“One developer claims to have found a security hole in Apple’s new Tiger operating system. According to his website, Apple’s highly touted Dashboard technology, found in the new version of Mac OS X 10.4, has a security vulnerability that could cause malicious third-party sites to auto-install a Widget, a small program designed to display Internet content on the desktop,” MacNN reports.
“If you’re running Safari on OS X Tiger and go to this website, a ‘slightly evil’ Dashboard widget will be automatically downloaded and installed and can’t be removed without manually removing the file from the Library folder and rebooting the computer.”
MacNN reports, “The author says it is a demonstration of ‘how easy it is to exploit Dashboard for nefarious purposes.’ A subsequent discussion by the author outlines other ‘more evil’ exploits of the security hole.”
Full article, with the link to the demo widget site, here.
Slashdot has a discussion regarding this here.
Apple’s developer pages regarding Dashboard Security note that if a Widget attempts to access your file system, Java applets, or other sensitive parts of your system, and the Widget is located outside of /Library/Widgets/, a dialog is presented to the user on the Widget’s first load. The dialog asks the user whether or not they want to use the widget. If the request is approved, the widget is loaded and granted access to the resources that it requested.
The issue, of course, is that a nefarious Widget could promise you something wonderful, entice you to allow it to load, and then do something unexpected. Apple’s Dashboard Security page is here.
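Since the consent dialog is the only gate, and a widget that slips into the user’s widget folder stays there until the file is removed by hand, the practical defender step is to know what is installed and what each widget asks for. The script below is an added illustration, not code from the article or from Apple; it assumes the standard widget bundle layout (a `.wdgt` folder containing `Info.plist`) and that the access-request keys it checks are the ones Apple’s Dashboard documentation defines.

```python
import plistlib
import tempfile
from pathlib import Path

# Access keys a widget declares in its Info.plist (assumed from Apple's
# Dashboard docs; the article itself only names file system and Java access).
SENSITIVE_KEYS = ("AllowFileAccessOutsideOfWidget", "AllowFullAccess",
                  "AllowInternetPlugins", "AllowJava", "AllowNetworkAccess",
                  "AllowSystem")
TRUSTED_DIR = Path("/Library/Widgets")  # Apple-shipped widgets: no consent dialog

def requested_access(info: dict) -> list:
    """Sensitive capabilities the widget asks for in its Info.plist."""
    return [k for k in SENSITIVE_KEYS if info.get(k) is True]

def classify(widget_path: Path, info: dict) -> dict:
    """Describe one widget: where it lives, what it requests, and whether the
    consent dialog would have gated it (outside /Library/Widgets and asking
    for sensitive access)."""
    outside = TRUSTED_DIR not in widget_path.parents
    access = requested_access(info)
    return {
        "name": info.get("CFBundleIdentifier", widget_path.name),
        "path": str(widget_path),  # what to delete if the widget is unwanted
        "user_installed": outside,
        "requests": access,
        "consent_gated": outside and bool(access),
    }

def audit(widgets_dir: Path) -> list:
    """Walk a widgets folder (e.g. ~/Library/Widgets, where a browser-delivered
    widget would land) and report every bundle found."""
    report = []
    for bundle in sorted(widgets_dir.glob("*.wdgt")):
        plist = bundle / "Info.plist"
        if not plist.is_file():
            continue
        with plist.open("rb") as fh:
            report.append(classify(bundle, plistlib.load(fh)))
    return report

def demo() -> list:
    """Constructed sample folder: one harmless widget, one asking for system access."""
    root = Path(tempfile.mkdtemp())
    samples = (("clock", {}),
               ("evil", {"AllowSystem": True, "AllowFileAccessOutsideOfWidget": True}))
    for name, extra in samples:
        bundle = root / f"{name}.wdgt"
        bundle.mkdir()
        with (bundle / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleIdentifier": f"com.example.{name}", **extra}, fh)
    return audit(root)
```

Run `audit(Path.home() / "Library" / "Widgets")` on a real machine to list user-installed widgets and the capabilities each one declares.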
The Widget developer, stephan.com, concludes, “Apple has done a pretty good job of it – the only real change I would consider is re-thinking the logic behind autoinstall, and for heaven’s sake, please provide a way to remove widgets, ideally from outside the Dashboard.”