Re: Weather Dashboard Widget


From: Paul Mison
Subject: Re: Weather Dashboard Widget
Date: 22:52 on 20 May 2005

On 20/05/2005 at 16:29 -0500, Peter da Silva wrote:
>>  * and of course security
>>
>>  See, here: http://earthlingsoft.net/ssp/blog/2005/05/x4_dashboard
>
>There is a security problem, but it's not in Dashboard, it's in Safari.

Point, and Sven correctly identifies it, even if I didn't:

"With Safari automatically moving downloaded widgets into your 
Library folder, we start feeling uneasy about being faced with 
Windows like situations where evil code can find an easy way onto 
people's machines. It might still take a user action to activate a 
widget, but the barrier has just become lower. I wonder why Apple 
considered this a good strategy in a time where they start cashing in 
on the higher perceived security of their OS"

However, the Safari auto-download bug (which is, admittedly, fixed in 
10.4.1) is compounded by the fact that user-domain widgets can 
impersonate, and will get run instead of, system-domain ones, 
whereas, say, ~/Applications/iTunes.app isn't going to fool anyone.

http://www1.cs.columbia.edu/~aaron/files/widgets/ documents this "bad 
design choice", for the interested.

-- 
:: paul
:: historic light cone
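
A defender's check for the shadowing described above, as an added example that is not part of the original message: it lists widgets in a user-domain folder that share an identity with one in the system-domain folder. The match criteria (same `CFBundleIdentifier` in `Info.plist`, or same bundle name) and the folder paths are assumptions, and the sample bundles are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

def widget_keys(widget_dir):
    """Map ("id", CFBundleIdentifier) and ("name", bundle name) to each .wdgt bundle."""
    keys = {}
    for bundle in sorted(Path(widget_dir).glob("*.wdgt")):
        keys[("name", bundle.name.lower())] = bundle
        try:
            with open(bundle / "Info.plist", "rb") as fh:
                ident = plistlib.load(fh).get("CFBundleIdentifier")
        except Exception:
            ident = None  # missing or unreadable plist: fall back to the name only
        if ident:
            keys[("id", ident)] = bundle
    return keys

def find_shadowing(user_dir, system_dir):
    """Return (kind, value, user_bundle, system_bundle) for every shared identity."""
    user, system = widget_keys(user_dir), widget_keys(system_dir)
    return sorted((kind, value, str(user[(kind, value)]), str(system[(kind, value)]))
                  for kind, value in user.keys() & system.keys())

def _make(root, name, ident):
    # Build a constructed widget bundle containing only an Info.plist.
    bundle = Path(root) / name
    bundle.mkdir(parents=True)
    with open(bundle / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident}, fh)

def demo():
    """Run the check over constructed sample folders (identifiers are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        sysd, usrd = Path(tmp, "system"), Path(tmp, "user")
        _make(sysd, "Weather.wdgt", "com.example.widget.weather")
        _make(sysd, "Clock.wdgt", "com.example.widget.clock")
        _make(usrd, "Forecast.wdgt", "com.example.widget.weather")  # same id, new name
        _make(usrd, "Notes.wdgt", "org.example.notes")
        return [(k, v, Path(u).name, Path(s).name)
                for k, v, u, s in find_shadowing(usrd, sysd)]

if __name__ == "__main__":
    # Assumed locations of the user-domain and system-domain widget folders.
    for hit in find_shadowing(Path.home() / "Library/Widgets", "/Library/Widgets"):
        print("user widget shadows system widget:", hit)
```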

Generated at 10:00 on 23 May 2005 by mariachi 0.52