Comments

Sat, May 7, 2005, @ 22:23

1- John Dowdell

Hmm, interesting. I haven't upgraded yet, but if a widget requires any permissions beyond that of a web page, then it must present a standard dialog box to request various permissions, is that how it works?

tx, jd

Sun, May 8, 2005, @ 0:25

2- chris bush

does that mean if someone built a widget to run a malicious script on your machine, you could open, run, and infect your machine without even being asked?

Sun, May 8, 2005, @ 1:56

3- Peter da Silva

Dude.

Ever since Dashboard was announced this has been something I've been worried about, because a widget is just a special kind of web page, but widgets can run Cocoa (native code) elements. Being able to run native code elements from a browser window has been the BIG security hole at Microsoft for getting on for a decade now.

But.

Being able to run a widget that doesn't contain any native code elements from a browser is not inherently any more dangerous than displaying a web page from a browser. Because a widget is just a packaged fancy web page. It would have been surprising if you couldn't run at least some widgets from the browser. Because, again, it's just a web page.

And.

But... as far as I have been able to tell, you can only run the special kinds of widgets that include native code elements from Dashboard. So what you're looking at isn't a security hole. That doesn't mean there is one, or there isn't one, but this isn't a sign one way or the other.

Sun, May 8, 2005, @ 9:39

4- Pete

jd - basically, the widget will install and then you have to open it to set any specific preferences such as usernames etc (for say, a flickr uploader). But, when you download it, it automatically installs and I have to admit this really surprised me the first time it happened although I didn't explore the possibilities at the time.

Chris - Peter is right. The code it could run is limited to that of a web page. The core technology is purely html, css and javascript - that's it really. But, there are a couple of things that could mess with someone's day maybe...

First, a web page, if wanting to be nasty, could have your computer downloading a large number of widgets - your computer would then just install all of them. The interface for Dashboard isn't that good as you increase the number of installed widgets and could easily get ott. Plus, removing widgets requires delving into the /library or /user/library folders and for a less technical user this could prove problematic maybe.

Secondly, again aimed at the less tech-savvy user would be a widget that claimed to be doing nasty stuff thereby simply messing with the user's head. This would soon destroy Dashboard's reputation even if there was nothing to worry about...

Obviously this needs more thought, and experimentation but generally I agree with Peter - there is no apparent risk here just perceived risk. But, after reading it I thought it should be shared...

Sun, May 8, 2005, @ 14:55

5- philby

More on this here: http://episteme.arstechnica.com/eve/ubb.x/a/tpc/f/8300945231/m/200006323731.

If you have a default Safari install (i.e. open "safe" files after downloading is checked "on"), following this link http://www1.cs.columbia.edu/~aaron/files/widgets/ will open a webpage that automatically downloads and installs widgets that pretend to be Apple's standard widgets.

From the Webpage:
WARNING! Opening the
iTunes widget may make your system unusable!
The iTunes widget in this collection demonstrates how a widget that appears to be a normal Apple widget, loaded without your knowledge and with no click-through `yes I'm a dummy' dialogue box, can hijack your system and render it unusable. ONLY click on this widget if you are prepared to LOSE ANY OPEN DOCUMENTS. The widget will rapidly switch between the Address Book, Chess, and DVD Player applications; only if you are very fast at the command-tab-Q, followed by a `killall Dock' in the Terminal, will you have a possibility of recovering your system after opening the iTunes widget. YOU HAVE BEEN WARNED.

Sun, May 8, 2005, @ 18:06

6- ben Hollingsworth

....Sorry to introduce a smug, 'I told you so' tone here, but I think you'll find that PC users have long been aware and wary of these kind of 'don't worry, we'll do the work for you' features. The fact that Tiger is bowing to the public perception of an easily-updated, easy to use OS is a shame; a little work on the user's part prevents a multitude of sins!

And unfortunately......we Mac users, revelling in our virus-free duvet-padded IT world can't even blame Bill Gates for this 'step-forward'! It is entirely down to Apple trying to compete rather than innovate (see any Jaguar car of the last decade. They still hanker after the E-Type and the S-Type, both fantastic cars when offered-up against the Austin A40, but pretty pants when compared to the Mazda MX5).

Mon, May 9, 2005, @ 19:31

7- John Dowdell

Thanks for the context. So far I haven't seen a scenario that strikes me as meaningful.

Right now it seems to be at that same level as a malicious webpage, sans exploits, which could end a browsing session by putting a JavaScript alert in a loop.

That "could download lotsa widgets which are a hassle to remove" scenario sounds more serious than a Fark page with many large photos, or similar web rudeness, because the clog persists across browser starts.

Is that "clog the Dashboard" exploit the biggest one which has been found so far...?

tx, jd/mm