news of 2005-05-09
Malicious widgets? Don't be afraid. Be careful.
The web's abuzz with talk of how Dashboard widgets are a security risk. Worst case scenario: It's almost as bad as Windows without a firewall using an unpatched Internet Explorer. But let's get this straight, shall we...
Let's say I develop a widget that does nothing but erase all of the user's files. Without user interaction, no button to click. That's possible, since widgets can execute console commands. If I'm VERY evil, I'll create a nice page for that widget, advertising it as something you really want. (Imagine it to be the widget you've been waiting for.) So you'll download it. Say, in Safari. It gets automatically installed in your user's Library's widgets folder. But SO FAR NOTHING'S HAPPENED YET! No files have been erased. So, no: A click on the web won't suddenly erase your files. Sure: If you _activate_ that widget in Dashboard or Amnesty, it'll do its trick. But that's expected and well-documented behaviour. Apple can't hinder a user from destroying his or her own files! I can write AppleScripts that erase your files, applications that erase your files, I can even just tell you to try "rm -rf ~/*" in your Terminal yourself. If you happen to try out what I (well, the luckily non-existent veryevilme) suggest, you're on your own. But that's certainly not the same thing as internet worms finding their way through a security whole onto the Windows PC of your choice and doing malicious things _without_ any user interactivity.
For the time being, you should disable Safari's option to execute known files on its own. But more basically, you just shouldn't download everybody's widgets and try them out. If you must, do it using a test account on your Mac (so it'll only erase the test account's files, not your real ones).
[ written by fryke™ on 2005-05-09 at 13:22 CET ]
[ contact (e-mail) ] - [ story link ] - [ back to top ]