May 11th, 2005
Are Apple’s New Desktop Widgets a Security Threat?
Apple’s new and well-received TigerOS has a feature called “Dashboard” that runs beautiful little applets called “widgets.” I have been using Konfabulator, a cross-platform version of widgets that many believe Apple stole for the new OS. (If you haven’t tried Konfabulator, you can download it for free; it works on Windows and Mac with no operating system upgrade required.)
All drama aside, it looks like the self-install feature of the new widgets makes them an ideal target for a security threat. Here’s a report from Wired News:
“A new feature of Mac OS X Tiger, Dashboard is a suite of simple programs called widgets that often access information on the Internet. Tiger comes preloaded with 14 widgets, including a world clock, a dictionary and a weather station. For the convenience of users, most widgets automatically install themselves. But experts fear any program that auto-installs is ripe for exploitation.
“Dashboard allows any user with basic skills in HTML or JavaScript to build their own widgets. Apple’s Dashboard widgets page, as well as third-party sites like Dashboard Widgets, maintain constantly updated databases, but it’s not clear if the sites vet their offerings. Further, there is no immediate way to delete a widget that has been installed. According to Tiger’s own Help file, “You cannot remove widgets from the Widget Bar or change their order.”
“A growing number of Mac experts are sounding the alarm over the dangers of widgets — which can carry Unix commands that could be run invisibly from within a widget. “It’s really just wrong and stupid of (Apple) to not give a regular user a way to take widgets out of Dashboard,” said Stephan Meyers, an unemployed artist and developer who was one of the first to publicize the hole. “It just flat-out says you cannot remove a widget from Dashboard. That’s just dumb.”
“Meyers felt so strongly that Apple erred by not giving Tiger users a way to delete widgets directly from Dashboard that he created two of the downloadable tools designed to demonstrate the vulnerability. His Zaptastic widget (warning: following the link in Safari automatically downloads Zaptastic.wdgt) is benign, but when run, it loads a Safari browser and takes the user to a web page promoting the forthcoming launch of a new online payment system.
But on his website, Meyers argues that widgets can carry a dangerous payload. His Zaptastic Evil is a widget that, when run, forces a user’s computer to open a Safari browser pointing at the online payment site every time Dashboard is booted.” Source: Wired News
jfb3 says:
To disable or remove widgets try:
1) Widget Manager: http://mac.sofotex.com/download-128481.html “allows you to inspect, remove, and disable Dashboard Widgets”
2) Apple Documentation: http://www.apple.com/support/mac101/work/4/
May 11th, 2005 at 9:30 am
justin says:
I have Tiger and I love it. But from what I’ve heard and seen Apple rushed this OS out. It still had bugs (as you can see in anandtech’s review of the OS), and now a security flaw. Apple is going to have to be careful, or they will just become a slightly more lickable Microsoft.
May 11th, 2005 at 9:33 am
Jason says:
I don’t think Apple OR Microsoft are particularly lickable. Ewww…
May 11th, 2005 at 10:00 am
justin says:
http://www.flamingmailbox.com/maccomedy/articles/010620ibook.html
May 11th, 2005 at 10:54 am
Jason says:
Good one!
I hear from a Mac guru that Apple already has the first Tiger OS patch testing for release.
May 11th, 2005 at 12:35 pm
justin says:
Yeah, but I’d say there’s a good chance it won’t fix the widget problem (unless they delay the patch so they have time to fix it).
May 11th, 2005 at 12:51 pm
David says:
I don’t think it’s really that surprising that there are bugs in Tiger, though it is disappointing that some of them are so obvious and should have been thought of. Of course, MS had the whole Messenger Service issue. That was horrible.
May 11th, 2005 at 1:42 pm
Dave Barnes says:
As Chevy Chase said to Jane Curtin on SNL: “Jane, you ignorant slut.”
The solutions to this problem are simple:
1. Use Firefox as your browser.
2. Turn off the auto install feature in Safari.
3. Wait for Apple to change the defaults.
People who don’t pay attention deserve to be slaughtered.
,dave
May 11th, 2005 at 6:42 pm
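Dave’s steps and the post’s point that a widget can carry Unix commands both come down to knowing which widgets are installed and what each one is allowed to do. Here is an added example, not from the original post or from Apple: a POSIX shell audit that inventories .wdgt bundles, flags any whose Info.plist requests the AllowSystem or AllowFullAccess entitlement, and checks whether Safari still auto-opens “safe” downloads. The plist key names, the Safari preference name and the widget folder paths are assumptions taken from Apple’s developer documentation, not from this page.

```shell
#!/bin/sh
# Added audit script (not from the original post or from Apple). Inventories
# Dashboard widget bundles and flags those whose Info.plist requests AllowSystem
# (widget may run shell commands) or AllowFullAccess. Assumed, not from the page:
# the XML Info.plist layout, these two entitlement key names, Safari's
# AutoOpenSafeDownloads key, and the ~/Library/Widgets and /Library/Widgets paths.

# widget_flags BUNDLE -> prints the risky keys that are set to <true/>
widget_flags() {
    plist="$1/Info.plist"; out=""
    [ -f "$plist" ] || return 0
    flat=$(tr -d '\n\r\t ' < "$plist")   # so <key>X</key><true/> is one string
    for k in AllowSystem AllowFullAccess; do
        case "$flat" in *"<key>$k</key><true/>"*) out="$out$k " ;; esac
    done
    printf '%s\n' "${out% }"
}

# count_risky_widgets DIR -> prints how many *.wdgt bundles in DIR request a
# risky key; each bundle and its flags are listed on stderr for the operator
count_risky_widgets() {
    n=0
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        f=$(widget_flags "$w")
        printf '%s: %s\n' "$(basename "$w")" "${f:-none}" >&2
        if [ -n "$f" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# safari_autoopen_enabled -> succeeds when Safari still opens "safe" files after
# download (the setting that installs a clicked .wdgt); Mac only
safari_autoopen_enabled() {
    command -v defaults >/dev/null 2>&1 || return 1
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) || v=1
    [ "$v" = "1" ]
}

# make_sample_widgets DIR -> constructed sample: a benign bundle and one that
# asks for shell access, the kind of widget the post warns about
make_sample_widgets() {
    mkdir -p "$1/Clock.wdgt" "$1/Suspect.wdgt"
    printf '<plist><dict><key>AllowNetworkAccess</key><true/></dict></plist>' \
        > "$1/Clock.wdgt/Info.plist"
    printf '<plist><dict>\n\t<key>AllowSystem</key>\n\t<true/>\n</dict></plist>' \
        > "$1/Suspect.wdgt/Info.plist"
}
```

On a Tiger machine, source the file and run `count_risky_widgets "$HOME/Library/Widgets"` and `count_risky_widgets /Library/Widgets`, then `safari_autoopen_enabled && echo "auto-open still on"` to confirm step 2 of the advice above has taken effect.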
Jason says:
Good tip, bad attitude.
Using Firefox is smart, but it still doesn’t excuse or eliminate the actual widget problem.
May 11th, 2005 at 10:04 pm
Alice says:
Dave - dios mio. Good advice but my goodness!
May 11th, 2005 at 10:58 pm