Wow. This has bad news written all over it.

According to Apple's documentation here (http://developer.apple.com/documentation/AppleApplications/Conceptual/Dashboard_Tutorial/Security/chapter_10_section_1.html#//apple_ref/doc/uid/TP40001340-CH210-TPXREF101):

Dashboard allows you to “declare your intentions” when you:

Access files outside of your widget bundle
Use a Web Kit or standard browser plug-in
Access network resources
Run a Java applet
Run a command-line utility
Use a widget plug-in

It further goes on to say that if your widget states that it requires one of the above resources:

a dialog is presented to users upon your widget’s first load

and also says:

If you attempt to use any of these resources without first specifying them in your widget’s information property list file, your attempt fails.

The above-linked articles don't seem to be saying they have outwitted the security Apple claims is in place. So sorry, but until this is demonstrated, these articles look like FUD.

It is possible to have widgets claiming to need resources to operate the widget and use those resources for nefarious activities, i.e. operate as a Trojan horse, but a user should be thinking twice before allowing widgets to have a password anyway.
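The declaration mechanism quoted above lives in the widget's Info.plist, so a user (or an admin vetting widgets) can audit what a bundle asks for before adding it to Dashboard. The script below is an added example, not code from this thread or from Apple; the key names are the ones Apple's Dashboard documentation defines for these intentions (they are not named in the thread, so treat them as this example's assumption), and the sample plist is constructed.

```python
import plistlib

# Info.plist keys Apple's Dashboard documentation uses for the "declared
# intentions" quoted above (key names are this example's assumption; the
# thread itself does not list them), mapped to the resource each unlocks.
ACCESS_KEYS = {
    "AllowFileAccessOutsideOfWidget": "files outside the widget bundle",
    "AllowInternetPlugins": "WebKit / browser plug-ins",
    "AllowNetworkAccess": "network resources",
    "AllowJava": "Java applets",
    "AllowSystem": "command-line utilities via widget.system()",
    "AllowFullAccess": "all of the above",
    "Plugin": "a native widget plug-in bundle",
}

# Declarations that let a widget reach past the browser-like sandbox into
# the system itself deserve the closest look before the widget is added.
HIGH_RISK = {"AllowSystem", "AllowFullAccess", "Plugin"}

def declared_intentions(plist_bytes):
    """Return (key, description, risk) for every resource the Info.plist declares."""
    info = plistlib.loads(plist_bytes)
    found = []
    for key, desc in ACCESS_KEYS.items():
        value = info.get(key)
        # Allow* keys are booleans; Plugin names a bundle and counts when non-empty.
        declared = bool(value) if key == "Plugin" else value is True
        if declared:
            found.append((key, desc, "high" if key in HIGH_RISK else "medium"))
    return found

def shows_first_load_dialog(plist_bytes):
    """Per the quoted docs, any declared resource triggers the first-load dialog."""
    return bool(declared_intentions(plist_bytes))

# Constructed sample Info.plist for a hypothetical widget (not a real product).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.stockticker</string>
  <key>AllowNetworkAccess</key><true/>
  <key>AllowSystem</key><true/>
  <key>AllowJava</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    for key, desc, risk in declared_intentions(SAMPLE_PLIST):
        print(f"[{risk}] {key}: {desc}")
    print("first-load dialog:", shows_first_load_dialog(SAMPLE_PLIST))
```

A widget that declares nothing gets no dialog and, per the quoted docs, fails if it tries to reach those resources anyway; one that declares AllowSystem is asking for exactly the power the thread's "Trojan horse" scenario needs.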

05-12-2005, 03:37 PM
Apple is trying to make the jump to a larger demographic of people. They want to expand their company and expand the number of their users. IMO, this has nothing to do with someone outwitting Apple; it has to do with poor programming.

Go pick up a book on hackers (the Mitnick book, for example), and every time the hacker got through it was because the programmer used shortcuts or got sloppy, or simply did not think anyone would go to the trouble of doing something. In almost all cases the programmer is wrong. There is always someone who will go to the trouble of figuring something out.

Also, with how common spyware is getting, and the fact that people are getting paid to write it, I can see where such exploits in the OS will be examined. Part of computer security is dependent upon the OS, but the other part of it is dependent upon the user.

So far I don't think widgets have any real power over a system so you could download one and it could sit there or run and not do too much damage if any at all.

05-13-2005, 11:53 AM
I don't think users should be panicked by ill-informed or misleading comments like those posted in the threads that Sao linked to. They suggested that there was something seriously wrong with Dashboard, when in reality the problem they reported only occurred as a result of them downloading widgets with Safari, leaving the 'safe files' checkbox checked, and visiting sites where they were likely to get nefarious software. i.e. There was no problem with Dashboard at all, just downloading stuff without thinking about what was being downloaded. Users prior to Tiger have had to contend with the exact same problem if they downloaded any application. A security-conscious user not surfing as admin shouldn't have any problems here at all.

They went on to suggest that spyware and adware would take over because there's no way to remove a widget. Yes, there is! You throw it in the trash, and log out/in. It's not as if parts of your system have been replaced by the adware/spyware guys, which is par for the course on Windows (or used to be.)

The bottom line is that Dashboard is a web browser with a few extra properties, one of which is the ability to work outside the 'sandbox', i.e. interact with your system, which could be used for nefariousness. The widget has to declare that it intends to work outside the sandbox, or the security system cuts in (and it does.) This doesn't mean that Dashboard can differentiate between widgets declaring a need for system access for innocent purposes, and declaring a need prior to erasing your hard drive. You need to be alert, and understand what you are getting into. Just like with any application you've downloaded. The posts in the above threads don't help with understanding at all.

Having said all that I'd agree that there are likely to be exploits in Dashboard for the reasons tlarkin gave, that will eventually come to light - but the stuff posted isn't one.

05-13-2005, 02:43 PM
I think people are panicking about nothing. Apple should have left widgets out of the "open safe files" to be sure. But to my knowledge, widgets will only execute when you actually add them to the Dashboard. This is no different than any trojan horse that could be run.

As Bramley stated, you probably should be browsing with an admin account. I don't think you should even use an admin account, unless you have to. And you probably should pay attention when you are asked for an admin password.

05-14-2005, 10:55 AM
The problem should be fixed in 10.4.1. It sounds like widgets will be removed from the "safe files" list. It gave the Windoze camp something to point fingers about, but I think it's about to become yesterday's news.