Slashdot Mirror


Malicious Web Pages Can Install Dashboard Widgets

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.

8 of 610 comments

  1. Re:Serves you right by Janitha · Score: 5, Insightful

    There is no such thing as a secure OS; all operating systems have flaws.

  2. Re:widgets limited by ender81b · Score: 5, Insightful

    True, true. But hasn't Apple learned anything from MS? Automatically running/installing *anything* from the internet is a bad, bad idea. And a widget could, in theory, do things like make widget pop-up ads, a revolving goatse/tubgirl widget, etc.

    Basically, bad Apple, bad. Fix.

  3. Re:The solution by ender81b · Score: 5, Insightful

    The solution to spyware on Windows is to turn off ActiveX in Internet Explorer and set it to run as guest...

    It's just common sense.

    Seriously though, this is a very bad idea and Apple needs to fix this ASAP.

  4. Re:Not much of a problem... by Anonymous Coward · Score: 5, Insightful

    No, it should be pretty easy to tell what is a "safe" file. PDF, for example, is a safe file, as is HTML, as is a GIF. A dashboard widget is NOT.

    Apple really screwed up by allowing Dashboard widgets to be listed as a "safe" file, and they need to patch this as soon as possible. This is one of the big problems with IE: they went from "auto-open anything, even unsafe stuff" to "warn you about viruses when you try to download ANYTHING, including a PDF". Clearly identifying what is safe is as important as identifying what is unsafe; otherwise people just double-click everything they download, not realizing it's a .app.

  5. Re:Not much of a problem... by Mike McTernan · Score: 5, Insightful

    Which you should leave unchecked if you're not entirely stupid

    I always thought that one of Apple's selling points was that they are made for non-experts. So giving users an option to potentially shoot their foot off seems to be a little unfortunate. Almost by definition, few people are experts.

    --
    -- Mike

  6. Re:Ouch! by LO0G · Score: 5, Insightful

    So does IE. ActiveX controls have ALWAYS prompted.

    And with XP SP2 (released in AUGUST) unsigned binaries simply can't be installed, and the default is "NO" for signed binaries...

    Somebody thought they had a cool feature and didn't think about the consequences.

  7. Re:Ouch! by soulhuntre · Score: 5, Insightful

    Um, never? Because it actually prompts you and asks you if you're sure you want to run it?

    So the fact that IE does the same thing for, say, ActiveX and has similar options for control is consistently ignored on /. in the name of the great Jihad, but an exactly similar (or worse) Apple problem gets apologists running.

    So amusing.

    --
    --> Fight tyranny and repression.... read /. at -1!

  8. Oh but it has, and you've proved part of my point by EtherAlchemist · Score: 5, Insightful

    Good thing it hasn't happened then.

    Sure it has. Still does, past and present examples.

    Joke or not, your comment is indicative of the denial most Mac users seem to live in: "If it's not Windows, it's secure" and "If I don't hear about it, I must be OK". But the fact is that Mac OS X uses BSD, BSD has holes == Mac OS X has holes. Mac OS X is written by people who want users to have the easiest possible experience using their Mac. As a result, some of the things in place to make usability easier open up holes. This is the same for any OS. Any time you cater to the user first and security second (or later), you will always ALWAYS provide someone else a way in.

    I have no problem with using one OS or another; I use whatever the hell I need to get the job done. To me it's a tool, not a lifestyle. As such, I make sure my tools are safe and pay attention when someone says my OS has a hole or exploit or vulnerability, rather than just refusing to believe it's true.

    --
    R(k)