news of 2005-05-09

Malicious widgets? Don't be afraid. Be careful.

The web's abuzz with talk of how Dashboard widgets are a security risk. Worst case scenario: It's almost as bad as Windows without a firewall using an unpatched Internet Explorer. But let's get this straight, shall we...

Let's say I develop a widget that does nothing but erase all of the user's files. It needs no user interaction, no button to click. That's possible, since widgets can execute console commands. If I'm VERY evil, I'll create a nice page for that widget, advertising it as something you really want. (Imagine it to be the widget you've been waiting for.) So you'll download it. Say, in Safari. It gets automatically installed in the Widgets folder of your user's Library. But SO FAR NOTHING'S HAPPENED YET! No files have been erased. So, no: A click on the web won't suddenly erase your files. Sure: If you _activate_ that widget in Dashboard or Amnesty, it'll do its trick. But that's expected and well-documented behaviour. Apple can't prevent a user from destroying his or her own files! I can write AppleScripts that erase your files, applications that erase your files, I can even just tell you to try "rm -rf ~/*" in your Terminal yourself. If you happen to try out what I (well, the luckily non-existent veryevilme) suggest, you're on your own. But that's certainly not the same thing as internet worms finding their way through a security hole onto the Windows PC of your choice and doing malicious things _without_ any user interaction.

For the time being, you should disable Safari's option to open "safe" files on its own after downloading. But more basically, you just shouldn't download everybody's widgets and try them out. If you must, do it using a test account on your Mac (so it'll only erase the test account's files, not your real ones).
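Since widgets only get console access when their bundle asks for it, one more thing you can do is look at what landed in your Widgets folder before activating anything. The script below is an added example, not something from this site: it assumes a widget is a `Name.wdgt` directory with an `Info.plist`, and that the plist keys `AllowSystem` and `AllowFullAccess` are what grant a widget the ability to run system commands (my reading of Apple's widget docs, stated here as an assumption). The sample widgets it builds are constructed for the demo.

```shell
#!/bin/sh
# Audit installed Dashboard widgets for console-command access.
# Assumption: ~/Library/Widgets holds *.wdgt bundles, each with an Info.plist;
# AllowSystem / AllowFullAccess set to <true/> are the keys that let a widget
# call widget.system(). Added example, not code from the original post.
WIDGET_DIR="${WIDGET_DIR:-$HOME/Library/Widgets}"

# plist_bool FILE KEY -> prints "true" if <key>KEY</key> is followed by <true/>
plist_bool() {
    # Strip whitespace so key and value match even when split across lines.
    tr -d '\n\t ' < "$1" | grep -q "<key>$2</key><true/>" && echo true || echo false
}

# widget_flags BUNDLE -> one line: name, system flag, full-access flag
widget_flags() {
    plist="$1/Info.plist"
    [ -f "$plist" ] || { echo "$(basename "$1") missing-Info.plist"; return 1; }
    echo "$(basename "$1") system=$(plist_bool "$plist" AllowSystem) fullaccess=$(plist_bool "$plist" AllowFullAccess)"
}

# audit_widgets DIR -> prints every widget; returns 1 if any can run commands
audit_widgets() {
    rc=0
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        line=$(widget_flags "$w")
        echo "$line"
        case "$line" in *"system=true"*|*"fullaccess=true"*) rc=1 ;; esac
    done
    return $rc
}

# make_sample -> builds two constructed widgets in a temp dir and prints its path:
# Clock asks for nothing, Shiny asks for AllowSystem (the "too good to be true" one).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/Clock.wdgt" "$d/Shiny.wdgt"
    printf '<plist version="1.0"><dict>\n<key>CFBundleIdentifier</key><string>example.clock</string>\n</dict></plist>\n' > "$d/Clock.wdgt/Info.plist"
    printf '<plist version="1.0"><dict>\n<key>CFBundleIdentifier</key><string>example.shiny</string>\n<key>AllowSystem</key>\n\t<true/>\n</dict></plist>\n' > "$d/Shiny.wdgt/Info.plist"
    echo "$d"
}

# Run against the real folder when it exists; a non-zero exit means "look closer".
if [ -d "$WIDGET_DIR" ]; then audit_widgets "$WIDGET_DIR"; fi
```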

[ written by fryke™ on 2005-05-09 at 13:22 CET ]