Slashdot Mirror


Malicious Web Pages Can Install Dashboard Widgets

bonch writes "If you're running Safari on OS X Tiger and go to this website, a 'slightly evil' Dashboard widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer. The widget is called Zaptastic and is a demonstration by the author of how easy it is to exploit Dashboard for nefarious purposes. The essay, released under the Creative Commons License, goes on to describe the many ways users can be taken advantage of--imagine porn sites auto-installing adware widgets without your knowledge." So if you're on a Mac, it would be smart to view that page with something other than Safari.

3 of 610 comments

  1. Ouch! by Godboy_g · Score: 1, Redundant

    That seems like quite a security flaw... Any timeline on it being patched?

    --
    I LIKE TOAST!!!
  2. Re:Thank God for Firefox and Windows by TomHandy · Score: 1, Redundant
    Yeah, it's definitely good nefarious websites can't do anything to you if you're using Firefox...... Oh... wait...

    -Tom

  3. Re:Firefox asks what to do by BasilBrush · Score: 1, Redundant
    installed != executed.

    Also from TFA:

    "That's not such a big deal; by default, widgets can't do much damage, and they can't run unless you drop them into your dashboard."

    Nothing will be executed unless the user explicitly runs it by dragging the widget from the widget bar to the dashboard.