
Tiger update to patch Dashboard vulnerability

post #1 of 47
Thread Starter 
A forthcoming update to Apple's Mac OS X 10.4 "Tiger" operating system will reportedly plug a hole in the company's new Dashboard application that allows potentially malicious widgets to auto-install on a user's system.

The fix is believed to be one of over three dozen expected in Apple's Mac OS X 10.4.1 Update. According to rumors, the update, code-named "Atlanta," could see a release as early as the end of the week.

After installing the update, sources say users of the Tiger operating system will be prompted before a widget is downloaded to their hard drive. Currently, Tiger possesses a vulnerability where potentially dangerous or annoying widgets can be downloaded onto a hard drive and installed without the user's knowledge or consent.

It has also been rumored that Mac OS X 10.4.1 will correct minor issues with at least four of the default widgets included with the retail version of Mac OS X 10.4 "Tiger."

Based on reports already present on several internet Web sites, it's believed that Apple on Wednesday evening provided thousands of its developers and corporate partners with a third pre-release build of the Mac OS X 10.4.1 Update.

Said to be build 8B15, this latest seed comes less than 2 days after the company was reported to have seeded build 8B13, a tell-tale sign that development is winding down. Like the previous build, online reports indicated that build 8B15 lists just a single known issue pertaining to synching of Tiger's Address Book over Apple's .Mac internet services.

Rumor has it that Mac OS X 10.4.1 will also include fixes to Tiger's iCal, Font Book, Mail, and Preview applications. Meanwhile, previously published tidbits suggest the update will also pack improvements to DHCP over wireless networks, file sharing over AFP and SMB/CIFS network file services, and disk image creation and burning via Disk Utility.

As previously noted, Mac OS X 10.4.1 is also rumored to include an update to Tiger's Core Graphics subsystem, which should provide updated graphics card drivers to Mac users with an ATI or Nvidia graphics card.
post #2 of 47
Which four would that be, mmmmm!

iTunes - barely works!
Translation - not real time
Phone Book - only in US
Weather - only in certain towns
(or FlightTracker?)

or am I missing something?
post #3 of 47
It is nice to see Apple dealing quickly with the dashboard issue.
post #4 of 47
Quote:
Originally posted by MacCrazy
Which four would that be, mmmmm!

iTunes - barely works!
Translation - not real time
Phone Book - only in US
Weather - only in certain towns
(or FlightTracker?)

or am I missing something?

Well, you're quite missing the fact that you need a weatherstation in a town before the town can provide the weather information!!

Actually, the only thing that I would like to work is my restart/log out/shut down abilities... somehow Tiger won't respond to my commands, and I have to touch the back of my iMac G5 continuously after installing some crappy application that needs a reboot..
Besides, there should be an option for turning off the annoying message in Safari that I'm 'downloading a program'. Hell, I know, otherwise I wouldn't have downloaded it!
post #5 of 47
Quote:
Originally posted by TednDi
It is nice to see Apple dealing quickly with the dashboard issue.

sort of - but IMHO, as an Apple n00b, I say too little too late - this is unacceptable QC, it should have never left the shop - have the Dashboard/Safari people ever heard of ActiveX and IE in the Windows world...it ain't pretty...and this bug is damn near the same thing!
You can't quantify how much I don't care -- Bob Kevoian of the Bob and Tom Show.
post #6 of 47
Quote:
Originally posted by MacCrazy

iTunes - barely works!

I have had no problems with iTunes in Tiger except for one crash...and 2.8 seems even faster in Tiger than 4.7... what troubles are you having with it?
You can't quantify how much I don't care -- Bob Kevoian of the Bob and Tom Show.
post #7 of 47
Quote:
Well, you're quite missing the fact that you need a weatherstation in a town before the town can provide the weather information!!

There's a lot of them about - and outside the US!

And if the Konfabulator weather widget can do it......
post #8 of 47
Quote:
Originally posted by spylaw4
There's a lot of them about - and outside the US!

And if the Konfabulator weather widget can do it......

The server they use covers my town - so that says it all.

The server they use is AccuWeather.com - so check to see if your town is covered.

iTunes - I have 9000 songs and hundreds of playlists and I don't think the widget can cope - it just doesn't respond for ages - basically it's unusable - I've had no problems with other iTunes widgets - album art - (the actual iTunes widget works on my sister's computer).
post #9 of 47
I have weather here in the UK using the regular widget from Apple.

j.
www.pixelrevolution.com/webcam/
2.66 MacPro, 15" MacbookPro
"I think I once saw Steve Jobs at Seaworld"
www.vrhull.co.uk/(click an ad and earn me some cash)
post #10 of 47
Quote:
Originally posted by johnrp
I have weather here in the UK using the regular widget from Apple.

j.

Yeah but Hull is supported - Canterbury is not on the Apple widget but is online.
post #11 of 47
Quote:
Originally posted by MacCrazy
Weather - only in certain towns

Weather works for me here in this little rinky-dink town of Graysville, Alabama. I just entered my zip code and it found it.

Now, the one that bothers me is the clock. I know that the city is representative of the time zone, but I do not particularly care to see "Chicago" at the bottom of my clock.
post #12 of 47
I just want Apple to fix iChat AV on Tiger so that it is actually usable.
post #13 of 47
Quote:
Originally posted by MacCrazy
Which four would that be, mmmmm!

iTunes - barely works!
Translation - not real time
Phone Book - only in US
Weather - only in certain towns
(or FlightTracker?)

or am I missing something?

Unit Converter runs at 100% CPU utilisation on many machines and uploads/downloads quite a lot. Many people wouldn't notice it though.

Weather would be nice - it does do Sydney here, but it shows that it's night during day, and day during night. And the temperature is up to 7'c off (13'f) so it'd be nice to connect to Australia's bureau of meteorology instead! That's not a bug though, that's a limitation of the websites the widgets are connecting to.
post #14 of 47
Quote:
Originally posted by GregAlexander
Unit Converter runs at 100% CPU utilisation on many machines and uploads/downloads quite a lot. Many people wouldn't notice it though.

Weather would be nice - it does do Sydney here, but it shows that it's night during day, and day during night. And the temperature is up to 7'c off (13'f) so it'd be nice to connect to Australia's bureau of meteorology instead! That's not a bug though, that's a limitation of the websites the widgets are connecting to.

My problem is that the website they get the info from supports the cities that weather won't connect to.
post #15 of 47
Quote:
Originally posted by GregAlexander
Unit Converter runs at 100% CPU utilisation on many machines and uploads/downloads quite a lot. Many people wouldn't notice it though.

Weather would be nice - it does do Sydney here, but it shows that it's night during day, and day during night. And the temperature is up to 7'c off (13'f) so it'd be nice to connect to Australia's bureau of meteorology instead! That's not a bug though, that's a limitation of the websites the widgets are connecting to.

I think you have the wrong Sydney chosen.

Flip the widget, enter Sydney, press Return.

Three Sydneys turn up - choose the Australian one
JLL

95% percent of the boat is owned by Microsoft, but the 5% Apple controls happens to be the rudder!
post #16 of 47
Quote:
Originally posted by MacCrazy
Translation - not real time

You do realise how difficult real time translation is to do accurately given many languages actually give implicit meanings by endings or word order used later in a sentence?

Quote:
Originally posted by GregAlexander
Weather would be nice - it does do Sydney here, but it shows that it's night during day, and day during night. And the temperature is up to 7'c off (13'f) so it'd be nice to connect to Australia's bureau of meteorology instead! That's not a bug though, that's a limitation of the websites the widgets are connecting to.

Really I don't know why the site, accuweather.com, doesn't take the weather for Australia from the BoM.
"When I was a kid, my favourite relative was Uncle Caveman. After school, we'd all go play in his cave, and every once and awhile, he'd eat one of us. It wasn't until later that I discovered Uncle...
post #17 of 47
Quote:
Originally posted by JLL
I think you have the wrong Sydney chosen.

Flip the widget, enter Sydney, press Return.

Three Sydneys turn up - choose the Australian one

Nice... got Sydney working right now. The first time I entered it was a morning (US afternoon) so the sun was right and temperature was similar... so I didn't even consider it. Thank you very much.

I guess my biggest wish would be for the Apple Australia website to offer localised versions of a few widgets.
post #18 of 47
Quote:
Originally posted by Telomar
You do realise how difficult real time translation is to do accurately given many languages actually give implicit meanings by endings or word order used later in a sentence?

Yeah but once I've finished typing I have to wait a long time. Not just a few seconds. This is very different from the Jobs keynote.
post #19 of 47
That's because it's connecting to the internet to do the translation. You must have a slow connection.
post #20 of 47
Quote:
Originally posted by Thinine
That's because it's connecting to the internet to do the translation. You must have a slow connection.

What dict. servers do they use? dictionary.com?
(And if so, can I assign a different one?)
" I will not commit anything to memory that I can get from another source . . . "
ALBERT EINSTEIN
post #21 of 47
Quote:
Originally posted by Thinine
That's because it's connecting to the internet to do the translation. You must have a slow connection.

I have a 1mbps connection - I don't think it's that which is slowing me down. I think it delays getting a response.
post #22 of 47
This is my first post although I've started to frequent the forums for a while now. My iTunes widget barely works as well and upon opening the dashboard I get a weather widget crash window but it still runs.

I haven't had most of the problems everyone else has had with the new OS. One or two things have been buggy like my version of Illustrator 10 upon closing but that's about it other than the weather widget.

That being said I downloaded the new iTunes 4.8 and long story short between that, Tiger, and the fact I use it on my work computer still running Jaguar...it crashed. I lost everything on the drive but it was all backed up.

It took about 2 mins to copy over one song and then just locked everything up. The only thing I could do was pull it out of the dock and shut down my iMac with the button in the back. I even restored the Pod twice and in the process it locked up as well. I've contacted MacInTouch to find out if anyone else was experiencing this but so far no response.

I'll move the topic out of the thread if anyone has any information on this because as of now the only thing we could do was restore it on my fiance's Mac still running Panther and have her upload songs to it. A few years ago there were some firmware issues on Jaguar so I think that might have been the case but iTunes and Tiger didn't help.
Anthony Schiavino

Designer
Blinding Force Productions
post #23 of 47
Quote:
Now, the one that bothers me is the clock. I know that the city is representative of the time zone, but I do not particularly care to see "Chicago" at the bottom of my clock.

You can edit the cities that are displayed by the worldclock. The file in the widget package is worldclock.js.
post #24 of 47
Quote:
Originally posted by rtamesis
I just want Apple to fix iChat AV on Tiger so that it is actually usable.

So how is it broken?

I have personally thought it to be the most stable, well-behaved IM app I have used.

Voice chat works well too.
post #25 of 47
My own issue with Dashboard is that sometimes it seems to use CPU when it's not in use. Not all the time, but enough that I've noticed that there is an errant process. I'm pretty new to MacOS so I don't know what some of the processes do save for some of the process it has in common with other UNIX systems.

I have since turned Dashboard off as much as I could. There doesn't seem to be a way to kill Dashboard short of never allowing it to turn on, and the only way to prevent it from accidentally turning on is to remove dock icon and disable the hot key.

The fact that Activity Monitor claims these dashboard clients claim to take 200MB of virtual memory each is disturbing too, I'd like to know why a widget is doing that.

To me, the Dashboard / Safari vulnerability seems to be an egg in Apple's face because no downloaded program should be allowed to automatically execute. Whether they can cause damage, and how much damage isn't the issue. The fact that Apple didn't ship with an easy means to manage installed widgets seems to show that first, they didn't think it through very well, and second, they should have allowed a wider beta testing for comments. IMO, concern over leaks be damned, it needed some public comment.

That said, Tiger does seem pretty nice, although the value of many of the improvements are at least somewhat overstated.
post #26 of 47
Quote:
Originally posted by schmidm77
You can edit the cities that are displayed by the worldclock. The file in the widget package is worldclock.js.

I looked for worldclock.js on my system, but Spotlight did not find it anywhere.
post #27 of 47
Quote:
Originally posted by kwsanders
I looked for worldclock.js on my system, but Spotlight did not find it anywhere.

I don't think it is safe for Spotlight to help users find system files. Spotlight was only meant for user documents.

It is in the system hard drive at: /Library/Widgets
post #28 of 47
Quote:
Originally posted by JeffDM

To me, the Dashboard / Safari vulnerability seems to be an egg in Apple's face because no downloaded program should be allowed to automatically execute.

Do they automatically execute though?

My understanding is that they 'auto-install', but you have to manually execute them.
post #29 of 47
Quote:
Originally posted by Rayz66
Do they automatically execute though?

My understanding is that they 'auto-install', but you have to manually execute them.

But if Safari auto-downloads a widget called Stickies - first you wouldn't notice - then it would go to your widget folder making it more difficult to realise it has downloaded. Because it has the same name as an Apple widget it takes precedence over the Apple widget. Launching the Stickies which you think is safe would result in the new widget being opened inadvertently so you would have launched a potentially harmful application. I hope this is succinct enough!
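An added example, not part of the thread or any poster's code: a defensive audit for the name-shadowing problem described in the post above, listing user-installed widgets that present the same name as a system widget. `/Library/Widgets` comes from the thread; the per-user folder `~/Library/Widgets`, the `Info.plist` key names and all sample bundles are assumptions or constructed here.

```python
import plistlib
import tempfile
from pathlib import Path

# Info.plist keys a Dashboard widget uses to request access beyond its bundle
# (key names are an assumption of this example, not taken from the thread).
ACCESS_KEYS = ("AllowFullAccess", "AllowSystem", "AllowNetworkAccess",
               "AllowFileAccessOutsideOfWidget")
NAME_KEYS = ("CFBundleName", "CFBundleDisplayName", "CFBundleIdentifier")


def widget_identity(bundle):
    """Return the names a .wdgt bundle presents and the access it requests."""
    info = {}
    plist = bundle / "Info.plist"
    if plist.is_file():
        try:
            with plist.open("rb") as fh:
                info = plistlib.load(fh)
        except Exception:
            info = {}  # unreadable plist: fall back to the folder name only
    names = {bundle.stem.lower()}
    for key in NAME_KEYS:
        value = info.get(key)
        if isinstance(value, str) and value:
            names.add(value.lower())
    access = [k for k in ACCESS_KEYS if info.get(k) is True]
    return {"path": bundle, "names": names, "access": access}


def find_shadowing(system_dir, user_dir):
    """List user-installed widgets that reuse any name of a system widget."""
    system = [widget_identity(p) for p in sorted(system_dir.glob("*.wdgt"))]
    findings = []
    for bundle in sorted(user_dir.glob("*.wdgt")):
        user = widget_identity(bundle)
        for sysw in system:
            shared = user["names"] & sysw["names"]
            if shared:
                findings.append({"user_widget": bundle.name,
                                 "shadows": sysw["path"].name,
                                 "shared_names": sorted(shared),
                                 "access": user["access"]})
    return findings


def make_widget(parent, folder, **info):
    """Create a constructed sample bundle containing only an Info.plist."""
    bundle = parent / folder
    bundle.mkdir(parents=True)
    with (bundle / "Info.plist").open("wb") as fh:
        plistlib.dump(info, fh)


def demo():
    """Audit constructed 'system' and 'user' widget folders in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        system, user = Path(tmp, "system"), Path(tmp, "user")
        make_widget(system, "Stickies.wdgt", CFBundleName="Stickies")
        make_widget(system, "Weather.wdgt", CFBundleName="Weather")
        # Same folder name as a system widget, and it asks for system access.
        make_widget(user, "Stickies.wdgt", CFBundleName="Stickies",
                    AllowSystem=True)
        # Different folder name, but presents itself as "Stickies".
        make_widget(user, "Sticky Notes.wdgt", CFBundleDisplayName="Stickies")
        make_widget(user, "Tide Times.wdgt", CFBundleName="Tide Times")
        return find_shadowing(system, user)


if __name__ == "__main__":
    # Real use: find_shadowing(Path("/Library/Widgets"),
    #                          Path.home() / "Library" / "Widgets")
    for finding in demo():
        print(finding)
```

A hit is not proof of a malicious widget; it marks a bundle whose origin should be checked before it is opened.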
post #30 of 47
I've never once had a problem with the widgets. I know exactly what I'm downloading every time and I know that it goes on my desktop. It doesn't install unless I want it to and I made it a point to find out where they go. I think Apple is partially to blame but I also think the uninformed user is as well.

Do download a widget from a third party site. It's exactly like not opening an attachment in a spam mail. You just DON'T DO IT.

Any widget I download is on the Apple site. Even then it's not perfectly safe but I've read people going nuts and downloading every widget they can find. The question is...WHY? I download what I use. I understand the issue and the fact Apple really is at fault here but I can't understand why people can't take two seconds and think about what they download and or where it goes.

If you just look around you'll find what you're looking for far easier than on a windows machine (I'm a windows user of some 8+ years since Win3.1 I believe it was called), and not with Spotlight it's even less of an excuse. I'm sorry Apple is wrong but so is the random user who just clicks buttons like a zombie.
Anthony Schiavino

Designer
Blinding Force Productions
post #31 of 47
Quote:
Originally posted by BlindingForce
I've never once had a problem with the widgets. I know exactly what I'm downloading every time and I know that it goes on my desktop. It doesn't install unless I want it to and I made it a point to find out where they go. I think Apple is partially to blame but I also think the uninformed user is as well.

Do download a widget from a third party site. It's exactly like not opening an attachment in a spam mail. You just DON'T DO IT.

Any widget I download is on the Apple site. Even then it's not perfectly safe but I've read people going nuts and downloading every widget they can find. The question is...WHY? I download what I use. I understand the issue and the fact Apple really is at fault here but I can't understand why people can't take two seconds and think about what they download and or where it goes.

If you just look around you'll find what you're looking for far easier than on a windows machine (I'm a windows user of some 8+ years since Win3.1 I believe it was called), and not with Spotlight it's even less of an excuse. I'm sorry Apple is wrong but so is the random user who just clicks buttons like a zombie.

BUT these can auto-download without you selecting a link or anything - the user may not notice this or will be too late as these are small files. These then go to the widgets folder. It is auto downloading widgets that I have the problem with.
post #32 of 47
But can't this be fixed by turning off the open safe files after download within the Safari prefs? I'm not one to visit backwater sites so while I understand the problem and agree Apple is at fault I can't see this happening to most people, and even less had they not actually said anything. I mean yeah I'm all for keeping the public in the know but now you have a bunch of people who are going to do it for the sake of pretty much ruining things for everyone else because they needed to get their jollies. This really is a big issue but what I'm asking is if there are certain steps that can be taken even now prior to the OS update?
Anthony Schiavino

Designer
Blinding Force Productions
post #33 of 47
Quote:
Originally posted by JeffDM
It is in the system hard drive at: /Library/Widgets

Nope... I don't have it. This is a pre-installed copy of Tiger, by the way. I just got the Power Mac.

No biggie. I was not really interested in changing the city name. Your post was just a nice aside to the thread.
post #34 of 47
Quote:
Originally posted by BlindingForce
But can't this be fixed by turning off the open safe files after download within the Safari prefs?

Yes, but this shouldn't be necessary, and it isn't a good fix. For any program, the default should generally be the safest option. The user shouldn't have to deal with it. Any kind of file type with scripting or execution capabilities shouldn't be automatically opened. New software shouldn't be allowed to automatically download or automatically execute unless the user specifically requested it. I think that's three bad things going on, simultaneously.

I know that one shouldn't go to seedy sites, but what if an otherwise good site got hacked so it served this stuff up? Even server software with the latest patches may have vulnerabilities that haven't been addressed yet.
post #35 of 47
Like I said I agree that this is an Apple problem and should have been handled before launch but I know I go into every program's prefs that I use and look around. I understand most people don't but I've had the download options in Safari set since day one. It still doesn't excuse the user to play ignorance to anything because they don't know computers (I see this too much and too often) especially in the past year or so with what's been going on virus wise and etc. You don't have to be a computer geek and know every crevice but you, as in general not specific, should have some idea what's going on.

I'm glad in a way this has been made public (although in a lot of ways it shouldn't have been) because maybe people will wake up and actually think before they do anything.
Anthony Schiavino

Designer
Blinding Force Productions
post #36 of 47
Quote:
Originally posted by kwsanders
Nope... I don't have it. This is a pre-installed copy of Tiger, by the way. I just got the Power Mac.

No biggie. I was not really interested in changing the city name. Your post was just a nice aside to the thread.

Go to Macintosh HD>Library>Widgets>

then find the world clock - right click (control-click/contextual menu button) and select show package contents.
post #37 of 47
Quote:
Originally posted by AppleInsider
Meanwhile, previously published tidbits suggest the update will also pack improvements to DHCP over wireless networks, file sharing over AFP and SMB/CIFS network file services...

You know, it just wouldn't be a proper System Update without even more improvements to file sharing. File sharing has been improved so many times now, why, I'll bet that after this next update all I'll have to do is think about a file I want that's on another computer, Mac or PC, and it will just appear on my desktop!
We were once so close to heaven
Peter came out and gave us medals
Declaring us the nicest of the damned -- They Might Be Giants          See the stars at skyviewcafe.com
post #38 of 47
Which would solve the problem of people letting widgets download automatically! The new Spotlight Mindreader plugin because they forgot about the new Spotlight feature and it's too much to type in Widgets to find the folder!

GENIUS!
Anthony Schiavino

Designer
Blinding Force Productions
post #39 of 47
Quote:
Originally posted by JeffDM
My own issue with Dashboard is that sometimes it seems to use CPU when it's not in use. Not all the time, but enough that I've noticed that there is an errant process. I'm pretty new to MacOS so I don't know what some of the processes do save for some of the process it has in common with other UNIX systems..

The problem here is not with Dashboard but with someone making a widget that did not know what they are doing. Apple even tells developers how to turn off the functions that are using system resources when a widget is idle and/or dashboard is hidden.

If you want to see poor programming just open up any one of the 3rd party widgets listed on Apple's site and look at the code. The Amazon search widget looks like it was written by someone who never once read the Apple documentation on how to do it properly.
post #40 of 47
Quote:
Originally posted by shetline
You know, it just wouldn't be a proper System Update without even more improvements to file sharing. File sharing has been improved so many times now, why, I'll bet that after this next update all I'll have to do is think about a file I want that's on another computer, Mac or PC, and it will just appear on my desktop!

I'd be content if they'd fix the HORRIBLE lag that comes after disconnecting a SMB share, about half of the time. I'm talking 100% unresponsive UI and choppy mouse pointer for about 30 seconds.

I'm still on Panther. This issue has survived through nine updates up to 10.3.9. Please someone tell me that they fixed this in Tiger