Comments on: Mac malware door creaks open
Apple seems to have unwittingly opened a door in its Tiger OS--seen by some as a safer haven from viruses--to malware authors.
Most Popular
Latest tech news headlines
- Facebook, Twitter: How we chose to live in public
January 1, 2010 12:16 PM PST
- Ex-Googler Lee sees Apple tablet debut in January
January 1, 2010 9:20 AM PST
- U.S. trade agency eyes Samsung-Sharp spat
January 1, 2010 7:31 AM PST
- See all headlines
RSS Feeds
Add headlines from CNET News to your homepage or feedreader.
More feeds available in our RSS feed index.
- Markets
Related quotes
damage, and they can't run unless you drop them into your
dashboard. The funny thing is that once that widget is there,
according to Apple, you CANNOT remove it."
Widgets cannot be removed directly from the toolbar, but they
can however be deleted from the Library folder.
"The average user, who can't find their Library folder with two
mice and a spotlight, is stuck. It would take all of 30 seconds for
me to pick out a nice porn image, make it the icon of a widget,
drop it in your dashboard and you're stuck with it. It doesn't
even need any Javascript," Stephan added.
Stephan has also created the zaptastic_evil widget, which
redirects the user's browser to a Web site every time the widget
Dashboard is launched-?and drops the user out of Dashboard,
preventing the widget from being closed."
---- OK ... nice, but there IS a "spotlight", so users CAN easily
find them. In order for them to run, they have to be in the
library folder where Dashboard can find them. Again, no prob.
Hmmm have to try and get "infected", but I bet a simple app in
automater, can easily clean them out.
Oh yeah, if anyone has a problem, give me a call and I will post a
simple automater script. Peace Out.
nuff said.
preferences.
This is not a big deal.
inspected by Apple of course. That's the end of it right there.
damage, and they can't run unless you drop them into your
dashboard. The funny thing is that once that widget is there,
according to Apple, you CANNOT remove it."
Widgets cannot be removed directly from the toolbar, but they
can however be deleted from the Library folder.
"The average user, who can't find their Library folder with two
mice and a spotlight, is stuck. It would take all of 30 seconds for
me to pick out a nice porn image, make it the icon of a widget,
drop it in your dashboard and you're stuck with it. It doesn't
even need any Javascript," Stephan added.
Stephan has also created the zaptastic_evil widget, which
redirects the user's browser to a Web site every time the widget
Dashboard is launched-?and drops the user out of Dashboard,
preventing the widget from being closed."
---- OK ... nice, but there IS a "spotlight", so users CAN easily
find them. In order for them to run, they have to be in the
library folder where Dashboard can find them. Again, no prob.
Hmmm have to try and get "infected", but I bet a simple app in
automater, can easily clean them out.
Oh yeah, if anyone has a problem, give me a call and I will post a
simple automater script. Peace Out.
nuff said.
preferences.
This is not a big deal.
inspected by Apple of course. That's the end of it right there.
damage... they can execute shell scripts & unix commands, as well
as applescript... meaning they can delete your hard drive, etc.
Bad news.
damage... they can execute shell scripts & unix commands, as well
as applescript... meaning they can delete your hard drive, etc.
Bad news.
find it in Dashboard and open it yourself.
Widgets run in a sandbox. If it has any sophistication, it has an
application in it, and the system ASKS you if you want to run it. If
it does anything with the system, the system REQUIRES an
administrator password. Any bad widget has to be social
engineering based - the user needs to be tricked into running it.
Widgets can be easily closed, you don't need Activity Viewer or
any such thing. Click the big "X" in the corner of the screen and
all widgets get close buttons. Or, simply hold down Option and
mouse over a widget, and a close button will appear - no matter
if it was programmed to show one or not.
No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. The system does all it can -
makes you open it, asks if you really wanted to run an app,
requires admin authorization to do system stuff, even lets you
turn off automatically making the widget available at all.
This is another tempest in a teapot.
are tricked into authorizing something bad to happen. You can't
blame the system software authors. "
Seems everyone blames MS when that happens.
find it in Dashboard and open it yourself.
Widgets run in a sandbox. If it has any sophistication, it has an
application in it, and the system ASKS you if you want to run it. If
it does anything with the system, the system REQUIRES an
administrator password. Any bad widget has to be social
engineering based - the user needs to be tricked into running it.
Widgets can be easily closed, you don't need Activity Viewer or
any such thing. Click the big "X" in the corner of the screen and
all widgets get close buttons. Or, simply hold down Option and
mouse over a widget, and a close button will appear - no matter
if it was programmed to show one or not.
No system can protect a user from a Trojan Horse where they
are tricked into authorizing something bad to happen. You can't
blame the system software authors. The system does all it can -
makes you open it, asks if you really wanted to run an app,
requires admin authorization to do system stuff, even lets you
turn off automatically making the widget available at all.
This is another tempest in a teapot.
are tricked into authorizing something bad to happen. You can't
blame the system software authors. "
Seems everyone blames MS when that happens.
find feature of Tiger), that is another matter. Using Spotlight, a user
can find their widgets. In the Search box, if you type in "widget"
you'll quickly find the pesky widget to delete.
find feature of Tiger), that is another matter. Using Spotlight, a user
can find their widgets. In the Search box, if you type in "widget"
you'll quickly find the pesky widget to delete.
preference panes and allows you to turn off widgets you don't want
to have loaded or remove them (moves the widget to the trash).
Pretty handy.
preference panes and allows you to turn off widgets you don't want
to have loaded or remove them (moves the widget to the trash).
Pretty handy.
That is all it takes. Do that to the widget directory and there is no way to get mal-widge installed without admin ok.
Next chicken little story!
The VAST MAJORITY of Apple users have no idea what chmod even is, let alone how to use it.
If this same situation were to arise on Windows, everyone would be all over MS for this "security hole", yet when it happens to beloved Apple it's a "chicken little" story.
Hypocrites.
That is all it takes. Do that to the widget directory and there is no way to get mal-widge installed without admin ok.
Next chicken little story!
The VAST MAJORITY of Apple users have no idea what chmod even is, let alone how to use it.
If this same situation were to arise on Windows, everyone would be all over MS for this "security hole", yet when it happens to beloved Apple it's a "chicken little" story.
Hypocrites.
stuff. I haven't gotten around to writing my own yet but I do
understand the architecture and I HIGHLY doubt his assertion.
Widgets are basically web pages. I believe the perferred
language is javascript. The underlying architecture is Apple's
webcore.
So, unless you can craft a web page that can run arbitrary code
on your Mac, you shouldn't be able to create a widget that runs
arbitrary code on your mac. The dashboard vulnerability
REQUIRES another vulnerability to take advantage of. This is, as
yet, a 'sky is falling' story.
with the widget. architecture Apple built for them. In addition,
widgets can also make use of Cocoa for even more extensive
functionality. While this makes them as dangerous as applications,
it also makes them as powerful as applications. As I've commented
above, this has been blown completely out of proportion.
stuff. I haven't gotten around to writing my own yet but I do
understand the architecture and I HIGHLY doubt his assertion.
Widgets are basically web pages. I believe the perferred
language is javascript. The underlying architecture is Apple's
webcore.
So, unless you can craft a web page that can run arbitrary code
on your Mac, you shouldn't be able to create a widget that runs
arbitrary code on your mac. The dashboard vulnerability
REQUIRES another vulnerability to take advantage of. This is, as
yet, a 'sky is falling' story.
with the widget. architecture Apple built for them. In addition,
widgets can also make use of Cocoa for even more extensive
functionality. While this makes them as dangerous as applications,
it also makes them as powerful as applications. As I've commented
above, this has been blown completely out of proportion.
First of all, you HAVE to intentionally drag the darn things into
your Dashboard. Second, you have to authorize it. Third even
if you do ALL of that, then any devious actions are
compartmentalized. DOH ... windows can't even do that!
The part of the story that kind of REALLY pissed me off were the
blatantly false and misleading statements. Coloring a statement
by leaving out its original context is flat out lying. I don't play
that stupid child games. News stories are supposed to be about
facts, not twists on words. #1 -- You cannot remove a widget
from the Dashboard. Of course the next statement they tell you
where it is located. ??? *** ???
- NOT A BIG DEAL
- by Thomas, David May 10, 2005 7:37 AM PDT
- Look the article contradicts itself ... see my previous post.
- Like this Reply to this comment
-
-
- WHY?!
- by Thomas, David May 10, 2005 7:39 AM PDT
- Because the article is pure sensationalism
- Like this
-
Showing 1 of 2 pages (102 Comments)First of all, you HAVE to intentionally drag the darn things into
your Dashboard. Second, you have to authorize it. Third even
if you do ALL of that, then any devious actions are
compartmentalized. DOH ... windows can't even do that!
The part of the story that kind of REALLY pissed me off were the
blatantly false and misleading statements. Coloring a statement
by leaving out its original context is flat out lying. I don't play
that stupid child games. News stories are supposed to be about
facts, not twists on words. #1 -- You cannot remove a widget
from the Dashboard. Of course the next statement they tell you
where it is located. ??? *** ???