Dashboard widgets... a security threat??

  • Reply 41 of 69
    tedndi Posts: 1,921 member
    Quote:

    Originally posted by Xool

    What pleases me is the response of the Mac community. Everyone's a hubbub discussing this. I just checked and now it's on CNet. Point is, everyone is discussing this one issue. If this is all there is and this is how fast the market responds, solutions and awareness will be fast as well.

    I agree with Xool on this one. What will be really interesting is Apple's response to the hullaballoo over this. It will really give some good press if Apple "fixes" this problem in 10.4.1. It would show Apple's flexibility and adaptiveness to the threat.
  • Reply 42 of 69
    chris v Posts: 460 member
    Well, Apple is certainly aware of it-- they just locked the thread about it on the Apple support discussion page.
  • Reply 43 of 69
    maccrazy Posts: 2,658 member
    Quote:

    Originally posted by TednDi

    I agree with Xool on this one. What will be really interesting is Apple's response to the hullaballoo over this. It will really give some good press if Apple "fixes" this problem in 10.4.1. It would show Apple's flexibility and adaptiveness to the threat.

    although then they're admitting there is a problem.
  • Reply 44 of 69
    xool Posts: 2,460 member
    Apple could have added a bunch of Dashboard Security settings to System Preferences to enable restrictions on widget functionality, but this would have made it start to feel like Windows and your average user would just get annoyed/confused that they'd have such issues installing new widgets.

    Like the "Don't steal music" sticker on iPods, it's almost easier to have simple restrictions in place and educate the user. Why place baby locks on all your cabinets if you're old enough to know not to drink the Drano?

    I think the best thing Apple could do is improve the language used in the widget acceptance dialog box. Specifically, it could at least indicate what the widget wants to do. Forcing widgets to be signed in some manner by the originator at least lets you confirm that it is from who you think it's from.

    I think as long as Apple makes it clear that widgets are just mini-applications, users will hopefully grok that they can do damage as well as good.
  • Reply 45 of 69
    tedndi Posts: 1,921 member
    a simple way to remove a widget would be nice. Yes I know that removing the offending little bugger from ~library/widgets, etc. is the way to go.

    Why not just give the option in the widget bar which would be analogous to removing it from the dock by just dragging it off.
  • Reply 46 of 69
    johnq Posts: 2,763 member
    Quote:

    Originally posted by TednDi

    Why not just give the option in the widget bar which would be analogous to removing it from the dock by just dragging it off.

    You know, people keep saying this but dragging an app off the Dock only poofs the alias and leaves the original in /Applications (or wherever).

    But I know what you mean.

    Green = Good/adequate, Red = Bad/not ideal, Blue = indifferent

    As imperfect as the Dock might be (it has its faults), Dashboard also has some room for improvement.

    It really undermines usability, say, when in one context (the Dock) dragging off removes an item and in another context, that same dragging off launches an instance of an application. Upon coming across new situations, what is the user to do? If Apple isn't consistent themselves, will any developer be?

    ETC.
  • Reply 47 of 69
    rok Posts: 3,519 member
    something dawned on me the other day, when reading how apple says that you cannot delete or reorder widgets in dashboard. yet you can delete them by rooting into your library/widgets folder, and you can reorder them by changing their names by adding leading spaces and bullets to the names...

    sound familiar? i'll give you a hint... we had to do the same technique for managing another system-wide mini-app launcher throughout the days of classic. here's another hint... it was just a global menu. still can't guess? well, it had an apple logo at the top.
  • Reply 48 of 69
    rok Posts: 3,519 member
    Quote:

    Originally posted by johnq

    You know, people keep saying this but dragging an app off the Dock only poofs the alias and leaves the original in /Applications (or wherever).

    But I know what you mean.

    Green = Good/adequate, Red = Bad/not ideal, Blue = indifferent

    i see someone owns omnioutliner.
  • Reply 49 of 69
    maccrazy Posts: 2,658 member
    Quote:

    Originally posted by rok

    something dawned on me the other day, when reading how apple says that you cannot delete or reorder widgets in dashboard. yet you can delete them by rooting into your library/widgets folder, and you can reorder them by changing their names by adding leading spaces and bullets to the names...

    sound familiar? i'll give you a hint... we had to do the same technique for managing another system-wide mini-app launcher throughout the days of classic. here's another hint... it was just a global menu. still can't guess? well, it had an apple logo at the top.

    I remember doing that - I did that in the Launcher as well - remember that! The control strip was interesting too.
  • Reply 50 of 69
    tedndi Posts: 1,921 member
    so dashboard = system 7 ?

    wow talk about recycling.

    I even remember the puzzle app.
  • Reply 51 of 69
    maccrazy Posts: 2,658 member
    Quote:

    Originally posted by TednDi

    so dashboard = system 7 ?

    wow talk about recycling.

    I even remember the puzzle app.

    Which one? Remember that Map tool with longitude and latitude. Anyway I turned off safe-downloading and downloading widgets is so much more of a hassle than before - I think Apple's solution may be dangerous but is so much simpler and convenient. Apple need to put in security so that I can be lazy and keep safe. For example not allow Widgets to delete things etc.
  • Reply 52 of 69
    rok Posts: 3,519 member
    and by the way, the real reason this is potentially serious is that the guy who wrote zaptastic also showed how, using safari's default settings, you could install a widget on a person's computer without their knowledge -- JUST LOADING THE PAGE installed the widget, no notification. now the one thing i am not clear on is how a widget actually RUNS without a user dragging it from the dashboard dock, which kinda sounds like a layer of protection, but imagine if a website used an infinite loop of redirects or pop-behinds, and each redirect/pop-behind plopped a 2k widget on your computer until it just filled up your computer. basically, i can see how this could be exploited in all sorts of ways when you start thinking about it.
  • Reply 53 of 69
    johnq Posts: 2,763 member
    You can leave "Open Safe Files" on if you just lock your ~/Library/Widgets folder.

    Safari will just download the widget to the Safari downloads folder and not run it.

    But all other "safe" downloads will open like normal.
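
An added example, not part of any post in this thread: a Python check for the two ideas raised above, johnq's locked ~/Library/Widgets folder and Xool's wish to see what a widget wants to do. It reports whether a Widgets folder has the Finder lock flag set and which access keys each widget's Info.plist declares; the `Allow…` key names are Dashboard's Info.plist access keys (they do not appear in the thread), and the sample widgets are constructed.

```python
import os
import plistlib
import stat
import tempfile
from pathlib import Path

# Info.plist keys a Dashboard widget sets to request access beyond its own bundle.
ACCESS_KEYS = (
    "AllowFullAccess", "AllowSystem", "AllowFileAccessOutsideOfWidget",
    "AllowNetworkAccess", "AllowInternetPlugins", "AllowJava",
)

def folder_is_locked(folder: Path) -> bool:
    """True if the Finder 'Locked' flag (UF_IMMUTABLE) is set; False where st_flags is unavailable."""
    flags = getattr(os.stat(folder), "st_flags", 0)
    return bool(flags & stat.UF_IMMUTABLE)

def audit_widgets(folder: Path) -> dict:
    """Map each .wdgt bundle name to the access keys its Info.plist sets to true."""
    report = {}
    for bundle in sorted(folder.glob("*.wdgt")):
        try:
            with (bundle / "Info.plist").open("rb") as fh:
                info = plistlib.load(fh)
            report[bundle.name] = [k for k in ACCESS_KEYS if info.get(k) is True]
        except Exception:  # missing, malformed or non-dictionary plist: flag for manual review
            report[bundle.name] = ["<unreadable Info.plist>"]
    return report

def build_sample(root: Path) -> Path:
    """Constructed sample: made-up widgets in a stand-in for ~/Library/Widgets."""
    widgets = root / "Widgets"
    samples = {
        "Clock.wdgt": {"CFBundleName": "Clock"},
        "Helper.wdgt": {"CFBundleName": "Helper", "AllowSystem": True, "AllowNetworkAccess": True},
    }
    for name, info in samples.items():
        (widgets / name).mkdir(parents=True)
        with (widgets / name / "Info.plist").open("wb") as fh:
            plistlib.dump(info, fh)
    (widgets / "Broken.wdgt").mkdir()
    (widgets / "Broken.wdgt" / "Info.plist").write_bytes(b"not a plist")
    return widgets

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        folder = build_sample(Path(tmp))
        print("locked:", folder_is_locked(folder), audit_widgets(folder))
```

To audit a real folder, call `audit_widgets(Path.home() / "Library" / "Widgets")` instead of the constructed sample.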
  • Reply 54 of 69
    maccrazy Posts: 2,658 member
    Quote:

    Originally posted by johnq

    You can leave "Open Safe Files" on if you just lock your ~/Library/Widgets folder.

    Safari will just download the widget to the Safari downloads folder and not run it.

    But all other "safe" downloads will open like normal.

    I like the widgets going in there though - I want the best of both worlds. I want Safari to ask me if I want to download something and then I can keep tabs on automatic downloads.
  • Reply 55 of 69
    tedndi Posts: 1,921 member
    locking the widgets folder does seem to be a good workaround.

    I also like to download everything to the desktop then put it away myself.
  • Reply 56 of 69
    johnq Posts: 2,763 member
    Quote:

    Originally posted by TednDi

    locking the widgets folder does seem to be a good workaround.

    I also like to download everything to the desktop then put it away myself.

    I just download to my Downloads folder.

    Not sure why Apple just doesn't make these folders standard:

    Nice and tidy.

    (I just use CanCombineIcons to make them)
  • Reply 57 of 69
    maccrazy Posts: 2,658 member
    Quote:

    Originally posted by johnq

    I just download to my Downloads folder.

    Not sure why Apple just doesn't make these folders standard:

    Nice and tidy.

    (I just use CanCombineIcons to make them)

    My dock is already full but I don't think Apple should add anything to the dock IMO - it should be empty when you start so that users don't just accept the icons that are there. My sister has never changed her dock - she just keeps it at the default. Anyway I wouldn't want a widgets folder in the dock. But it would work well for lots of people I'm sure.
  • Reply 58 of 69
    dave marsh Posts: 349 member
    Take a look at Widget Manager ( http://www.macupdate.com/info.php/id/17990 ) for deleting/deactivating widgets.
  • Reply 59 of 69
    johnq Posts: 2,763 member
    Quote:

    Originally posted by MacCrazy

    My dock is already full but I don't think Apple should add anything to the dock IMO - it should be empty when you start so that users don't just accept the icons that are there. My sister has never changed her dock - she just keeps it at the default. Anyway I wouldn't want a widgets folder in the dock. But it would work well for lots of people I'm sure.

    I didn't mean to imply Apple should add them to the Dock, just that they should increase the number of standard folders in ~/, especially a Downloads folder.

    Right now people just clutter the Desktop with downloads, needlessly.
  • Reply 60 of 69
    maccrazy Posts: 2,658 member
    Quote:

    Originally posted by johnq

    I didn't mean to imply Apple should add them to the Dock, just that they should increase the number of standard folders in ~/, especially a Downloads folder.

    Right now people just clutter the Desktop with downloads, needlessly.

    I think some sort of download manager is needed - maybe Safari should have a hidden downloads folder and then you install it and delete it - maybe not! I don't know - I clear my desktop every now and then but then some people have so many icons that they sit on top of each other.