zzen said:
I just made a widget which creates and deletes files on your hard drive. Is that damaging enough, or do you want me to do more?!!

I want more. Let's see your widget. Post a download link.
 
Peace said:
Not gonna flame ya, but even windoze users know not to give out admin passwords to anyone other than the administrator. That's why it's called administrator. That's also why there is user switching. Each user should have their own account, with the admin account used to administrate the puter.


First... thanks for not flaming. :)

Just wanted to add that there was a problem I was having with Mail (and still do from time to time) where it would ask for the mail server password for a random POP box I was checking and / or Mail would ask for the admin password. Don't know why. Haven't seen it in two updates or so. Repair permissions didn't fix it. That's why she had the admin password. Was damn annoying.
 
Applespider said:
Let's not have the download link. If it does exist, the fewer places it's referenced, the better, to stop the script kiddies joining in.
Agreed. I know this is entirely possible with dashboard's current configuration - he is not joking... (No helpful warnings either)
 
csubear said:
That's the problem! How can you be careful of things that are auto downloaded! And then auto installed!

Who cares if it's auto installed? All that means is that the widget is copied to your Widgets folder. Big deal. So it shows up in the widgets list when you want to add something to your dashboard.

The important part is that it does not auto execute. Apple has already done their job here. The first time you go to add any new widget to your dashboard, a dialog comes up to ask if you really want to do that. It's no different from downloading a program except that the widget ends up in ~/Library/Widgets while the program ends up in ~/Desktop.

This is a complete non-issue. Either the person writing the original article doesn't fully understand it, or they're a very successful troll. I can't believe it got front page coverage here.
 
VanNess said:
So far, I haven't seen any evidence to date that shows any widget could do any sort of harm to your system, i.e., take it over, erase your hard drive, and so on. Might get one that displays ads, but it's easy to get rid of it.

But for the seriously neurotic, here's a permanent solution you can apply right now:

1) In the Finder, navigate to your home folder, open the Library folder, and find the folder titled "Widgets". All non-Apple widgets are installed and live in this folder.

2) Click the folder to select it.

3) Control click the folder to bring up the contextual menu.

4) Select "Enable folder actions"

5) Control click the folder again and select "attach a folder action..."

6) From the file menu that appears, choose "add - new item alert.scpt"

That's it, you're done. The next time a widget is whisked into the widget folder, you will see the following alert:

https://forums.macrumors.com/attachment.php?attachmentid=23666&stc=1
Clicking yes will take you directly to the widget folder with the nefarious widget naked and highlighted for your send-to-Trash convenience, if you so desire.

Thanks!
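The folder action from steps 1 to 6, written out as an added AppleScript (this is not VanNess's setup nor Apple's bundled alert script): it fires on every item dropped into ~/Library/Widgets, ignores anything that is not a .wdgt bundle, and offers to send the new widget to the Trash straight from the alert, before it has ever been pulled onto the Dashboard. Save it as a compiled script in ~/Library/Scripts/Folder Action Scripts/ and pick it in step 5 instead of the stock alert; the dialog wording and button names are this example's own.

```applescript
-- Folder action: alert on new widgets added to the attached folder
-- (meant for ~/Library/Widgets) and offer to trash each one.
on adding folder items to this_folder after receiving added_items
	repeat with an_item in added_items
		tell application "Finder" to set item_name to name of an_item
		-- Only widget bundles matter here; ignore stray files.
		if item_name ends with ".wdgt" then
			tell application "Finder" to set folder_name to name of this_folder
			set msg to "A new widget was added to " & folder_name & ":" & return & return & item_name & return & return & "It is not running yet, but it will appear in your Dashboard widget bar. Send it to the Trash?"
			tell application "Finder" to activate
			display dialog msg buttons {"Keep", "Trash"} default button "Keep" with icon caution
			if button returned of result is "Trash" then
				-- Finder's delete moves the bundle to the Trash, it does not erase it.
				tell application "Finder" to delete an_item
			end if
		end if
	end repeat
end adding folder items to
```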
 
No Fear from Widgets

I have no fear from widgets and here's why: Every time I have downloaded a Widget in Safari, as of late, it has flagged the ZIP as containing a Binary and asked if I wanted to extract it. I also only download widgets from trusted sources like Apple's own repository and a few other trusted ones. I have even had a few widgets that were set up wrong and did NOT install, but dropped the widget icon on the desktop. I am simply not worried about them. I have enough to worry about. I am always careful anyway, and the only virus I have ever caught has been as a result of a stupid net admin and not my own actions (he had logged into an infected machine and then it propagated through the network....).

Also, Widgets are JavaScript, are they not? JavaScript does not even have the ability to execute outside of the sandbox. Anyway, I pass this article off as FUD.
 
admanimal said:
I think for most of us, a simple "Do you want to install this widget" prompt from Dashboard would be good enough. Probably not for the less careful user though.

This thing installed automatically. You do not get to choose to install it. It seems this is common advice given by people. Have the people giving this advice read the original article? I am not even concerned about viruses and such. I am sure the widgets behave similarly to Java (in that the widgets play in a restricted space). However, I am concerned about a new entry point for spyware and such. Imagine creating a dashboard widget that installed and displayed porn when your 10 year old daughter is surfing the web. Imagine if she attempts to close this widget, it auto opens Safari and takes her to a porn site. Imagine then that regardless of what she does (like trying to close the porn site), it just reopens more porn sites, downloads Clarion/Gator's new dashboard widget (assuming Clarion hires Mac developers immediately to exploit this), etc. See, all this mayhem and we are not even talking viruses.
 
gorkonapple said:
Also, Widgets are JavaScript, are they not? JavaScript does not even have the ability to execute outside of the sandbox. Anyway, I pass this article off as FUD.

Most widgets are (and should be) made with solely HTML, CSS, and JavaScript, as well as a few harmless PNGs and a .plist file or two.

However, it's relatively easy to write a 'Widget Plugin' in Objective-C or even AppleScript that interfaces with the HTML/JavaScript face of your widget to provide more complex features JavaScript alone cannot provide.

In essence, this can make a widget alarmingly powerful.
(In the 'Dashboard Developer Resources', however, Apple recommends against adding such a plugin unless you absolutely cannot create your widget with only Javascript.)

However, as a previous poster added, though widgets will be auto installed by default in Safari, they will not be automatically executed. They will simply appear in the available widgets bar on the Dashboard. And now some bold, for emphasis: Available widgets are not running in any way, in any form, until the user pulls them out of the bar and plunks them onto the Dashboard workspace.

A very useful Widget tool, especially for the paranoid, can be found here:
http://www.downtownsoftwarehouse.com/WidgetManager/

This way, you can deactivate or remove widgets you've installed, or you believe could be harmful.

Widget away!
-rand()
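The plug-in question above is decidable from the bundle itself: a widget's Info.plist is where it names a native plug-in or asks Dashboard for privileges beyond plain HTML/CSS/JavaScript. Here is an added Python audit (not rand()'s code nor anything shipped with Dashboard) that reads each .wdgt in a folder and reports those keys; the key names are the ones Apple's Dashboard documentation defines, and the two sample widgets it builds are constructed for the demo.

```python
"""Audit Dashboard widgets for privileges beyond plain HTML/CSS/JavaScript."""
import os
import plistlib
import tempfile

# Info.plist keys that grant a widget power beyond plain HTML/CSS/JavaScript.
RISKY_KEYS = {
    "Plugin": "bundles a native (Objective-C) plug-in",
    "AllowSystem": "may run shell commands through widget.system()",
    "AllowFullAccess": "requests every privilege at once",
    "AllowFileAccessOutsideOfWidget": "may read/write files outside its bundle",
    "AllowNetworkAccess": "may reach hosts other than the one it came from",
}

def audit_widget(wdgt_path):
    """Return the risky capabilities declared in one .wdgt bundle."""
    with open(os.path.join(wdgt_path, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    found = []
    for key, why in RISKY_KEYS.items():
        value = info.get(key)
        if key == "Plugin" and value:  # any plug-in bundle name counts
            found.append(f"{key}={value!r}: {why}")
        elif value is True:  # the Allow* keys are booleans
            found.append(f"{key}: {why}")
    return found

def audit_widgets_folder(folder):
    """Map every *.wdgt in folder (e.g. ~/Library/Widgets) to its findings."""
    return {name: audit_widget(os.path.join(folder, name))
            for name in sorted(os.listdir(folder)) if name.endswith(".wdgt")}

def make_sample_widget(folder, name, info):
    """Constructed sample data: write a minimal .wdgt with the given plist."""
    path = os.path.join(folder, name + ".wdgt")
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)

def demo():
    """Audit two constructed widgets: a plain one and one with a plug-in."""
    tmp = tempfile.mkdtemp()
    base = {"CFBundleIdentifier": "example.clock", "MainHTML": "clock.html"}
    make_sample_widget(tmp, "Clock", base)
    make_sample_widget(tmp, "Helper",
                       {**base, "Plugin": "Helper.widgetplugin", "AllowSystem": True})
    return audit_widgets_folder(tmp)

if __name__ == "__main__":
    print(demo())
```

Pointing audit_widgets_folder at a real ~/Library/Widgets lists which installed widgets are pure HTML/JavaScript and which carry a plug-in or shell access.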
 
Widgets can potentially run Perl scripts, so they can be dangerous, but it would be difficult because the user would have to be running as root to do anything really crazy, which most Mac users don't do, unlike another silly OS we all have heard about where everyone is administrator. I think that this is a minor issue, and Apple will fix it, but now since OS X has a reputation for being secure, it seems like magazines and news sites are always trying to throw up any little security issue. Like on news.com the other day, the headline read "Apple fixes handful of OS X flaws." I think flaws is a little strong for garden variety bugs. You don't see articles on the front of news.com when Microsoft releases a security update, at least not anymore; there were so many.
 
I am running Tiger and Safari, and when I click the link for that zaptastic site, it downloads but does not auto install anything.

I would imagine this only auto installs if you have "open safe files" checked in your preferences (which is selected by default).

Uncheck that and you're safe.
 
I win!

Actually I wouldn't be surprised if Apple just removed the "Open Safe Files automatically" option from Safari. Just like they removed the autorun feature from CDs back around OS 8 or so.
 
Common Sense?

Just download widgets from Apple.com and you'll be fine? They wouldn't post anything that could harm your computer? At least I hope not...
 
What a paranoid bunch you all are.

This widget doesn't essentially do anything that Dashboard wasn't designed to do. Ok, so Safari allows it to d/l without you asking it to, but from that point you have all the protection you would have with any d/l file.

I believe that in most part the panic arises from two events which together allow the widget to d/l without the user knowing and the auto install.

The d/l issue can be turned off in Safari and I'm sure an update will soon address this issue anyway. The auto install is exactly what is supposed to happen and on its own isn't particularly an issue. After all, install in this sense means moved to one single non-system folder which by now 90% of users know about anyway.

And as for those that claim to have written destructive or malicious widgets, well, these are probably the same people who claim to be descendants of Father Christmas.
 
skythefly13 said:
Just download widgets from Apple.com and you'll be fine? They wouldn't post anything that could harm your computer? At least I hope not...


You must not have gone to the site/read all the posts.

The problem with this is that when you go to the site it autodownloads the widget, then Safari auto installs the widget.

If you have run safe applications unchecked, it will not be auto installed.
 
fatfish said:
The d/l issue can be turned off in Safari and I'm sure an update will soon address this issue anyway. The auto install is exactly what is supposed to happen and on its own isn't particularly an issue. After all, install in this sense means moved to one single non-system folder which by now 90% of users know about anyway.

90 percent of users who know about their computers, but what about the many computer-illiterate Mac users? They wouldn't know where the Library folder is.
 
Sharewaredemon said:
90 percent of users who know about their computers, but what about the many computer-illiterate Mac users? They wouldn't know where the Library folder is.

Agreed. I'm surprised Apple didn't make a more elegant way of managing the widgets. They should have put the Widgets folder next to the Applications folder, or at least in the sidebar by default. Or make an application like Widget Manager. I think the first method is more consistent (that's how you deal with regular applications after all).
 
Hey Guys???

Why don't you make a folder action that moves the widget out of the ~/Library/Widgets or /Library/Widgets folder until the user is prompted for permission? That's what I did :)
 
spakers said:
Why don't you make a folder action that moves the widget out of the ~/Library/Widgets or /Library/Widgets folder until the user is prompted for permission? That's what I did :)


I took the advice of VanNess and set a folder action that tells you when a new item has been added to the folder.

"add - new item alert.scpt"
 
Sharewaredemon said:
90 percent of users who know about their computers, but what about the many computer-illiterate Mac users? They wouldn't know where the Library folder is.

I'm sure they do.

The majority of widgets come as zips, unstuff to your desktop and have to be manually installed. Most users will have encountered this and know exactly where their Library folder is, even if they didn't 14 days ago.
 
fatfish said:
I'm sure they do.

The majority of widgets come as zips, unstuff to your desktop and have to be manually installed. Most users will have encountered this and know exactly where their Library folder is, even if they didn't 14 days ago.

I suppose, but what is interesting is that the only widgets I manually installed I had downloaded before I installed Tiger, the other ones I downloaded installed automatically.
 
fatfish said:
I'm sure they do.

The majority of widgets come as zips, unstuff to your desktop and have to be manually installed. Most users will have encountered this and know exactly where their Library folder is, even if they didn't 14 days ago.

It depends. Apparently widgets that are housed in a folder when downloaded don't get the automatic treatment. If the zip contains just the widget, by itself without an enclosing folder, then it's moved to the user's widget folder, at least when Safari handles the download. Haven't checked Firefox yet. My guess is that somewhere along the line the .wdgt extension comes into play.
 
It would be nice if people who found the holes would quietly let Apple know about them instead of showing everyone else how to do it. Are they trying to help or hurt?
 
swissmann said:
It would be nice if people who found the holes would quietly let Apple know about them instead of showing everyone else how to do it. Are they trying to help or hurt?


Not sure, but for me, I have now taken preventative measures, so that now whenever something is added to my widget folder, it brings up a warning telling me, and I can choose to view the file.
 