On 20/05/2005 at 16:29 -0500, Peter da Silva wrote:
>> * and of course security
>>
>> See, here: http://earthlingsoft.net/ssp/blog/2005/05/x4_dashboard
>
>There is a security problem, but it's not in Dashboard, it's in Safari.

Point, and Sven correctly identifies it, even if I didn't:

"With Safari automatically moving downloaded widgets into your Library folder, we start feeling uneasy about being faced with Windows like situations where evil code can find an easy way onto people's machines. It might still take a user action to activate a widget, but the barrier has just become lower. I wonder why Apple considered this a good strategy in a time where they start cashing in on the higher perceived security of their OS"

However, the Safari auto-download bug (which is, admittedly, fixed in 10.4.1) is compounded by the fact that user-domain widgets can impersonate, and will get run instead of, system-domain ones, whereas, say, ~/Applications/iTunes.app isn't going to fool anyone.

http://www1.cs.columbia.edu/~aaron/files/widgets/ documents this "bad design choice", for the interested.

-- 
:: paul
:: historic light cone
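Added example, not part of the original message and not Apple's code: a defender's check for the shadowing described above, listing widgets in the user domain that collide with a system-domain widget. It assumes the Tiger locations ~/Library/Widgets and /Library/Widgets, and treats a collision as the same bundle name or the same CFBundleIdentifier in Info.plist; the message does not say which of these Dashboard matches on.

```python
"""Added example: list user-domain Dashboard widgets that shadow system ones."""
import plistlib
import sys
from pathlib import Path

# Assumed locations (not given in the message): the Tiger widget directories.
USER_WIDGETS = Path.home() / "Library" / "Widgets"
SYSTEM_WIDGETS = Path("/Library/Widgets")


def widget_keys(widget_dir):
    """Map ("name", bundle name) and ("id", CFBundleIdentifier) to each *.wdgt bundle."""
    found = {}
    root = Path(widget_dir)
    if not root.is_dir():
        return found
    for bundle in sorted(root.glob("*.wdgt")):
        found[("name", bundle.name.lower())] = bundle
        try:
            with (bundle / "Info.plist").open("rb") as fh:
                ident = plistlib.load(fh).get("CFBundleIdentifier")
        except Exception:
            ident = None  # missing or malformed plist: compare by name only
        if isinstance(ident, str) and ident:
            found[("id", ident.lower())] = bundle
    return found


def find_shadowing_widgets(user_dir=USER_WIDGETS, system_dir=SYSTEM_WIDGETS):
    """Return sorted (user bundle, system bundle, matched-on) tuples for every collision."""
    system = widget_keys(system_dir)
    hits = set()
    for key, user_bundle in widget_keys(user_dir).items():
        if key in system:
            hits.add((str(user_bundle), str(system[key]), key[0]))
    return sorted(hits)


if __name__ == "__main__":
    collisions = find_shadowing_widgets()
    for user_bundle, system_bundle, matched_on in collisions:
        print(f"{user_bundle} shadows {system_bundle} (same {matched_on})")
    sys.exit(1 if collisions else 0)
```

Run as a script it exits non-zero when any collision is found, so it can gate a login hook or a fleet audit job.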
Generated at 10:00 on 23 May 2005 by mariachi 0.52