Apple To Patch Dashboard Vulnerability

bonch writes "Apple has quickly patched a previously reported security hole that allows websites to auto-install potentially malicious widgets without prompting the user. The fix is one of over three dozen miscellanous fixes to be included in OS X 10.4.1, code-named 'Atlanta', and may appear by the end of the week. Users will now be prompted before a widget downloads to their hard drive."

Re:They should post an advisory

[supabeast!]

Apple users aren't the kind of people who read security advisories. Most Apple users not only don't know what one is, they don't know where to go look for one. At best Apple could send email to registered users, but given how many hackers/phisers are sending out fake emails from ebay, paypal, banks, and Microsoft, there's no reason to expect anyone to trust emailed advisories.

The real problem here is not Apple's handling of the advisory. It's that Apple created a culture where users aren't supposed to worry about security, and then made an incredibly stupid design decision that has the potential to negatively affect users. It also makes one wonder who Apple's beta testers are - apparently there aren't any competent IT security firms doing testing, because if there were someone would have pointed it out a long time ago.