Forwarding Address: OS X

Saturday, May 07, 2005

Major, major automatically-downloading-and-executing widget warning

This very scary article shows that Apple screwed up really, really badly on security in Tiger. If Safari's "Open 'safe' files after downloading" option is on, a web page can push a widget into your Dashboard widget set, and you can't remove it. I have had that setting turned off in Safari (and in every other browser I use) since day 1, but it looks like this person is right.

If Apple is trying to compete with Microsoft on security cluelessness, Cupertino just moved a few miles closer to Redmond.
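The practical check after reading this is to look at what actually landed in your user-level Widgets folder and whether any of it asks for more than a widget needs. The script below is an added example, not code from the post or from Apple: it walks a Widgets folder, reads each bundle's Info.plist, and reports the bundle identifier together with any of the Dashboard privilege keys (AllowSystem, AllowFullAccess, AllowFileAccessOutsideOfWidget, AllowNetworkAccess, AllowInternetPlugins, taken from Apple's widget Info.plist conventions, not from this page) that are set to true. The two widgets built by make_sample_widgets are constructed here for demonstration; the com.example identifiers and the bundle names Clock and Dropped are made up.

```shell
#!/bin/sh
# Audit a Dashboard Widgets folder for bundles that arrived without the user
# noticing. A widget is a *.wdgt bundle with an Info.plist; the Allow* keys
# below are the ones Dashboard honours to widen a widget's privileges
# (AllowSystem lets widget.system() run shell commands).

# plist_string FILE KEY: print the <string> that follows <key>KEY</key>
plist_string() {
    awk -v k="$2" '
        index($0, "<key>" k "</key>") {
            getline
            sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
            print; exit
        }' "$1"
}

# plist_true FILE KEY: succeed only if <key>KEY</key> is followed by <true/>
plist_true() {
    [ "$(awk -v k="$2" '
        index($0, "<key>" k "</key>") {
            getline
            if (index($0, "<true/>")) print "yes"
            exit
        }' "$1")" = yes ]
}

# audit_widgets DIR: one line per bundle, "<bundle>TAB<identifier>TAB<privileges>"
audit_widgets() {
    for plist in "$1"/*.wdgt/Info.plist; do
        [ -f "$plist" ] || continue
        bundle=$(basename "$(dirname "$plist")")
        id=$(plist_string "$plist" CFBundleIdentifier)
        flags=""
        for key in AllowSystem AllowFullAccess AllowFileAccessOutsideOfWidget \
                   AllowNetworkAccess AllowInternetPlugins; do
            plist_true "$plist" "$key" && flags="$flags $key"
        done
        flags="${flags# }"
        printf '%s\t%s\t%s\n' "$bundle" "${id:-<no identifier>}" "${flags:-(none)}"
    done
}

# risky_widgets DIR: only the bundles that can run commands or read the whole file system
risky_widgets() {
    audit_widgets "$1" | awk -F '\t' '$3 ~ /AllowSystem|AllowFullAccess/ { print $1 }'
}

# write_widget DIR NAME IDENTIFIER [ALLOW-KEY ...]: create a minimal widget bundle
write_widget() {
    wdir="$1/$2.wdgt"; ident="$3"; shift 3
    mkdir -p "$wdir"
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
        printf '\t<key>CFBundleIdentifier</key>\n\t<string>%s</string>\n' "$ident"
        for key in "$@"; do printf '\t<key>%s</key>\n\t<true/>\n' "$key"; done
        printf '</dict>\n</plist>\n'
    } > "$wdir/Info.plist"
}

# make_sample_widgets DIR: constructed sample data, not real Apple widgets.
# "Clock" is a plain widget; "Dropped" stands in for one pushed by a web page
# and asks for shell and network access.
make_sample_widgets() {
    write_widget "$1" Clock com.example.clock
    write_widget "$1" Dropped com.example.dropped AllowSystem AllowNetworkAccess
}

# Stand-alone run: audit the folder named as $1, or the constructed sample if none.
if [ -n "${1:-}" ]; then
    audit_widgets "$1"
else
    sample=$(mktemp -d)
    make_sample_widgets "$sample"
    audit_widgets "$sample"
    rm -rf "$sample"
fi
```

On a Mac, run it as `sh audit_widgets.sh "$HOME/Library/Widgets"`; anything in the risky_widgets output that you did not install yourself deserves a look before it is ever dragged onto the Dashboard. Turning the Safari checkbox off in Preferences is the fix for the delivery side; the script only covers what has already arrived.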

4 Comments:

  • Can I be rude?
    Okay?

    It's STUPID to write this.

    This has nothing to do with Microsoft or "security".

    The main problems of Windows are TECHNICAL HOLES the USER DOESN'T KNOW ABOUT AND CAN'T REMOVE!
    (stuff like using a specific Windows network service to create havoc WITHOUT ANY NEED FOR THE USER!)

    Here, the user still has to download a bad widget.

    And like ALL stuff: NEVER NEVER NEVER download weird applications/widgets/binaries/plugins/whatever from unknown sources.

    There are NO techniques to help with that.
    There are NO magical CPU or system things to help with that.
    There is NO HOPE.


    Anyway: it's a REAL problem, as are all ways of automating the installation of stuff. Apple should control it more (force a dialog box, or remove the possibility of launching utilities or free(dom) Cocoa code inside Dashboard).

    It's a "social engineering" problem here. A typical one, and not so new (anyone can easily install a new application or a startup item or anything else they don't know about when they "accept" something).

    But it's NOT like Microsoft.

    Don't make that mistake. Windows problems were/are TECHNICAL bugs (a hacker can manipulate some things in Windows without your help, only a network).

    We must never forget the differences,
    because social engineering is not an easy thing to prevent; the only TRUE solutions are to remove freedom from users or to educate them. It's mostly impossible.

    OmniWeb or Firefox have no problems with this stuff (they will put the bad widget on the desktop) because they don't know how to "auto-install".

    Easier but dangerous, or less easy?

    Or add another setting in System Preferences? (a way to remove Dashboard widgets with a nice interface? still a thing to "configure", more headache for the user)

    I figure Apple will remove the "auto-install" stuff from Safari, and will let the Finder (or a utility) do it AFTER a huge dialog box asking whether to install it in Library/Widgets.

    There are thousands of "social engineering" ways to push people into making mistakes in ALL, ALL systems; any system you can name, I can find a way to force you to install a virus, simply because you "click".

    (In Linux, I could make a nice "package" asking to be installed by the package manager; you click okay, and if you gave your password only minutes ago (to be "easy", new interfaces ask for the password again only after five minutes), boom! it would accept to install it.)
    (There are really easy, very easy ways now to download and install new software under a modern Linux.)

    Is it a bug? Not a technical one; it's a social bug.


    You do not HAVE to say "more and more like Redmond" (it's false; a virus doesn't get installed on my computer simply because I connected it to the internet before I sneeze, thanks to the stupid no-security inside Windows, with nothing possible but to wait for the patch).

    You have to EDUCATE! (put a damn screenshot of the setting, and how to find it!)

    Educate about Library,
    about the "never trust the internet" mantra.

    So: remove that stupid "open safe documents". Remove all automation. All easy stuff.

    And Apple, add an easy way to destroy a widget; it's a fault not to have had that from the start.

    By Michel, at 12:47 PM  

  • It's not quite right to say you "can't remove it". You can just delete it from your Library/Widgets folder, and trash it.

    Actually, though, it didn't even show up on my widget bar. The widget was copied into my Widgets folder, but never showed up.

    On the other hand, it *did* show up in Safari's Downloads list, immediately, and clicking the button to show it in the Finder brings up the Widgets folder in the Finder, from which it's easy to delete the widget.

    By Jon Hendry, at 2:17 PM  

  • The linked page runs code on your machine without your permission. It attacks your computer to demonstrate that an attack is possible. Sure, it has the best intentions---but is it buggy?

    Please, please do not link to such pages at all. If you must do so, provide very clear warning.

    By Anonymous, at 9:59 PM  

  • Okay, a few things to keep in mind...

    1. It is automatically downloaded and copied into the user's widgets folder. That's the security hole. It's not installing software, it's installing a widget, a plug-in. Still not good, but not as bad as installing a daemon, for instance.

    2. It is copied into the user's widgets folder, not the system's. So the only person who could be affected would be that user's account. The other accounts on the system are unaffected.

    3. It would appear that it doesn't automatically get added to the running Dashboard. So you have to find it in the Dashboard widgets tray and deliberately drag it onto the screen to activate it.

    It's bad, it's a risk, it's embarrassing, and it needs to be fixed, but it's hardly Outlook.

    By Sly Revolutionary, at 10:31 AM  
