Re: [OT] When will Apple learn?
- Subject: Re: [OT] When will Apple learn?
- From: Martin Orpen <email@hidden>
- Date: Tue, 10 May 2005 09:35:14 +0100
on 10/5/05 01:38, Sander Tekelenburg at email@hidden wrote:
> At 01:55 +0200 UTC, on 2005/05/10, Sander Tekelenburg wrote:
>
> [...]
>
>> Safari's current 'security' model allows for attacks like this:
>> <http://64.70.134.217/widgets/zaptastic/>, which shows that all you need to
>> do is clickelty-clik a link (like for instance right here in your email
>> client), and you've got some widget installed on your system without even
>> knowing it. As soon as you innocently hit F12, it will execute.
>
> That last bit is not correct, obviously. The widget is installed, but not yet
> actively on the Dashboard. To execute it, the user will still need to drag it
> there (from whatever that cheese grater at the Dashboard's bottom is called).
>
> But given that the user will be completely unaware of having installed a
> third-party widget, he has no reason to suspect malicious intent - he's quite
> likely to assume the widget came bundled with Tiger and is thus safe.
Yep, if it has a pretty icon then it will be clicked at some point :-(
Apparently widgets do have a *security model* which states that widgets need
approval from the user on first run if they want access to specific areas -
WebKit, network, shell etc. Not that that will present much of a problem to
a normal user who thinks nothing of entering a password on demand...
The zaptastic example does nothing but take you to their web site and
therefore needs no special security checks. But it's still really annoying,
as you can't just delete it to get rid of it; you need to kill the Dashboard
process or log out to stop it from rendering Dashboard unusable (every time
you start Dashboard it will launch their web page and immediately hide the
Dashboard).
The zaptastic article states that widgets are "just like web pages", but
this isn't true at all. An authorised widget can call "system" methods -
including any shell tool that it wants to run.
They look like an "access all areas pass" to a spyware writer if you ask me.
How is a regular user going to be able to differentiate between a good and a
bad widget if they aren't even aware that they are being installed?
--
Martin Orpen
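The capability keys Martin describes, as an added example that is not part of the original e-mail and is not Apple's code: a small Node.js script that reads a widget bundle's Info.plist and reports which Allow* keys it requests, so the difference between a widget that really is "just like a web page" and one that may call widget.system() and run shell tools is visible before anyone drags it onto the Dashboard. The key names (AllowSystem, AllowFullAccess, AllowFileAccessOutsideOfWidget, AllowNetworkAccess, AllowInternetPlugins, AllowJava) are the ones Dashboard reads from Info.plist; the two sample plists, the identifier com.example.prettyicon and the "looks bundled by Apple" heuristic are constructed for this example.

```javascript
// Added example, not code from the original e-mail or from Apple.
// Audit a Dashboard widget's Info.plist for the capability keys that let it
// do more than a web page. The key names are Dashboard's own (Mac OS X 10.4);
// the sample plists at the bottom are constructed for this example.

const CAPABILITY_KEYS = {
  AllowSystem:
    "can call widget.system() and run any shell tool as the logged-in user",
  AllowFullAccess: "gets every capability in this table with one key",
  AllowFileAccessOutsideOfWidget: "can read and write files outside its bundle",
  AllowNetworkAccess: "can open connections beyond the local machine",
  AllowInternetPlugins: "can load Internet plug-ins such as Flash or QuickTime",
  AllowJava: "can run Java applets",
};

// Keys that amount to arbitrary code execution as the user.
const SHELL_KEYS = new Set(["AllowSystem", "AllowFullAccess"]);

// Minimal plist reader: enough for the flat <key>/<true/> pairs an Info.plist
// uses for these flags. Not a general plist parser.
function readPlistBooleans(xml) {
  const out = {};
  const re = /<key>([^<]+)<\/key>\s*<(true|false)\s*\/>/g;
  let m;
  while ((m = re.exec(xml)) !== null) out[m[1].trim()] = m[2] === "true";
  return out;
}

function readPlistString(xml, key) {
  const re = new RegExp(`<key>${key}</key>\\s*<string>([^<]*)</string>`);
  const m = re.exec(xml);
  return m ? m[1].trim() : null;
}

function auditWidget(xml) {
  const flags = readPlistBooleans(xml);
  const requested = Object.keys(CAPABILITY_KEYS).filter((k) => flags[k] === true);
  const identifier = readPlistString(xml, "CFBundleIdentifier") || "(none)";
  return {
    identifier,
    requested,
    // With none of the keys set, the widget is confined like a web page.
    looksLikeWebPage: requested.length === 0,
    canRunShell: requested.some((k) => SHELL_KEYS.has(k)),
    // Heuristic (an assumption of this example, not a Dashboard rule): Apple's
    // bundled widgets use com.apple.widget.* identifiers, so anything else is
    // third party no matter how pretty the icon is.
    looksBundledByApple: identifier.startsWith("com.apple.widget."),
    notes: requested.map((k) => `${k}: ${CAPABILITY_KEYS[k]}`),
  };
}

// Constructed sample: a third-party widget that asks for shell and network.
const SHELL_WIDGET_PLIST = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.prettyicon</string>
  <key>MainHTML</key>
  <string>main.html</string>
  <key>AllowSystem</key>
  <true/>
  <key>AllowNetworkAccess</key>
  <true/>
  <key>AllowJava</key>
  <false/>
</dict>
</plist>`;

// Constructed sample: a widget that requests nothing beyond its own bundle.
const WEB_ONLY_WIDGET_PLIST = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.clock</string>
  <key>MainHTML</key>
  <string>clock.html</string>
</dict>
</plist>`;

function formatReport(xml) {
  const a = auditWidget(xml);
  const head = `${a.identifier}${a.looksBundledByApple ? "" : " (third party)"}: ` +
    (a.looksLikeWebPage ? "web-page confinement only" : a.requested.join(", "));
  return [head, ...a.notes.map((n) => "  " + n)].join("\n");
}

for (const xml of [SHELL_WIDGET_PLIST, WEB_ONLY_WIDGET_PLIST]) {
  console.log(formatReport(xml));
}
```

Run it with `node` against the Info.plist inside a `.wdgt` bundle (e.g. `~/Library/Widgets/Foo.wdgt/Info.plist`) by reading the file into `auditWidget`; a widget with `AllowSystem` or `AllowFullAccess` is the "access all areas pass" case, and the first-run approval dialog Martin mentions is the only thing between that key and a shell command.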
Applescript-users mailing list (email@hidden)