Quote: Originally Posted by TETENAL Well, eventually you have to allow the user to run applications. What more can you do than ask whether the user wants to allow this? It's not…

Reposted from ars: I made a web page that silently downloads a slate full of widgets that looked just like the Apple widgets, and appeared to have the same names, but could have ha…

Evil tracker.

Quote: Originally Posted by Millennium Spread this far and wide, Chris. Tiger hasn't been out for long, so there's still a chance we can get Apple to remove the auto-install fea…

You can try my little page o' evil widgets if you like.

Quote: Originally Posted by alphasubzero949 Go check the thread in the Dashboard section on Apple's support forums. It'll be interesting to see if that thread is still the…

Quote: Originally Posted by chris v It'll be interesting to see if that thread is still there in a day or two. Odds are 50/50 Apple deletes it. I know; but it's worth a sho…

Also, one should note that even a `sandboxed' auto-loaded widget can hijack and overwrite widget preferences. So you could lose your Sticky notes for example.

At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into pemanent pr0n spazms. This would be wery bad for office workers, …

Quote: Originally Posted by chris v At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into pemanent pr0n spazms. This…

This is really a regrettable, inexcusable vulnerability. I know OS X is a complex project, but you would think someone in management or QA would take charge and put 2+2 together be…

Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/password combinations, and then occasiona…

I'm wondering why we all did not see this coming before. I don't mean to come off as an alarmist, but the type of scenario workerbee is describing is within the realm of possibilit…

At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the user running it or it can do destructive th…

Quote: Originally Posted by workerbee Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/…

As an addendum to my previous post, I will go so far as to say Safari's definition of "safe" files should exclude widgets or any other executable code -- I have no problem with tha…

Quote: Originally Posted by Jeff Mincey At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the …

Quote: Originally Posted by Jeff Mincey At present I cannot side with those who see this as a security issue. (snip) But that's not what is happening here and thus I see peo…

User interaction to invoke the widget once installed is worth zero. 99% of Windows Outlook worms require the user to open the messages, which often have subjects like "I AM A V1RUS…

Just curious: Widgets are, on their most basic level, CSS/XHTML/Javascript. As long as the dashboard app only runs widgets that have that criteria, it seems like it's not as big …

Quote: Originally Posted by wtmcgee To me, it doesn't seem like it's as big a deal as some are making it out to be. Yes it is, however, from what I have read, fixing it see…

Quote: Originally Posted by wtmcgee Just curious: Widgets are, on their most basic level, CSS/XHTML/Javascript. As long as the dashboard app only runs widgets that have that c…

Thanks for the info... I was curious as to what else they could do other than being a 'mere' web page.

Here's what else they could do, and it's far worse than either openURL or openApplication: Quote: Originally Posted by Apple Developer Documentation system Executes a command-…

Quote: Originally Posted by CharlesS This is almost the exact same thing as on Windows IE when you browse to a site and it decides it will install some custom toolbar or other s…