Why would they do that! It's just silly. There should be: 1) A scary warning. 2) You should physically have to move the widget to the widget library (or have a big scary screen say…

You guys didn't hear? They're moving to signed widgets, and you have to buy a Widget Developer's License from Apple get a widget signing key.

Quote: Originally Posted by TETENAL Disable "Open 'safe' files" in Safari and the widgets are not installed automatically. Before a widget is run the first time Dashboard asks. …

Quote: Originally Posted by Millennium You don't understand; the point is that this misfeature gives widgets a mean to self-spread. What could have been a simple Trojan can beco…

Quote: Originally Posted by TETENAL Widgets can not "self spread" because Dashbaord asks the user whether they are allowed to run when they are run the first time. They can only…

I've got the same experience as chris v; most widgets that I've downloaded haven't asked me anything. The exceptions have been when the app contained a binary code, shell script, o…

Quote: Originally Posted by TETENAL Widgets can not "self spread" because Dashbaord asks the user whether they are allowed to run when they are run the first time. They can only…

Quote: Originally Posted by TETENAL Widgets can not "self spread" because Dashbaord asks the user whether they are allowed to run when they are run the first time. They can only…

Listen, chris, there is absolutely no need of shouting. This was just lack of extensive testing on my side before composing my replies. Of course I have set the "Open 'safe' files…

Quote: Originally Posted by theolein This is exactly the same way that Internet Explorer is abused to download viruses, spyware and other malicious stuff onto a user's Windows s…

Quote: Originally Posted by Mithras Dashboard only asks `are you sure?' for widgets that request system access -- the ones that could potentially delete your home folder. Ordina…

Quote: Originally Posted by TETENAL Well, eventually you have to allow the user to run applications. What more can you do than ask whether the user wants to allow this? It's not…

Reposted from ars: I made a web page that silently downloads a slate full of widgets that looked just like the Apple widgets, and appeared to have the same names, but could have ha…

Evil tracker.

Quote: Originally Posted by Millennium Spread this far and wide, Chris. Tiger hasn't been out for long, so there's still a chance we can get Apple to remove the auto-install fea…

You can try my little page o' evil widgets if you like.

Quote: Originally Posted by alphasubzero949 Go check the thread in the Dashboard section on Apple's support forums. It'll be interesting to see if that thread is still the…

Quote: Originally Posted by chris v It'll be interesting to see if that thread is still there in a day or two. Odds are 50/50 Apple deletes it. I know; but it's worth a sho…

Also, one should note that even a `sandboxed' auto-loaded widget can hijack and overwrite widget preferences. So you could lose your Sticky notes for example.

At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into pemanent pr0n spazms. This would be wery bad for office workers, …

Quote: Originally Posted by chris v At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into pemanent pr0n spazms. This…

This is really a regrettable, inexcusable vulnerability. I know OS X is a complex project, but you would think someone in management or QA would take charge and put 2+2 together be…

Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/password combinations, and then occasiona…

I'm wondering why we all did not see this coming before. I don't mean to come off as an alarmist, but the type of scenario workerbee is describing is within the realm of possibilit…

At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the user running it or it can do destructive th…