Apple issues press release on Dashboard Security issue !!!!!!


Ex_PC_Puke

Guest
Apple Executives Admit That Dashboard Widgets Can Do Harm To Computer Files In Their New Operating System - Tiger. (AP Wire Services - Cupertino, CA).

In a brief press release, senior Apple executives admitted that a highly touted feature in the newly released OS X - Tiger called the Dashboard could open the system to malicious software. Within 2 weeks of Tiger’s debut, an independent developer demonstrated how a Dashboard element called a Widget could insert itself in the Dashboard and not be removed, thus exposing a possible security hole into the system.

“Yes, we admit to being caught off guard on this particular aspect of the Dashboard environment,” noted Rob Schoeben, VP of Applications Product Marketing at Apple. He continued, “Our enthusiasm to deliver a new and useful tool to our users should have been tempered by a more realistic look at the issues of allowing third party applets to be easily loaded into our operating system. We firmly believe that Dashboard and widgets will be a key aspect of all future Apple operating systems, but that security elements to protect both the user and the system from malicious or poorly written widgets need to be in place.”

He went on to say that a Tiger task force has been created to immediately address and solve these issues with the Dashboard element of Tiger. An update is planned by end of May 2005.
 

Ex_PC_Puke

Guest
Ha - Ha - Ha

I couldn't resist --- this is how a computer co. should react when they mess up a product

But only in a fantasy world
 

rman


Retired Staff
Hopefully they resolve that problem within a week or so, instead of end of the month.
 

untoastytoast

Guest
I'm pretty sure the security flaw is true, but the press release part isn't.
 

Kokopelli

Guest
I do not think this is a real announcement. It was an attempt at humor and so should have been in Anything Goes. Regardless, it is not really a security flaw in Dashboard so much as an inequity in Safari.

1) Safari should not auto install Dashboard widgets. This is easily solved by unchecking "Open Safe Files after Downloading" (which I really would not recommend leaving checked anyways.)

2) Dashboard widgets should give the same warning as programs the first time they are run. I do not think they do, but since I do not use Dashboard and have never installed a widget I am not certain.

Given these two elements a Widget is no more dangerous than any other program on your system. Actually less considering the partial sandbox in which widgets run.
 

iWhat

Kokopelli said:
I do not think this is a real announcement. It was an attempt at humor and so should have been in Anything Goes. Regardless, it is not really a security flaw in Dashboard so much as an inequity in Safari.

2) Dashboard widgets should give the same warning as programs the first time they are run. I do not think they do, but since I do not use Dashboard and have never installed a widget I am not certain.

Yep, Dashboard does ask you if you would like to accept or decline the widget upon installing it for the first time.
 

Kokopelli

Guest
Well there you go. I could create an app that wipes out your home directory when you run it. I could even wipe the whole system if you type in the admin password. Does that constitute a security hole? You downloaded it, then you vouched that you wanted it to run. A poorly programmed widget could cause problems on your system or "spy" on you. So could any other app that runs all the time.

This security hole as it stands is way overrated. Perhaps someone will come up with something more malicious but as it stands there is no reasonable security issue that has not existed before. Just the perception of one. It could be used to make spyware, but this is why you do not install widgets indiscriminately and monitor which ones are running. Just like any other app.
 

Kokopelli

Guest
Ah... The substitution as described on that page is worse. Not epic in scale but it should not be allowed.

Again uncheck the automatically open safe files in Safari or use an alternative browser and this is less of an issue. IMHO it should not have been checked in the first place since I do not consider any file downloaded from the internet safe. The problem does need to be corrected within Dashboard, but it is an easily mitigated risk.
 

Ex_PC_Puke

Guest
Well ...... I remain in the camp that widgets and the dashboard are a great "concept" --- but not ready for prime time


Only a matter of time before someone creates a phishing widget .... where a security hole puts the "user" in the position of having to decide what this message on the screen means ??? and should I click Ok or Cancel ??

Would you let your mother or grandma use widgets ????? I wouldn't
 
Joined
Aug 25, 2004
Messages
760
Reaction score
22
Points
18
Location
New Zealand
Your Mac's Specs
13" MBA. 15" MBP. iPhone 4. 3G Pad 2.
PC Puke, there are Mothers & Grandmothers here as members.
We are NOT idiots.
 

KuruMonkey

Guest
The real "problem" isn't the current severity or not of this particular issue.

It's more the fact that it demonstrates that

A: dashboard was released FAR from finished (no user-friendly removal system at all?).

B: elements of what was not finished largely includes the "having thought about potential security problems" aspect.

It's more worrying in the potential for apple dev. going down the MS route of "release, let public fall into security hole in the wild, fix at leisure", which is, bluntly, what drives some of us switchers to SWITCH in the first place...

Oh, and my mother manages to use WinXP quite safely (virus scanner, firefox and a stern "phone me before opening attachments!" from me sorted that pretty well), frankly I'd rather she used dashboard than that, but there you go...
 
Joined
Jun 11, 2003
Messages
4,915
Reaction score
68
Points
48
Location
Mount Vernon, WA
Your Mac's Specs
MacBook Pro 2.6 GHz Core 2 Duo 4GB RAM OS 10.5.2
Torchy, I don't think he was calling grandmas or mothers idiots. I think he brings up a very good concern, which is not limited to mothers or grandmas. I know my grandmother is on an eMac and I have not updated her to Tiger yet due to the problems. And I know I would not want my grandmother using dashboard with those security problems, for her.. it wouldn't matter.. if I said go ahead and use them.. she probably wouldn't since it's outside the realm of her comfort level.. She does email and surfs the web.. that's pretty much it. That's not calling her an idiot, that's just saying that like her, a lot of grandmothers, mothers, fathers etc. just want to use a certain part of the computer and that's it and they don't care to learn about any of the other things you can do with a computer. That lack of knowledge and desire of knowledge in this example could do some damage if she surfs to a page and it automatically loads up a new widget that does damage. Definitely not an idiot, but definitely uninformed and this type of security hole should not be in existence, especially for casual users who trust in someone else to manage their computer for them.
 

iWhat

I don't think that I could face the embarrassment of removing the Goatse Man widget from a family member's computer. People, please hold off on installing Tiger for the faint of heart! :eek:
 
Joined
Aug 25, 2004
Messages
760
Reaction score
22
Points
18
Location
New Zealand
Your Mac's Specs
13" MBA. 15" MBP. iPhone 4. 3G Pad 2.
I hate generalisations.
Like most adults I am quite capable of looking after my own Mac & PC, installed Tiger & SP2 without any problems. Help files & written manuals are available for all.
Teenage Grandkids & Stepkids can make a mess of their own darn computers. Mine are both locked down.

The whole idea that I would have to ask permission to do anything with my computers just because I'm an older female is obnoxious.
It's worse than telling teenagers to hurry up & get a job while they still know everything. :)
 
Joined
Jun 11, 2003
Messages
4,915
Reaction score
68
Points
48
Location
Mount Vernon, WA
Your Mac's Specs
MacBook Pro 2.6 GHz Core 2 Duo 4GB RAM OS 10.5.2
Well, I hope I was clear in my post that it was not limited to grandmothers and mothers, that it was limited to those that do not know what they are doing on the computer and could care less about anything except net surfing and email. If I was not clear, then I apologize :)
 
Joined
Aug 25, 2004
Messages
760
Reaction score
22
Points
18
Location
New Zealand
Your Mac's Specs
13" MBA. 15" MBP. iPhone 4. 3G Pad 2.
No problem Murlyn, :)
 
