Tiger's Dashboard Makes Macs Vulnerable

Forum Moderators: travelin cat

Message Too Old, No Replies

Tiger's Dashboard Makes Macs Vulnerable

tedster

5:21 pm on May 11, 2005 (gmt 0)

There may be a serious security issue with the Dashboard 'widgets' feature of the new Tiger OS X - it looks like personal data of all kinds can be exposed.

A new feature of Mac OS X Tiger, Dashboard is a suite of simple programs called widgets that often access information on the internet... For the convenience of users, most widgets automatically install themselves. But experts fear any program that auto-installs is ripe for exploitation....
Further, there is no immediate way to delete a widget that has been installed. According to Tiger's own Help file, "You cannot remove widgets from the Widget Bar or change their order."
[wired.com...]

EliteWeb

5:36 pm on May 11, 2005 (gmt 0)

Im sure this 'feature' will be deactived by default from now on. iCalendar also allows for automatic addition with events sent via email.

tstaheli

7:29 pm on May 11, 2005 (gmt 0)

"Further, there is no immediate way to delete a widget that has been installed. According to Tiger's own Help file, "You cannot remove widgets from the Widget Bar or change their order.""

On your Hard Drive click Library > Widgets > Then drag the widget you don't want to the Trash. Sounds pretty simple to me to remove.

EliteWeb

7:51 pm on May 11, 2005 (gmt 0)

tstaheli, correct that is how you do it :) I think those directions may scare some people. :D They dont want you to play with files!

timster

8:21 pm on May 11, 2005 (gmt 0)

A funky thing about Widgets is right now, they decide for themsleves how much access they get to the user's system, and you have to check out the source code for the widget if you want to see how much it uses.

I hope Apple will soon give the user more information control here before the Widgets run, such as popping up a message such as:

The Widget : "Dancing Widget" is requesting full access to your computer's ______. This may be a security risk. Allow/Deny/Delete.

In the meantime, users should be as cautious running new Widgets as they (hopefully) are running new applications.

Kennyh

11:14 pm on May 11, 2005 (gmt 0)

None of the Widgets I've downloaded automatically installed - they had to be manually put in /Library/Widgets. And as has been said above, removing them is just a matter of moving them to the Trash.

This seems to be yet another scare story based around misinformation together with speculation based on a theoretical hypothosis, which in this case is flawed.

Macs aren't immune to attacks, and we should all be vigilant, but scaremongering is nt helpful.

jamesa

7:45 am on May 12, 2005 (gmt 0)

No different than downloading and installing any software. Widgets are just applications.

The Safari behavior of auto-installing Widgets needs to change, however. That's just brain-dead.

Slone

6:26 pm on May 17, 2005 (gmt 0)

Apple released an update today for the Widget auto-installation (potential vulnerability) issue. They added Widgets to the items that Safari prompts for before a download is complete.

Thought to share...

chueewowee

11:18 pm on May 22, 2005 (gmt 0)

Daft! Is it the clock or the dictionary that worries you?

I don't see why a widget should have any security issue just because its called a widget. If I changed the name to safehouse, would that help? Or made it bigger like to spread over the wole desktop, more visible?

Its an application that searches the web, possibly more. So your own firewall's and keychains, permissions etc.. are the protection you have anyway for all applications when conneted to the web, including your browser.

Take them out of the widget folder and chuck them in the bin if you don't like them. You can't remove them from the dashboard, like it says.