Developer demos ‘exploit’ in Mac OS X Tiger’s Dashboard

“One developer claims to have found a security hole in Apple’s new Tiger operating system. According to his website, Apple’s highly touted Dashboard technology, found in the new version of Mac OS X 10.4, has a security vulnerability that could cause malicious third-party sites to auto-install a Widget, a small program designed to display Internet content on the desktop,” MacNN reports.

“If you’re running Safari on OS X Tiger and go to this website, a ‘slightly evil’ Dashboard widget will be automatically downloaded and installed and can’t be removed without manually removing the file from the Library folder and rebooting the computer.”

MacNN reports, “The author says it is a demonstration of ‘how easy it is to exploit Dashboard for nefarious purposes.’ A subsequent discussion by the author outlines other ‘more evil’ exploits of the security hole.”

Full article, with the link to the demo widget site, here.

Slashdot has a discussion regarding this here.

Apple’s developer pages on Dashboard Security note that if a Widget attempts to access the file system, Java applets, or other sensitive parts of the system, and the Widget is located outside of /Library/Widgets/, a dialog is presented to the user on the Widget’s first load. The dialog asks the user whether or not they want to use the widget. If the request is approved, the widget is loaded and granted access to the resources it requested.

The issue, of course, is that a nefarious Widget could promise you something wonderful, entice you to approve its loading, and then do something unexpected with the access it was granted. Apple’s Dashboard Security page is here.

The Widget developer, stephan.com, concludes, “Apple has done a pretty good job of it – the only real change I would consider is re-thinking the logic behind autoinstall, and for heaven’s sake, please provide a way to remove widgets, ideally from outside the Dashboard.”
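Since the article notes that an auto-installed widget can only be removed by hand from the Library folder, an administrator’s first step is finding out which widgets are present and which ones request the sensitive access that triggers Apple’s dialog. The audit script below is an added example, not code from the article or from stephan.com’s widget; it assumes the standard Dashboard Info.plist privilege keys (AllowFileAccessOutsideOfWidget, AllowFullAccess, AllowSystem, AllowJava, AllowNetworkAccess, AllowInternetPlugins, each set to `<true/>` when requested) and that per-user widgets live in ~/Library/Widgets, neither of which this page states.

```shell
#!/bin/sh
# Audit Dashboard widgets in a per-user widget folder (constructed example).
# Assumption: a widget bundle is a *.wdgt directory whose Info.plist lists the
# Allow* privilege keys it wants, each followed by <true/> or <false/>.

# Print the sensitive Allow* keys a widget's Info.plist sets to true, one per line.
widget_privileges() {
    plist="$1/Info.plist"
    [ -f "$plist" ] || return 1
    awk '
        # Remember the key name, then look at the very next line for its value.
        /<key>Allow[A-Za-z]+<\/key>/ {
            sub(/.*<key>/, ""); sub(/<\/key>.*/, ""); pending = $0; next
        }
        pending != "" {
            if ($0 ~ /<true\/>/) print pending
            pending = ""
        }
    ' "$plist"
}

# Report every widget under a folder (default: the assumed ~/Library/Widgets,
# where browser-installed widgets land) that asks for elevated access.
# Returns 0 when nothing needs review, 1 when at least one widget does.
audit_widgets() {
    dir="${1:-$HOME/Library/Widgets}"
    flagged=0
    for w in "$dir"/*.wdgt; do
        [ -d "$w" ] || continue
        privs=$(widget_privileges "$w") || privs=""
        if [ -n "$privs" ]; then
            flagged=$((flagged + 1))
            printf 'REVIEW  %s requests: %s\n' "$(basename "$w")" "$(echo "$privs" | tr '\n' ' ')"
        else
            printf 'ok      %s\n' "$(basename "$w")"
        fi
    done
    [ "$flagged" -eq 0 ]
}
```

Run it as `audit_widgets` (or `audit_widgets /Library/Widgets` for system-wide widgets); a REVIEW line names a widget that would have been granted file system, Java or system access once a user clicked through the dialog, and which can then be removed from the folder by hand.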

54 Comments

  1. Start quote …………

    freebee – Here is a good article expounding on exactly the point you make – the Mac Community has ZERO tolerance for security holes – we keep our neighborhood nice – and THAT is a very big reason why OS X is so much more secure.

    http://daringfireball.net/2004/06/broken_windows

    ………….. End quote

    Unfortunately, Jack, that is just not true. Have you not seen the hoo-hah at MacIntouch over AppleScript “applications”? Did you not follow it up at SecurityFocus?

    You all thought the applications you were buying were written in a proper programming language, such as Objective-C – and written carefully and with regard for your interests.

    Uh, uh. The Mac platform is plagued with half-assed stuff written in AppleScript that frequently damages people’s hard disks and – worse – sends their admin passwords in the clear (thus exposing their passwords to Trojans). Here’s a detailed write-up:

    http://rixstep.com/1/20050501,03.html

    Worse, this has been known about for some time. Did this so-called “Mac Community” tolerate this?

    Yes, it did.

    The bottom line:

    OS X is Unix-based. Unix is secure. There are over 100 000 viruses for Windows; there are none (repeat none) for Linux or OS X. But even Unix is not immune to malfeasant attacks of various sorts – all it requires is a little “social engineering”. And it does not help matters when Apple open holes in the OS.

    Apple is quite capable of f*cking up Unix. This does not bode well for the future. Dashboard was never needed in the first place. It’s there because it “looks good” and for no other or better reason. It is flash not function. What business would want this absurdity. Apple has lost sight of what is important.

  2. Damian, thanks for pointing that out about those passwords exploits.
    I think we all like to know when something isn’t as secure as it seems to be. Just like Dashboard.

    I think you may be jumping the gun a little bit with saying, “What business would want this absurdity. Apple has lost sight of what is important.”

    For one, not everyone who uses OS X is a business user. Therefore Dashboard can be/is very appealing to many people. Personally, I like it. It’s a little bit added to the OS.

    I don’t think they’ve lost sight of what is important. Apple has made numerous other improvements to the OS. Mail is better, Safari is better, the speed has increased. Spotlight, for me, is awesome and extremely useful.

    Apple, as with other security issues directly related to its OS, will deal with this issue accordingly. Security fixes for exploits in Apple’s OS have always come out rather quickly (which cannot be said for Microsoft fixes).

    This Dashboard issue is in fact an exploit, but should we panic just yet? No. However, we should always be on our toes with exploits within the OS. Nothing is indestructible, and we can’t forget that.

  3. damian

    so buisinesses won’t want their employees QUICKLY finding;

    the calculator
    ce que signifie cette phrase means in english
    what time it is in the Chinese branch

    and more for example? i sure as hell would

    as for AppleScript applications, frankly it’s the old case of great power comes great responsibility on the part of user and company, yes AppleScript is dangerous but it’s very handy and anyone who’d consider using it would have to use the same common sense that you’d apply to any app from the net like is this from a reputable source?

    frankly i would like an option to make my computer refuse to run AppleScript that hasn’t been compiled by the mac/admin

  4. Matt: “so buisinesses won’t want their employees QUICKLY finding the calculator”

    Sorry, mate, buisnessess (sic) won’t want this crap on their machines.

    What do you mean “QUICKLY”? Have you got the caps lock stuck or what? Down Under we laugh at that.

    Businesses *won’t* buy Apple. They’ll say: look it’s worse than MS for security.

    You want a calculator, Matt. Look in the /Applications folder. Not far to seek. And this baby ain’t written in JavaScript.

    Have you got Spotlight?

    Try this:

    Command + Space > calc > Down arrow > Enter

    That didn’t kill you, did it, Matt?

    Grow up, mate.

    Windows stinks, but don’t – for God’s sake – be a Mac Fanboy. If Apple get it wrong, holler. And holler till they get it right – or move to Linux, if they won’t.
