Monday, May 09, 2005

Mac OSX Tiger's Dashboard Compromised

Via Slashdot, this post discusses a slightly dangerous and quite annoying vulnerability for Tiger's new Dashboard feature, the Konfabulator-copying new OSX eye candy that I've discussed here. Snippet from Slashdot:

If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of...

The Web site discussed is Zaptastic. DO NOT go to that link if you're using Safari on a Mac with Tiger installed, unless you want to delete the downloaded widget yourself. It's not necessarily an "evil" widget; the author's main purpose is to demonstrate the vulnerability.

Hope Apple fixes this soon. The whole idea that you aren't supposed to be able to delete widgets once you download them is ridiculous. You can navigate down to the Widgets folder in your Home > Library and remove them there, but it does require a restart or two to truly clean them up. And Apple's help documentation says "You cannot remove widgets from the Widget Bar or change their order."

Boo, Apple. This is awful. I hope they fix this (as well as several other things) in 10.4.1. How did this get through testing?


Gump said... has a good story today on the issue: "Dashboard Leaves Macs Vulnerable." Snippet: A security hole in Dashboard could expose users of Apple Computer's new Tiger operating system to attack, and may put personal information like passwords and credit card data at risk.