May 11 2005

Dashboard Leaves Macs Vulnerable

  • Written by moneoa

A new feature of Mac OS X Tiger, Dashboard is a suite of simple programs called widgets that often access information on the internet. Tiger comes preloaded with 14 widgets, including a world clock, a dictionary and a weather station.


For the convenience of users, most widgets automatically install themselves. But experts fear any program that auto-installs is ripe for exploitation.


Dashboard allows any user with basic skills in HTML or JavaScript to build their own widgets. Apple’s Dashboard widgets page, as well as third-party sites like Dashboard Widgets, maintain constantly updated databases, but it’s not clear if the sites vet their offerings.


Further, there is no immediate way to delete a widget that has been installed. According to Tiger’s own Help file, “You cannot remove widgets from the Widget Bar or change their order.”


A growing number of Mac experts are sounding the alarm over the dangers of widgets, which can carry Unix commands that run invisibly whenever the widget is loaded.


“It’s really just wrong and stupid of (Apple) to not give a regular user a way to take widgets out of Dashboard,” said Stephan Meyers, an unemployed artist and developer who was one of the first to publicize the hole. “It just flat-out says you cannot remove a widget from Dashboard. That’s just dumb.”


Meyers felt so strongly that Apple erred by not giving Tiger users a way to delete widgets directly from Dashboard that he created two of the downloadable tools designed to demonstrate the vulnerability.


His Zaptastic widget (warning: following the link in Safari automatically downloads Zaptastic.wdgt) is benign, but when run, it loads a Safari browser and takes the user to a web page promoting the forthcoming launch of a new online payment system.


But on his website, Meyers argues that widgets can carry a dangerous payload. His Zaptastic Evil is a widget that, when run, forces a user’s computer to open a Safari browser pointing at the online payment site every time Dashboard is booted.


Still, Meyers said he’s not too concerned about what havoc widgets could wreak, and he said the problem is nothing new for downloadable software.


“You can’t … prevent bad programs from running on a computer,” Meyers said. “You have to strike this balance between usability and security, and that’s always the case. It’s like human immune systems: You’d never get sick if you didn’t take in air and food.”


Widgets can be removed manually by deleting them from a user’s /Library/Widgets/ folder. But that’s something many novice Tiger owners may not know how to do.
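As an added illustration (not code from the article or from any of the tools it names), a small POSIX shell audit of the widget folders just mentioned: it lists each installed bundle, flags those that ask for the ability to run shell commands, and performs the manual deletion the article describes. It assumes that a widget which may run Unix commands declares the AllowSystem key in its Info.plist, and it exercises itself on constructed throwaway bundles in a temporary directory rather than on real widgets.

```shell
#!/bin/sh
# Added example, not code from the article or any tool it names: inventory
# a Dashboard widget folder (a user's ~/Library/Widgets or the shared
# /Library/Widgets) and flag bundles that request shell access. Assumption:
# a widget that may run Unix commands sets AllowSystem to <true/> in Info.plist.

# list_widgets DIR -> one line per .wdgt bundle: "<name> system|nosystem"
list_widgets() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for bundle in "$dir"/*.wdgt; do
        [ -d "$bundle" ] || continue
        flag=nosystem
        if [ -f "$bundle/Info.plist" ] && tr -d '\n\t ' < "$bundle/Info.plist" \
            | grep -q '<key>AllowSystem</key><true/>'; then
            flag=system
        fi
        printf '%s %s\n' "$(basename "$bundle" .wdgt)" "$flag"
    done
}

# count_system_widgets DIR -> how many bundles in DIR declare AllowSystem
count_system_widgets() {
    list_widgets "$1" | awk '$2 == "system" { n++ } END { print n + 0 }'
}

# remove_widget DIR NAME -> the manual deletion the article describes; 1 if absent
remove_widget() {
    [ -d "$1/$2.wdgt" ] || return 1
    rm -rf "$1/$2.wdgt"
}

# make_sample_widget DIR NAME yes|no -> constructed bundle, only for exercising the audit
make_sample_widget() {
    mkdir -p "$1/$2.wdgt"
    {
        printf '<plist><dict>\n<key>CFBundleName</key><string>%s</string>\n' "$2"
        [ "$3" = yes ] && printf '<key>AllowSystem</key>\n<true/>\n'
        printf '</dict></plist>\n'
    } > "$1/$2.wdgt/Info.plist"
}

# Stand-alone demo on a temporary folder (point it at "$HOME/Library/Widgets" on a Mac)
demo=$(mktemp -d)
make_sample_widget "$demo" Clock no
make_sample_widget "$demo" SampleCmd yes
list_widgets "$demo"
printf 'widgets with shell access: %s\n' "$(count_system_widgets "$demo")"
rm -rf "$demo"
```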


“It does pose a certain security risk, because (widgets) can do all sorts of things web pages can’t because they’re loaded into the system all the time,” said Dan Pourhadi, an administrator at Dashboard Widgets. “It’s possible, if the developer knows what they’re doing, and a user downloads widgets from places that don’t check them.”


J. Nicholas Tolson, a Mac fan who is building his own widgets, said auto-installation is the most dangerous feature of the simple programs.


“(Apple needs) to disable the auto-install feature of widgets,” he said. “There should be some user interaction when installing things, either via an actual installer or via drag-and-drop installers that are popular on Macs.”


Mark Charbonneau, who runs Downtown Software House, which developed a free application called Widget Manager that automates the process of manipulating widgets, agreed.


“I … think that’s something that may not have been the best move on their part,” said Charbonneau. “I wouldn’t be surprised if that’s something that (Apple changes) in the future.”


Apple did not return several requests for comment.
