Peace said:
IMHO this widget paranoia "could" become overblown.
In order to run a malwidget, it must get the user's permission before running.


And a 12-year-old kid who just got an iBook and knows the admin password will not type it in because...? There is no answer. This is VERY Windows-like. If set up properly and the admin password is not given to the kid, then it won't be a problem, but it does add a need for a level of attention to what's going on that a person who bought the iBook for the kid didn't think he would have to worry about.

I gave my GF my admin password. Yeah, not the safest thing to do, but before THIS I didn't have to worry about something happening that she did not initiate. Now I do. Now I need to explain it to her. Now she needs to worry. She said, "Now it's just like Windows." That is NOT how Apple wants their products to be perceived. You can explain it away on a technical level all you want; once the market gets hold of it, it's like a freight train.


*puts on flame suit*
 
csubear said:
That's the problem! How can you be careful of things that are auto-downloaded! And then auto-installed!

All someone has to do to get a user to click on the evil widget is call it Calculator and give it the right icon. All of a sudden, boom, the user has two Calculator icons in their widget dock. 50/50 shot. Now a normal user would go, WTF. But some users are not that computer savvy. There will be people who click, and there will be a widget that erases your home directory, or keylogs your password, etc.

If you have Safari as is from Apple, with no changes to it, yes, they are auto-downloaded and auto-installed. But Safari keeps track of your downloads (if you haven't changed that), and then you can just click on the magnifying glass to see where the file actually ended up; then you can delete it.
 
Arcus said:
I gave my GF my admin password. Yeah, not the safest thing to do, but before THIS I didn't have to worry about something happening that she did not initiate. Now I do. Now I need to explain it to her. Now she needs to worry. She said, "Now it's just like Windows." That is NOT how Apple wants their products to be perceived. You can explain it away on a technical level all you want; once the market gets hold of it, it's like a freight train.


*puts on flame suit*

Not gonna flame ya, but even Windoze users know not to give out admin passwords to anyone other than the administrator. That's why it's called administrator. That's also why there is user switching. Each user should have their own account, with the admin account used to administrate the 'puter.

But now on the other hand
:)

http://stephan.com/widgets/zaptastic/

This guy is showing how to make a fairly benign malwidget that just opens the Safari browser and sends you off to some website.
 
1. This issue is completely solved by unchecking "Open 'safe' files after downloading", which is a good practice anyway.

2. Even when "Open 'safe' files after downloading" is checked, the only unique thing that happens is that the widget is moved to ~/Library/Widgets (admittedly, this could be a "malicious" widget, but it still hasn't been run at this point).

3. The widget will be visible on the Dashboard shelf the next time Dashboard is invoked; it still must be manually and deliberately run when Dashboard is invoked. It can be removed by dragging it from ~/Library/Widgets to the Trash.

As we all know, if someone tricks you into running software on your computer, the game is over. This is not nearly as automated as is implied. This is almost exclusively a social engineering exploit, but I agree there should be a prompt or notification to auto-install the Dashboard widget.
 
I might also add that Konfabulator has been around for some time, and while their widgets use XML rather than HTML, one could still write a malwidget for Konfabulator.

Where are the Mac users complaining about Konfabulator? ;)
 
Can you disable Dashboard?

Just a question, maybe more interesting now, but I don't really care for Dashboard and would like to remove it from the Dock and have it not appear on restart. Anyone know how?
 
Widgets are based on JavaScript, correct? In theory, incorporating code in a webpage should be almost as dangerous as running a widget. JavaScript is a "standard" internet protocol, no? If this is really a threat, then we should have heard about this problem from webpages by now.
 
The biggest virus in OS X is made by Apple themselves! The possibility to rename your home directory, and then when you restart your computer, all your stuff is gone!

I don't know how many people I have had to help with this stupid feature!

Apple, please do something!
 
When I downloaded some widgets the other day, I had to manually unstuff them and track down the Library>Widgets folder and place them in there. There's an automatic install feature?

Regards,
Gus

P.S. I LOVE the term "Malwidget". ;)
 
Gus said:
When I downloaded some widgets the other day, I had to manually unstuff them and track down the Library>Widgets folder and place them in there. There's an automatic install feature?

Regards,
Gus

P.S. I LOVE the term "Malwidget". ;)
Double-click the widget. You can do this right from the Downloads window in Safari.
 
MacEyeDoc said:
Just a question, maybe more interesting now, but I don't really care for Dashboard and would like to remove it from the Dock and have it not appear on restart. Anyone know how?
Just drag it out of the Dock. That's it.
 
The dev doc says there will be a warning panel when you invoke for the first time a widget which contains external file access or network access (that is, which may be malicious).
However, Safari-auto-installed widgets somehow do not bring up the warning panel.
I can confirm this because I wrote one and checked!

It basically means you can write an extremely malicious HTML page, which redirects to a widget, which contains rm -rf ~/ . Bang, your entire home directory is lost.

So here is a strong recommendation for MacRumors readers:

UNCHECK the Open "Safe" Files checkbox in your Safari preferences

until Apple provides a security update. Repeat:

UNCHECK the Open "Safe" Files checkbox in your Safari preferences!!!
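The two posts above describe the same mechanism from opposite sides: with Open "safe" files on, a downloaded widget is moved into ~/Library/Widgets without the access warning, and a widget whose JavaScript calls widget.system() can run rm -rf ~/ the first time it is opened. What follows is an added example, not code from this thread or from Apple: it audits every bundle in a Widgets folder without opening any of them, parsing each Info.plist for the access keys Apple's widget documentation lists (AllowSystem, AllowFileAccessOutsideOfWidget, AllowFullAccess, AllowNetworkAccess, AllowInternetPlugins, AllowJava) and scanning the HTML and JavaScript for literal widget.system("...") calls, the call that hands a string to the shell. The two sample bundles, their file names and their contents are constructed for the demo; audit_dir() pointed at ~/Library/Widgets does the real check.

```python
"""Added example: static audit of Dashboard widget bundles before they are run.

A widget is a folder Something.wdgt holding Info.plist, an HTML file and
JavaScript.  Two things say whether it can reach outside its own bundle:
  * Info.plist keys such as AllowSystem, which Apple's widget documentation
    lists as the switch for the matching JavaScript capability;
  * the JavaScript itself calling widget.system("...", handler).
Nothing here is Apple's code; the sample bundles are constructed below.
"""
import plistlib
import re
import tempfile
from pathlib import Path

# Info.plist keys (from Apple's Dashboard documentation) that widen a widget's
# reach, mapped to what each one unlocks.
RISKY_KEYS = {
    "AllowSystem": "shell commands via widget.system()",
    "AllowFileAccessOutsideOfWidget": "files outside the bundle",
    "AllowFullAccess": "everything: system, files, network, plug-ins, Java",
    "AllowNetworkAccess": "arbitrary network hosts",
    "AllowInternetPlugins": "Internet plug-ins",
    "AllowJava": "Java applets",
}

# widget.system("cmd", handler) with a literal first argument.
SYSTEM_CALL = re.compile(r"widget\s*\.\s*system\s*\(\s*(['\"])(.*?)\1", re.S)


def audit_widget(bundle):
    """Describe what one .wdgt asks for in Info.plist and what it runs."""
    plist = {}
    info = bundle / "Info.plist"
    if info.is_file():
        with info.open("rb") as fh:
            plist = plistlib.load(fh)
    keys = {k: RISKY_KEYS[k] for k in RISKY_KEYS if plist.get(k)}
    calls = []
    sources = list(bundle.rglob("*.js")) + list(bundle.rglob("*.html"))
    for src in sorted(sources):
        for m in SYSTEM_CALL.finditer(src.read_text(errors="replace")):
            calls.append((src.name, m.group(2)))
    return {
        "display_name": plist.get("CFBundleDisplayName", bundle.stem),
        "keys": keys,
        "system_calls": calls,
        "suspicious": bool(keys) or bool(calls),
    }


def audit_dir(widgets_dir):
    """Audit every *.wdgt in a folder (e.g. ~/Library/Widgets), keyed by bundle name."""
    return {b.name: audit_widget(b) for b in Path(widgets_dir).glob("*.wdgt")}


def write_widget(root, bundle_name, display_name, js, allow_system=False):
    """Constructed sample bundle; real widgets carry more files, same layout."""
    bundle = Path(root) / bundle_name
    bundle.mkdir(parents=True)
    info = {
        "CFBundleIdentifier": "com.example." + bundle.stem.lower(),  # hypothetical id
        "CFBundleDisplayName": display_name,
        "MainHTML": "Calculator.html",
    }
    if allow_system:
        info["AllowSystem"] = True
    with (bundle / "Info.plist").open("wb") as fh:
        plistlib.dump(info, fh)
    (bundle / "Calculator.html").write_text(
        '<html><head><script src="Calculator.js"></script></head><body></body></html>\n')
    (bundle / "Calculator.js").write_text(js)
    return bundle


def demo():
    """Two bundles that both show as 'Calculator' on the shelf; one is a malwidget."""
    root = Path(tempfile.mkdtemp(prefix="widgets-"))
    write_widget(root, "Calculator.wdgt", "Calculator",
                 "function add(a, b) { return a + b; }\n")
    write_widget(root, "Calculator-1.wdgt", "Calculator",
                 'function onshow() { widget.system("rm -rf ~/", null); }\n',
                 allow_system=True)
    return audit_dir(root)


if __name__ == "__main__":
    for name, r in sorted(demo().items()):
        print(f"{name:20} {r['display_name']:12} "
              f"{'SUSPICIOUS' if r['suspicious'] else 'ok'}")
        for key, why in r["keys"].items():
            print(f"    Info.plist {key}: {why}")
        for src, cmd in r["system_calls"]:
            print(f"    {src}: widget.system({cmd!r})")
```

This is triage, not proof: a widget that assembles its command string at run time, or evaluates code it fetches, shows no literal widget.system() call, and a bundle with AllowFullAccess can do everything the narrower keys allow. Anything flagged is worth reading in full before it is ever opened in Dashboard, and the blunt fix from the post (unchecking Open "safe" files) still stands.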
 
yg17 said:
I don't believe the firmware thing is possible without it asking for an admin account password, and if you either don't have a password on your admin account or type it in, you deserve it. For the porn, I know a few people in my address book who would appreciate it :D

How smug: a malicious piece of software tricks you into doing something when your guard is down, and this guy says "you deserve it". Give me a freakin' break; how self-righteously "superior" can you get?

Good grief, I didn't buy a computer to be sitting on pins and needles the entire time I'm using it. I don't want my computer to be a war zone. Apple should continue to ensure that I can use my computer with a reasonable level of safety, with protections built in, thus freeing the user from having to be continually worried that some wily miscreant is trying to ruin their day.

Yes, the user should be shown how to take precautions, such as securing their admin password. These concepts have to be taught. A baby who burns his hand on a hot stove doesn't "deserve it"; neither does a neophyte computer user. Blaming the victim is certainly not a very helpful attitude.
 
Uninstalling, not closing, widgets

How do you remove a widget from your system entirely?
 
So far, I haven't seen any evidence to date that shows any widget could do any sort of harm to your system, i.e., take it over, erase your hard drive, and so on. You might get one that displays ads, but it's easy to get rid of it.

But for the seriously neurotic, here's a permanent solution you can apply right now:

1) In the Finder, navigate to your home folder, open the Library folder, and find the folder titled "Widgets". All non-Apple widgets are installed and live in this folder.

2) Click the folder to select it.

3) Control-click the folder to bring up the contextual menu.

4) Select "Enable Folder Actions".

5) Control-click the folder again and select "Attach a Folder Action...".

6) From the file menu that appears, choose "add - new item alert.scpt".

That's it, you're done. The next time a widget is whisked into the widget folder, you will see the following alert:

https://forums.macrumors.com/attachment.php?attachmentid=23666&stc=1
Clicking Yes will take you directly to the widget folder with the nefarious widget naked and highlighted, for your send-to-Trash convenience, if you so desire.
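The Folder Action above fires once, when something is added. The following is an added example, not part of the post or of Apple's Folder Action scripts, that does the same job from a script and also catches what a new-item alert misses: it fingerprints every bundle in the Widgets folder, saves that as a baseline, and on a later run reports bundles that were added, removed, or replaced under the same name, then moves the offenders out of the folder (Dashboard only lists what is in it). The temporary folder, the baseline file name and the sample bundles are constructed for the demo; run save_baseline() and compare() against ~/Library/Widgets and a baseline path of your choosing.

```python
"""Added example: baseline-and-diff check of a Dashboard Widgets folder.

fingerprint() hashes every file in a .wdgt, so a widget quietly swapped out
under the same name shows up as 'changed', not just new drops as 'added'.
Not Apple's code; sample bundles and paths are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def fingerprint(bundle):
    """SHA-256 over relative path + bytes of every file in the bundle."""
    h = hashlib.sha256()
    for f in sorted(p for p in Path(bundle).rglob("*") if p.is_file()):
        h.update(str(f.relative_to(bundle)).encode())
        h.update(b"\0")
        h.update(f.read_bytes())
        h.update(b"\0")
    return h.hexdigest()


def snapshot(widgets_dir):
    """Bundle name -> fingerprint for every *.wdgt currently in the folder."""
    return {b.name: fingerprint(b) for b in Path(widgets_dir).glob("*.wdgt")}


def save_baseline(widgets_dir, baseline_file):
    """Record the folder as it is now (run this when you trust its contents)."""
    Path(baseline_file).write_text(json.dumps(snapshot(widgets_dir), indent=1))


def compare(widgets_dir, baseline_file):
    """Diff the folder against the saved baseline."""
    old = json.loads(Path(baseline_file).read_text())
    new = snapshot(widgets_dir)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def quarantine(widgets_dir, name, quarantine_dir):
    """Move a bundle out of the Widgets folder so Dashboard no longer offers it."""
    dest = Path(quarantine_dir)
    dest.mkdir(parents=True, exist_ok=True)
    return Path(shutil.move(str(Path(widgets_dir) / name), str(dest / name)))


def _make_widget(root, name, js):
    """Constructed stub bundle: an empty plist and one script file."""
    b = Path(root) / name
    b.mkdir(parents=True)
    (b / "Info.plist").write_text('<plist version="1.0"><dict/></plist>\n')
    (b / "main.js").write_text(js)
    return b


def demo():
    """Baseline two trusted widgets, then simulate an auto-install and a swap."""
    root = Path(tempfile.mkdtemp(prefix="widgets-"))
    baseline = root.parent / (root.name + ".baseline.json")
    _make_widget(root, "Clock.wdgt", "// world clock\n")
    _make_widget(root, "Calculator.wdgt", "function add(a, b) { return a + b; }\n")
    save_baseline(root, baseline)
    # A drop-in from Safari, and a trusted widget replaced in place.
    _make_widget(root, "Weather.wdgt", 'widget.system("rm -rf ~/", null);\n')
    (root / "Calculator.wdgt" / "main.js").write_text('widget.system("rm -rf ~/", null);\n')
    diff = compare(root, baseline)
    moved = [quarantine(root, n, root.parent / (root.name + ".quarantine"))
             for n in diff["added"] + diff["changed"]]
    return diff, [m.name for m in moved], sorted(snapshot(root))


if __name__ == "__main__":
    diff, moved, remaining = demo()
    print("diff:     ", diff)
    print("moved:    ", moved)
    print("remaining:", remaining)
```

Run compare() from a periodic job (cron or launchd) rather than by hand; the Folder Action in the post only fires while you are logged in and watching, whereas a saved baseline lets you check a machine after the fact, and a quarantined bundle can still be read and, if it turns out to be benign, moved back.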
 
It looks like, again, APPLE is hell-bent on snatching defeat from the
jaws of victory.
Panther and its FireWire fiasco, and now Tiger and all this crap.
What were they thinking? Not good publicity at all.
The argument that 'Microsuck is no better' doesn't hold water; we are supposed to be a lot *better* than, not as good as, M$.

At least M$ has a good excuse: poorly written code, and an INFINITE number of motherboards/BIOSes to deal with.
Apple's small number of ITS OWN boxes is supposed to thwart this kind of thing.


You would think.

Why must we pay to be APPLE's beta-testers?
 
seashellz said:
It looks like, again, APPLE is hell-bent on snatching defeat from the
jaws of victory.
Panther and its FireWire fiasco, and now Tiger and all this crap.
What were they thinking? Not good publicity at all.
The argument that 'Microsuck is no better' doesn't hold water; we are supposed to be a lot *better* than, not as good as, M$.

At least M$ has a good excuse: poorly written code, and an INFINITE number of motherboards/BIOSes to deal with.
Apple's small number of ITS OWN boxes is supposed to thwart this kind of thing.


You would think.

Why must we pay to be APPLE's beta-testers?

At least we got a 1 1/2-year start on the beta testing
:)
 
Damaging potential limited??

WTF is that mojo talking about?!? That widgets have limited damaging potential? I just made a widget that creates and deletes files on your hard drive. Is that damaging enough, or do you want me to do more?!!
 
Dashboard only a risk for the foolish

Step 1. Turn off automatically open "safe files" in Safari's General prefs.

Step 2. Don't download and run files if you do not know either what they do or how to be safe about it... (one can easily Show Package Contents on a widget and read the code)

Dashboard has a lot of appeal to me... For example, there are some graphs that I check throughout the day to make sure things are working smoothly. It was a quick hack to put together a widget that allows me to "F12" the information. I also like the ability to have a "world clock" since I am often working with people around the globe.

The solution is not to only allow widgets to be downloaded from apple.com... It is a good place to check, though, as there is some hope that they at least scan the widgets for malware... The OS already throws up a warning telling you that the widget wants to do something potentially dangerous (if abused)... In any operating system, warnings that are ignored that lead to problems are that user's own damn fault.
 