Quote:
Originally Posted by TETENAL
Widgets cannot "self spread" because Dashboard asks the user whether they are allowed to run when they are run the first time. They can only…
Listen, chris, there is absolutely no need of shouting. This was just lack of extensive testing on my side before composing my replies.
Of course I have set the "Open 'safe' files…
Quote:
Originally Posted by theolein
This is exactly the same way that Internet Explorer is abused to download viruses, spyware and other malicious stuff onto a user's Windows s…
Quote:
Originally Posted by Mithras
Dashboard only asks `are you sure?' for widgets that request system access -- the ones that could potentially delete your home folder. Ordina…
Quote:
Originally Posted by TETENAL
Well, eventually you have to allow the user to run applications. What more can you do than ask whether the user wants to allow this? It's not…
Reposted from ars:
I made a web page that silently downloads a slate full of widgets that looked just like the Apple widgets, and appeared to have the same names, but could have ha…
Quote:
Originally Posted by Millennium
Spread this far and wide, Chris. Tiger hasn't been out for long, so there's still a chance we can get Apple to remove the auto-install fea…
Quote:
Originally Posted by alphasubzero949
Go check the thread in the Dashboard section on Apple's support forums.
It'll be interesting to see if that thread is still the…
Quote:
Originally Posted by chris v
It'll be interesting to see if that thread is still there in a day or two. Odds are 50/50 Apple deletes it.
I know; but it's worth a sho…
Also, one should note that even a `sandboxed' auto-loaded widget can hijack and overwrite widget preferences. So you could lose your Sticky notes for example.
At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into permanent pr0n spazms. This would be wery bad for office workers, …
Quote:
Originally Posted by chris v
At the very least, like the guy says on the page I linked to, clicking one "evil" widget could send a browser into permanent pr0n spazms. This…
This is really a regrettable, inexcusable vulnerability. I know OS X is a complex project, but you would think someone in management or QA would take charge and put 2+2 together be…
Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/password combinations, and then occasiona…
I'm wondering why we all did not see this coming before. I don't mean to come off as an alarmist, but the type of scenario workerbee is describing is within the realm of possibilit…
At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the user running it or it can do destructive th…
Quote:
Originally Posted by workerbee
Just this morning I was thinking about this: would a widget that, for example, scans one's mails (using Spotlight... why not) for username/…
As an addendum to my previous post, I will go so far as to say Safari's definition of "safe" files should exclude widgets or any other executable code -- I have no problem with tha…
Quote:
Originally Posted by Jeff Mincey
At present I cannot side with those who see this as a security issue. Software executes code and it can do things for the benefit of the …
Quote:
Originally Posted by Jeff Mincey
At present I cannot side with those who see this as a security issue.
(snip)
But that's not what is happening here and thus I see peo…
User interaction to invoke the widget once installed is worth zero. 99% of Windows Outlook worms require the user to open the messages, which often have subjects like "I AM A V1RUS…
Just curious:
Widgets are, on their most basic level, CSS/XHTML/Javascript. As long as the dashboard app only runs widgets that have that criteria, it seems like it's not as big …