto downloaded! And then auto installed!

All someone has to do to get a user to click on the evil widget is call it calculator, and give it the right icon. All of a sudden boom, the user has two calculator icons in their widget dock. 50/50 shot. Now a normal user would go, wtf. But some users are not that computer savvy. There will be people who click, and there will be a widget that erases your home directory, or keylogs your password etc.
 
wow, who would have thought that Apple would have provided such a potentially lethal security issue in Tiger. And not only that, Tiger's been out for just a short time and there are already problems like this.

So has anyone programmed a widget? What does it take?

D
 
csubear said:
There will be people who click, and there will be a widget that erases your home directory, or keylogs your password etc.

No, it won't be able to do that unless you give it an admin password if I've read things correctly; but it could lock up your CPU by running in the background or cause a denial of service attack by consistently polling a website, or pick up the names from your address book
 
csubear said:
That's the problem! How can you be careful of things that are auto downloaded! And then auto installed!

But as I understand the developer site, it will not have auto access to your system. For that, there is a popup request. So the rule is, as with all software, don't say "yes" unless you specifically started the program that is making the request. Now, if you intentionally download a widget from a less than reliable site, and give it access to your system, that's your fault, not Apple's. The key here is for there to be reliable sources of widgets.
 
from apple's developers site:

Widget Security Model

Using certain resources within your widget may pose a security risk for users. In these circumstances, the widget security model provides a method for Dashboard to be aware that your widget may perform insecure tasks. If your widget is working with resources that pose a security threat to the user, the user must approve before access is granted.

Dashboard allows you to “declare your intentions” when you:

* Access files outside of your widget bundle
* Use a Web Kit or standard browser plug-in
* Access network resources
* Run a Java applet
* Run a command-line utility
* Using a widget plug-in

“Declaring your intentions” means that before your widget is run, you specify in your widget’s information property list file which resources you want to use ..."


I feel a little better now, a little
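
The "declare your intentions" model quoted above can be checked before a widget is ever opened. The following is an added example, not part of the original post and not Apple's code: it reads each widget's Info.plist, lists the access it declares, and flags names padded with leading spaces as mentioned earlier in the thread. The key names are the ones from Apple's Dashboard documentation (they do not appear on this page), and the two sample bundles are constructed for the demonstration.

```python
import plistlib
import tempfile
from pathlib import Path

# Info.plist access keys from Apple's Dashboard docs (not listed on this page).
ACCESS_KEYS = {
    "AllowFileAccessOutsideOfWidget": "files outside the widget bundle",
    "AllowInternetPlugins": "Web Kit / browser plug-ins",
    "AllowNetworkAccess": "network resources",
    "AllowJava": "Java applets",
    "AllowSystem": "command-line utilities",
    "AllowFullAccess": "all of the above",
}

def audit_widget(bundle: Path) -> dict:
    """Return declared access and naming warnings for one .wdgt bundle."""
    info = plistlib.loads((bundle / "Info.plist").read_bytes())
    declared = [k for k in ACCESS_KEYS if info.get(k) is True]
    if info.get("Plugin"):  # names a bundled widget plug-in
        declared.append("Plugin")
    warnings = []
    # A name padded with leading whitespace sorts ahead of the stock widgets.
    names = sorted({bundle.stem, str(info.get("CFBundleDisplayName", ""))})
    for name in names:
        if name != name.lstrip():
            warnings.append(f"leading whitespace in name {name!r}")
    return {"widget": bundle.name, "declared": declared, "warnings": warnings}

def audit_folder(folder: Path) -> list:
    """Audit every widget bundle in a folder such as ~/Library/Widgets."""
    return [audit_widget(b) for b in sorted(folder.glob("*.wdgt"))
            if (b / "Info.plist").is_file()]

def build_sample(folder: Path) -> None:
    """Constructed sample bundles so the audit runs offline."""
    samples = {
        "Countdown.wdgt": {"CFBundleDisplayName": "Countdown", "MainHTML": "c.html"},
        "  Calculator.wdgt": {"CFBundleDisplayName": "  Calculator",
                              "AllowSystem": True, "AllowNetworkAccess": True},
    }
    for name, plist in samples.items():
        (folder / name).mkdir()
        (folder / name / "Info.plist").write_bytes(plistlib.dumps(plist))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(audit_folder(Path(tmp)))
```

On a real machine, pass `Path.home() / "Library" / "Widgets"` to `audit_folder`. Declared keys only show what the widget asks for; they are the input to the approval prompt the quoted documentation describes.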
 
The answer to the topic question is "sorta". They screwed up, but not big-time—no code executes without user intervention. If this gets fixed soon, it's all good.

If not, well… I'm going to hope that it doesn't come to that.

~J
 
Wow.

The good news is, the Mac community (being so much smaller) would be on to any malicious widgets pretty, and could spread the word.

It's the principle though. We shouldn't have to be paranoid and constantly on guard, like our Windows friends across the aisle. I came across a Widget that's a countdown timer to Star Wars 3, but was afraid to download it. What can I say, I'm overly paranoid/protective of my system.

I don't use the Widgets that much anyway, the whole thing seems "un-Apple" to me, not being able to change your list and/or delete widgets right there in the dashboard. Yeah, I know to go to ~/library/widgets, but......that's not very Apple, right?

Hopefully Apple will provide us with an elegant fix for the whole sha-bang in 4.1. Somebody send Steve an email. :D
 
Mike Teezie said:
The good news is, the Mac community (being so much smaller) would be on to any malicious widgets pretty, and could spread the word.

The only problem is that there are plenty of people who won't become part of the 'community' until after they've been hit by one of these things and search online to find a way to fix it.

Apple does need to come up with a fix, that is for certain - but I think the main issue would be that any fix would hamper the innate philosophy of widgets in general - so I think an elegant solution might not be available and we'll have to settle for some sort of work around.

I hope I'm wrong.

D
 
ShiggyMiyamoto said:
It's BS. Yes, it DID download when I visited the site but prior to that I "locked" my Widgets folder. ^_^ Nice try you lamers... There'll never be adware on OS X... Ever.

He brings up an interesting point. When a permissions file gets corrupted, then whenever you attempt to modify the corrupted folder, you're asked for an admin password. Could Apple just make the widgets folder admin access only and force the user to type a password before a widget could be installed? BTW, this is no reason to be worried, Apple, unlike another computer company we all know and love, is good about releasing security patches in a timely manner.
 
Widget Security

From the Apple Widget Developer site :

Using certain resources within your widget may pose a security risk for users. In these circumstances, the widget security model provides a method for Dashboard to be aware that your widget may perform insecure tasks. If your widget is working with resources that pose a security threat to the user, the user must approve before access is granted.

Dashboard allows you to “declare your intentions” when you:

* Access files outside of your widget bundle
* Use a Web Kit or standard browser plug-in
* Access network resources
* Run a Java applet
* Run a command-line utility
* Using a widget plug-in

http://developer.apple.com/document...d_Tutorial/Security/chapter_10_section_1.html


imho this widget paranoia "could" become overblown..
In order to run a malwidget it must get the users permission before running.
 