Uh-oh...malicious self-installing widgets? Not too far fetched...

Go to Safari preferences and uncheck the "Open 'safe' files after downloading". Do this now!

It is easy to write really obnoxious widgets if you want to, and if you haven't unchecked the box referred to above, I can include them in a web page and automatically install them in your Dashboard.

For instance, you can run shell commands from a JavaScript inside a widget.

I made an experiment, and created a widget that runs the shell command "rm -rf ~/*", which is a bad idea. I created a test account, installed the widget and saw everything in the home folder disappear. I hate when that happens...
 
Well, I find it ironic that even though this may be able to install a widget forcefully, it can't seem to start it forcefully. You still have to trick the user into dragging it out onto the dashboard before it gets any CPU cycles.

Although yeah, keeping the 'open safe files' item unchecked is a good idea in general, since this manages to bypass the 'this has an application, are you sure you want to download it?' sheet.
 
You can attach a Folder Action to the Widgets folder that would notify you of any new files being put in there. Alternatively you can set the Widget folder's permissions to read only, or with owner system or admin, which would produce an error or force the use of a password to put anything in it.
You can also tweak the rm command to always request interactive confirmation.
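Along the lines of the folder-monitoring idea above, here is an added audit script (not from this thread) that lists widget bundles in a given folder which grant shell access in their Info.plist, and bundles that are absent from a previously recorded inventory. The folder path (e.g. ~/Library/Widgets), the inventory file, and the Info.plist being in XML form are assumptions.

```shell
#!/bin/sh
# Audit Dashboard widget bundles: flag any whose Info.plist grants shell access
# (AllowSystem = true, which is what lets widget JavaScript run shell commands)
# and any bundle not present in a previously recorded inventory.
# Assumed: widgets live in the folder passed as $1, inventory is a text file.

# Return 0 if the given widget bundle's Info.plist sets AllowSystem to true.
widget_allows_system() {
    plist="$1/Info.plist"
    [ -f "$plist" ] || return 1
    # XML plists only; on macOS a binary plist can first be converted with
    # `plutil -convert xml1` (not done here so the script stays portable).
    grep -A1 '<key>AllowSystem</key>' "$plist" 2>/dev/null | grep -q '<true/>'
}

# Print, one per line, every *.wdgt in $1 that is allowed to run shell commands.
list_system_widgets() {
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        widget_allows_system "$w" && printf '%s\n' "$(basename "$w")"
    done
    return 0
}

# Print every *.wdgt name in $1 that is not listed in the inventory file $2
# (one bundle name per line, as recorded when the folder was last reviewed).
list_new_widgets() {
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        name=$(basename "$w")
        grep -qxF "$name" "$2" 2>/dev/null || printf '%s\n' "$name"
    done
    return 0
}
```

Run it from a Folder Action or a periodic job and treat any output as something to look at; refresh the inventory file only after reviewing the folder by hand.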
 
It's already being discussed on all Apple forums, including the Dashboard forum at Apple support.
 