A developer has demonstrated a Dashboard exploit in Mac OS X 10.4 "Tiger" that a malicious Web site owner could use to install Widgets you might not want on your Mac. Writing under the name Stephan.com, the developer said that a combination of Apple's lack of documentation for removing Widgets, Safari's download handling, and a Widget feature makes it possible for a Web site to install a Widget that sends you to any Web site of its choosing, hijacking Dashboard for the operator's own purposes.
At issue is Safari's "Open safe files" option, which is turned on by default. With it enabled, Safari automatically opens downloaded files it considers safe: images, PDFs, movies, disk images, and similar. Unfortunately, that list also includes Dashboard Widget bundles, which are installed the moment they are opened.
Combined with a Web page's ability to start a download as soon as it loads (an HTML feature not limited to Safari), this let Stephan.com show how easily a Web site operator can install a Dashboard Widget without the user's consent.
The real problem, however, is what the Widget's author chooses to make it do. According to Stephan.com, a Widget can be made to send the user to a given Web page whenever the Widget is clicked, or even whenever the user simply switches to Dashboard.
"This could be taken further, of course," wrote Stephan.com, "using all the nasty tricks developed by the [porn] industry over the last few years - opening hundreds of different pages in a few seconds, or moving the close box around quickly. I haven't tried this, but it looks like you can trivially make a Dashboard widget continue to execute even when Dashboard isn't open."
What makes the issue particularly difficult to deal with, according to Stephan.com, is Apple's decision not to provide a documented way to remove Widgets once installed. In fact, Apple's Mac OS X Help files state specifically that "You cannot remove widgets from the Widget Bar or change their order."
The workaround is to manually remove the Widget from your ~/Library/Widgets folder and then log out and back in (or restart), but that is something many, if not most, users won't know how to do. For many people, once a malicious Widget is installed, it is going to stay installed.
He details further examples of potential problems on his Web site. Please note that visiting the demonstration page with Safari in Tiger with "Open safe files" turned on will install his demonstration Widget, called Zaptastic, into your Dashboard.
Warning: In his discussion of the issue, Stephan.com links to (but does not display) a porn image that many will find offensive and/or disturbing.
Update: A precaution for those worried about this is to turn off "Open safe files" in Safari's General preferences. This will not stop a site from auto-downloading a Widget to your system, but it will stop Safari from auto-installing it.
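The check a practitioner would want after reading the above, as an added example that is not code from the article or from Stephan.com: a shell script that lists the widget bundles in a Dashboard folder, flags the ones whose Info.plist carries the AllowSystem key (the setting that lets a widget call widget.system() and run shell commands, which is what turns an unwanted Widget from a nuisance into code execution), moves an unwanted bundle out of the folder the way the manual removal works, and turns off Safari's auto-open behaviour through its AutoOpenSafeDownloads preference. The two widget bundles it writes are constructed test data, and the helper names are this example's own; it goes slightly beyond the article by covering the all-users folder /Library/Widgets as well as the per-user one.

```shell
#!/bin/sh
# Added example, not code from the article or from Stephan.com. It inventories a
# Dashboard widget folder, flags bundles whose Info.plist lets them run shell
# commands, and moves an unwanted bundle out of the folder. Assumptions: widget
# bundles sit in ~/Library/Widgets (per user) or /Library/Widgets (all users),
# each with an XML Info.plist laid out the way plutil writes it (a <key> line
# followed by its value on the next line); the boolean key AllowSystem is what
# enables widget.system() and thus shell execution; Safari's auto-open setting is
# the AutoOpenSafeDownloads key in com.apple.Safari. The bundles written by
# make_sample_widgets are constructed test data, not real widgets.

# Line following "<key>NAME</key>" in an XML plist, leading whitespace stripped;
# prints nothing if the key is absent.
plist_value() {
    awk -v key="$2" '
        $0 ~ ("<key>" key "</key>") { want = 1; next }
        want { sub(/^[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# "true", "false" or "unset" for a boolean key.
plist_bool() {
    case "$(plist_value "$1" "$2")" in
        *'<true/>'*)  echo true ;;
        *'<false/>'*) echo false ;;
        *)            echo unset ;;
    esac
}

# Contents of a string key with the <string> tags removed.
plist_string() {
    plist_value "$1" "$2" | sed 's/.*<string>//; s/<\/string>.*//'
}

# One line per .wdgt bundle: "<bundle id> allow_system=<true|false|unset> <path>".
scan_widgets() {
    for w in "$1"/*.wdgt; do
        [ -f "$w/Info.plist" ] || continue
        id=$(plist_string "$w/Info.plist" CFBundleIdentifier)
        printf '%s allow_system=%s %s\n' "${id:-unknown}" \
            "$(plist_bool "$w/Info.plist" AllowSystem)" "$w"
    done
}

# Bundle ids of the widgets that may run shell commands.
shell_widgets() {
    scan_widgets "$1" | awk '$2 == "allow_system=true" { print $1 }'
}

# Move a bundle out of the widget folder into a holding folder (on a real Mac,
# ~/.Trash). Dashboard forgets it only after you log out or the Dock restarts.
remove_widget() {
    # $1 = widget folder, $2 = bundle name such as Suspicious.wdgt, $3 = holding folder
    [ -d "$1/$2" ] || return 1
    mkdir -p "$3" && mv "$1/$2" "$3/"
}

# The article's workaround: stop Safari auto-opening "safe" downloads.
# Does something only where defaults(1) exists, i.e. on a Mac.
disable_safari_auto_open() {
    command -v defaults >/dev/null 2>&1 || return 0
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Write a minimal Info.plist: $1 = path, $2 = bundle id, $3 = AllowSystem value or "".
write_sample_plist() {
    mkdir -p "$(dirname "$1")"
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<plist version="1.0">' '<dict>'
        printf '\t<key>CFBundleIdentifier</key>\n\t<string>%s</string>\n' "$2"
        if [ -n "$3" ]; then printf '\t<key>AllowSystem</key>\n\t<%s/>\n' "$3"; fi
        printf '%s\n' '</dict>' '</plist>'
    } > "$1"
}

# Throwaway folder holding one harmless and one shell-capable constructed bundle;
# prints its path.
make_sample_widgets() {
    root=$(mktemp -d)
    write_sample_plist "$root/Clock.wdgt/Info.plist" com.example.clock ""
    write_sample_plist "$root/Suspicious.wdgt/Info.plist" com.example.suspicious true
    echo "$root"
}

# Demo: scan the constructed folder, then the real per-user folder if present.
demo=$(make_sample_widgets)
scan_widgets "$demo"
if [ -d "$HOME/Library/Widgets" ]; then scan_widgets "$HOME/Library/Widgets"; fi
```

Run it as-is to see the two constructed bundles listed, with only the second flagged as able to run shell commands; on a Tiger machine point scan_widgets at ~/Library/Widgets and /Library/Widgets, and after remove_widget log out or force-quit the Dock so Dashboard actually drops the bundle. The plist parsing is deliberately line-based rather than a real XML parser, so it only handles plists written in the usual key-then-value layout.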
Small White Car | Posts: 1960 | Joined: 02 Jul 2004 | Mon May 09, 2005 11:12 am | Subject: (none)
So if I'm reading this right, as long as I only download Widgets from trusted sites (like Apple.com) then I should be ok?
I'm guessing the eventual fix to this will be to disable the automatic opening of the Widget. Well, and an easy way to remove it. You could still load a bad one on purpose if it's mislabeled.
But hey, this wouldn't ACTUALLY happen, right? I mean, everyone's been telling me for years that the only reason Macs don't have viruses is because the market share is so small. So that means no one would take the time to write bad Widgets either! Right?
We poke fun at the Windows users because of their lack of proper security and then Apple creates a "feature" that smacks of the same lax mentality towards security. I'm a devoted Mac user but we should give Apple some feedback on this one. (And I don't get a bunch of responses about how it doesn't really compromise your security, it's just a nuisance, blah blah blah... My point is that even a nuisance shouldn't be tolerated by users.)
kenaustus | Posts: 601 | Joined: 27 Jun 2003 | Mon May 09, 2005 11:21 am | Subject: Oooops
Stephan has done us a bit of a favor identifying a potential problem for users of Widgets and identified a need for users to find and download Widgets from safe sites, like Apple.com.
It also presents a good opportunity for others (like TMO) to review and list Widgets that are "safe" and, hopefully, generate a little bit of revenue from the service. Maybe TMO can provide a page called "The Widget Shop" where we know the code has been checked and cleared.
This brings into focus that Widgets are programs and, like any other program, can be either good or dangerous.
Just released this morning is Widget Manager 1.0.1, which "is a Preference Pane for OSX 10.4 that allows you to inspect, remove, and disable Dashboard Widgets. To remove a widget without it, you would have to browse your Library/Widgets folder, delete the .wdgt file, and either log out or force-quit the Dock... what a pain!
Widget Manager also shows you the version numbers of widgets installed on your system, so you know when it's time to look for updates. It can also disable Widgets you don't want cluttering up the Widget bar, but don't necessarily want to delete, either.
What's new in this version:
Widget Manager will now show Widgets in the system Widget library folder.
Widgets are now sent to the Trash, rather than deleted immediately.
Widgets which cannot be deleted will be shown as read-only.
Minor bugfixes and improvements."
I think this should handle removing and knowing what widgets are on your system. Once again, it comes down to people being aware of what they are doing. Common sense is all it takes.
If you read this carefully, it does not say you should only visit sites you know are safe to download widgets. It says that as soon as you enter the site it automatically downloads and installs the widget. It is not something you are able to choose to do or not to do. The quick and easy way to avoid this is to turn off the ability to "open 'safe' files after downloading" in the General tab of Safari's prefs. This is a smart thing to do anyway.
John F. Braun (TMO Staff) | Posts: 229 | Joined: 11 Jun 2001 | Mon May 09, 2005 11:49 am | Subject: Yay Paranoid Android
Glad I installed Paranoid Android during the last big Mac OS X malware scare. It detected the odd type of URL used to install the widget, and allowed me to block it. But, like the last malware scare, those with less than honorable intentions could install a nasty widget.
The possibilities of this extend far beyond "opening unwanted web sites". A widget can execute shell scripts. That means it can, quite trivially, erase your entire hard drive, or do pretty much anything. (Source: http://www.macosx.com/forums/showthread.php?t=52482 )
And the whole point here is that it doesn't require you to download the Widget yourself. So the whole "only download from trusted sources" thing (which is not an acceptable solution anyway) is irrelevant.
This is truly a Microsoftian security hole, and it should NEVER have made it through the front gate. Safari's "Open 'safe' files after downloading" feature has always been ill-conceived and dangerous. Personally, I think it just needs to go outright. Or at the very least, make it a little smarter!
I'm really disgusted at Apple. I'm sorry, but we Mac users have just officially lost the right to talk about security.
"I'm really disgusted at Apple. I'm sorry, but we Mac users have just officially lost the right to talk about security."
You want some cheese with that whine???
If you don't think Apple will have this fixed within a week, you're nuts. But given your logic so far, I wouldn't doubt you'll complain about that too.
This is, truly "Microsoftian" in lack of foresight. If Apple doesn't address this immediately, it's gonna get out into the press, and all those years of creating a locked-down, safe, virus-free OS will be down the toilet. Once OSX is just as bad as Windows in the average user's mind, a HUGE advantage Apple has will be erased.
Fix it now, Apple. This could blow up in your face.
Apple is copying Microsoft. Now anyone can automatically download something on my machine that I don't want.
Do the widgets install without asking for the admin password? I know it can be a pain having to type the password in, but its the safest way to know what goes on your machine.
Lost in all this is the fact that for the "exploit" to work, you first MUST go to a website run by such a nefarious hacker.
If you don't make a habit of clicking on porn spam, you really don't have one to worry about.
Not even a nuisance -- a non-issue. Should be fixed (and will, Apple is very good and quick at this), but hardly something for the average user to waste their time on.
"Apple is copying Microsoft. Now anyone can automatically download something on my machine that I don't want."
Actually there are two steps here. One is downloading things to your disk using your browser, and the other is to open such a downloaded file.
(1) Downloading things to your disk is something we all want and use. Usually this comes at the behest of clicking on a "download" link. What stephan.com did was to make this happen when the page is first loaded. We see that variation all over the web too. But we normally end up with a .pdf, .zip, .tar or some other file.
(2) Opening such a file can be a problem, and it really is for a .widget. Opening a .pdf is no big deal. Opening a compressed or archive file is not usually a big deal either. But safari's opening a .widget causes some interesting side effects. Instead of opening the widget like the Finder would, Safari seems to move it to the ~/Library/Widgets folder and leaves it there for Dashboard to discover it.
Mikuro wrote: The possibilities of this extend far beyond "opening unwanted web sites". A widget can execute shell scripts. That means it can, quite trivially, erase your entire hard drive, or do pretty much anything. (Source: http://www.macosx.com/forums/showthread.php?t=52482 )
It's bad, but not quite AS bad as you claimed. It could erase your entire home directory, but not the entire hard drive. It'd need root access to do the latter. Still, that would be one nasty widget.
But, don't forget that you need to do more than just visit the page: You have to drag it from the widget bar before it can do any damage. I'm not saying this isn't a potentially serious problem, but anybody could write a "normal" application that'll also erase your home directory, for any platform (Windows, Mac OS 9 and X, Linux, etc.).
Personally I don't think it's that big of a problem. The thing that puzzles me the most is that Reality Check hasn't chimed in yet... looks like he's starting to lose his edge.
Apple will probably fix the security hole; it isn't that big a deal anyway. All they need to do is patch Safari to prompt you whenever you download a widget file with one of those ominous security warnings, and MOST people will not accidentally install them. Of course there are much more thorough ways to patch the hole, but in order to keep the functionality of the auto-install feature intact, that would be the best bet. (The admin password is a good idea, but many people don't have the admin password of the computer they use; I'm sure that was Apple's reasoning in making the widget folder password-less.)
Guest | Mon May 09, 2005 2:11 pm | Subject: (none)
Quote
Guest wrote:
If you don't make a habit of clicking on porn spam, you really don't have one to worry about.
Actually that is not true, all you have to do is go to a site (just like this one) that has a bug in their comment/forum software that allows someone to put HTML into their message, and then it will automatically install and do whatever its designer wants it to do (as opposed to whatever the user wants).
Saying that you have to visit a porn site (or whatever) to get it so it doesn't matter pretty much means that windows users don't have to worry about any exploits either right? As long as they stay away from porn.
Sorry, but life just got a little bit harder for Mac users.
I personally approve of the suggested password request for the widget downloads, but besides this new issue I was expecting that Apple would have already addressed a few issues of compatibility/functionality I have experienced across several machines (iBook, PowerBook, iMac and G4 desktops). The major ones are:
1) Lost the ability to connect and print to several network deskjet and officejets etc.
2) Pages does not allow font changes (I was trying to use symbol instead of helvetica for some scientific notation)
3) the iMac (17" swivel flat screen) that was fine before installing Tiger now freezes after the screen saver is on for more than 1-2 hours (It does not wake up I should say)
4) I tried to update my email client (Eudora, from 6.0 to 6.2; it worked on the 15" PowerBook where I still have 10.3.9) but I could not, and had to do a 'new install' instead.
5) Norton antivirus 9.2 (corporate edition) and LiveUpdate are having problems and the Norton autoprotect module is not working at all.
I am sure the list of glitches will keep growing. I have been there and so have many of you and that is why I have installed only in machines that are not critical to my work. I expect both Apple and third party companies (HP, Symantec, qualcomm etc..) to fix most of these issues in the coming month or so. Or at least I hope so.
Small White Car | Posts: 1960 | Joined: 02 Jul 2004 | Mon May 09, 2005 4:15 pm | Subject: Re: Tiger Fixes
Quote
Anonymous wrote: I expect both Apple and third party companies (HP, Symantec, qualcomm etc..) to fix most of these issues in the coming month or so. Or at least I hope so.
It looks like many of your issues are on the list to be fixed in 10.4.1
Hard to say for sure, the descriptions are still kind of vague. But it looks like you'll be happy with it. They're saying you'll see it before the end of the month.
macdude | Posts: 10 | Joined: 27 Aug 2004 | Mon May 09, 2005 7:58 pm | Subject: Mac Freezes
I'm not sure that your mac freezing is a Tiger thing. My PowerBook has started freezing the exact same way since the last security update and I'm not running Tiger on it. Once it goes to sleep, with the lid open, for a long period of time it will not wake up. If I close the lid, it works fine. Go figure.
macdude wrote: I'm not sure that your mac freezing is a Tiger thing. My PowerBook has started freezing the exact same way since the last security update and I'm not running Tiger on it. Once it goes to sleep, with the lid open, for a long period of time it will not wake up. If I close the lid, it works fine. Go figure.
You may be right. Of 2 iMac (identical hardware specs) only one is displaying this behaviour and both got Tiger installed. It could be due to the software installed and/or the HD. The one that freezes has a lot of high end software that's not installed in the one that works fine. The one that works fine also has an upgraded HD (160 GB) since I lost the original one.
The people that are posting the "just download widgets from Apple" line don't get it ... in its default state, SAFARI will AUTO-DOWNLOAD AND AUTO-INSTALL WIDGETS ... sure, YOU have to RUN them, but a little social engineering is not difficult to work out for users who are not that computer savvy. Now add into the equation a widget that calls on something like Automator, which has already demonstrated the ability to override QuickTime 7's default non-Pro settings (refer: MacFixIt forums, "Getting a QuickTime movie to play full screen with Automator") ... the thing is, it appears that no one at Apple has really thought through the implications of these features and the links that may be made from one to another ... I expect better. The PORN industry must be laughing it up right now as they conceive of loading your machine with something that hijacks your browser every time you use it; heck, the widget could be one pixel by one pixel wide, how are you going to track that, not to mention that guy who wants to log every keystroke on your machine and send them to another site ... WAKE UP.
Guest | Wed May 11, 2005 2:07 am | Subject: (none)
Open Safe Files is a feature that Apple should have never included, but any security flaw in it means nothing as long as no one successfully exploits it.
At least Tiger users can easily fix it, and it'll also be easy for Apple to patch, which they'll probably want to do rather quickly.
Guest | Wed May 11, 2005 4:11 pm | Subject: (none)
I totally agree! I have been banned from Apple's discussion boards and all of my posts have been deleted. Furthermore, at least 6 other threads have been deleted. This is truly a sad day for us Mac users...
Quote
Mikuro wrote: The possibilities of this extend far beyond "opening unwanted web sites". A widget can execute shell scripts. That means it can, quite trivially, erase your entire hard drive, or do pretty much anything. (Source: http://www.macosx.com/forums/showthread.php?t=52482 )
And the whole point here is that it doesn't require you to download the Widget yourself. So the whole "only download from trusted sources" thing (which is not an acceptable solution anyway) is irrelevant.
This is truly a Microsoftian security hole, and it should NEVER have made it through the front gate. Safari's "Open 'safe' files after downloading" feature has always been ill-conceived and dangerous. Personally, I think it just needs to go outright. Or at the very least, make it a little smarter!
I'm really disgusted at Apple. I'm sorry, but we Mac users have just officially lost the right to talk about security.
Small White Car | Posts: 1960 | Joined: 02 Jul 2004 | Wed May 11, 2005 4:18 pm | Subject: Re: Man, just
Quote
Anonymous wrote: a week ago all the mac people on these forums were praising Tiger and how badass it is. All I can do now is laugh laugh laugh laugh laugh.
Wow, just think how hard you'll laugh when someone actually makes a widget that does all the stuff people are talking about here.
Be sure to tell us when you find one! I'm sure that will make you really happy.
Wasn't it less than a week ago all sorts of posters to this site were going on about how awesome widgets and the dashboard are?
"Wow, just think how hard you'll laugh when someone actually makes a widget that does all the stuff people are talking about here.
Be sure to tell us when you find one! I'm sure that will make you really happy."
Yes, because no one ever in their entire life will ever try to exploit a mac. It just won't happen. Wow what a computer loser. My mac is impenetrable, no one wants to do anything to it ever! It will make me happy when you go on thinking like you do and all of a sudden your computer is gone. Remember, Windows users were just like you mac users, unconcerned about security, thinking the OS was untouchable.
Less than a week is all it took, and after Mac users and Jobs were ranting and raving about how secure the Tiger OS is. Less than a week.
Anonymous wrote: It will make me happy when you go on thinking like you do and all of a sudden your computer is gone. Remember, Windows users were just like you mac users, unconcerned about security, thinking the OS was untouchable.
Right, but when a problem like this comes up Mac users talk about it to death, come up with temporary solutions, and Apple fixes them before they become actual problems.
You act like finding this problem is a bad thing. It's BECAUSE we find problems like these (and Apple fixes them swiftly) that we're safer. Compare that to MS which takes months to fix something, and even then it's usually not totally fixed. (See IE, for example.)
Why is it that Firefox was able to come in and make a much more secure browser than IE is? Maybe it's because MS users DON'T go onto message boards like these and talk about security problems. Instead, you come to Mac boards and tell us about our problems. Spend some time complaining to MS like we do to Apple and maybe your situation will get better.
You did tardo. I use linux. And why can Firefox make a more secure browser? BECAUSE IT'S BRAND FUCKING NEW. God you're stupid. Guess what, firefox has numerous exploits and has been patched numerous times. Such a smart one you are.