Hey! That first link automatically downloaded a widget to my Mac!
posted by ArsncHeart at 9:32 AM on May 8, 2005

I'm not running on a Mac so I was safe, but you should NEVER post a link that will autoinstall on someone's computer.

always give warning.
posted by sourwookie at 9:35 AM on May 8, 2005

It's strange, every widget I've downloaded before now gave a warning before it installed that you are installing an application. This autoinstall one did not.

You can find the installed file in your Home folder, Libraries, Widgets and delete it. It's called zaptastic.wdgt.
posted by teg at 9:47 AM on May 8, 2005

autoinstall is evil, but thankfully, Firefox doesn't do it. I got the popup box asking where i wanted it, and could cancel.
posted by amberglow at 9:49 AM on May 8, 2005

Thanks for your contribution Sourwookie. Would you like a free cup holder?
posted by armoured-ant at 9:49 AM on May 8, 2005

Konfabulator for Windows seems to be rocking muchly. I am pleased you shared that.

Now I think I'll run the Desktop X OSX theme with Winplosion and the "Macification" of my PC will be complete.

I'll just ignore all the ductape underneath the surface.
posted by sourwookie at 9:57 AM on May 8, 2005

I promised "a blueprint for a widget of mass destruction," so let's take this a bit further. Dashboard widgets are constrained to run in a very safe Javascript sandbox by default. However, a widget creator can make plugins for a widget that (I think) can do anything an app can do, not to mention being able to run any command line process

*Yawn*
posted by AlexReynolds at 9:58 AM on May 8, 2005

A page at Apple's Developer Connection seems to imply that a widget can't ask for any resources (or do anything to the filesystem) outside of its bundle.

That doesn't do a lot to make me feel any better, just because Windows people have been smiling, nodding, and giving permission to malware to run rampant through their machines for a decade now, but it makes me feel better than if there was no speedbump at all.

On Preview:
"a widget creator can make plugins for a widget that (I think) can do anything an app can do, not to mention being able to run any command line process"

That page I linked to implies that the same speedbump applies. You can't bootstrap something like "do shell script rm -rf ~/" via a plugin without the same warning/request for access.
posted by mph at 10:02 AM on May 8, 2005

What sourwookie said.

I'm totally pissed off that I've inadvertantly downloaded and installed some shit I don't want.
posted by marvin at 10:13 AM on May 8, 2005

While I agree that the "widget of mass destruction" is annoying (only if you use Safari), the post implies the widget is destructive or that clicking on the link will destroy your Mac, which is not the case.

Can we save the Mac bashing for Slashdot? Or at least, if you're going to bash the platform, do some homework first?
posted by AlexReynolds at 10:15 AM on May 8, 2005

Dag...I guess it's only a matter of time before Mac users have a little purple gorilla sitting on their desktops.
posted by deusdiabolus at 10:16 AM on May 8, 2005

I'd go one further and not include any links that install anything directly in an FPP but put it inside the thread instead, lavelled clearly; just in case people skimming and clicking from the front page click it any way. I'd have said this in the related MeTa thread, but it's closed already.
posted by nthdegx at 10:16 AM on May 8, 2005

i think the point of the zaptastic article is to educate mac users as to the posibilities that now lurk in Tiger and Dashboard (actions speak louder than words), and to further inform them about how to remove a widget (directions being contained in the article)... sorry for any discomfort i may have caused; when i found the article (i use firefox) the download happened to me too, and i considered it a good lesson.
posted by indices at 10:26 AM on May 8, 2005

If I'm not mistaken, you could do this kind of thing with Applescript or, I suppose, the new Automator feature. Just claim that your script would do one thing and have it actually do another, like move an application folder to the trash then empty the trash.
posted by boymilo at 10:32 AM on May 8, 2005

oh, and firefox stopped it for me, too.
posted by boymilo at 10:33 AM on May 8, 2005

I learned about this exploit over on the The Unofficial Apple Weblog. The advice at TUAW was before following the link was to disable Safari's "Open 'safe' files after downloading".

This is actually good advice all the way around for my Mac brothers and sisters.
posted by birdherder at 10:49 AM on May 8, 2005

I don't think this is a huge issue. Like it's been said, Firefox will stop it and you can easily delete these from ~/Library/Widgets.

If someone comes up with a Widget that can use the sudo piggyback exploit and run rm -rf /, then we'll have a problem.

Autoinstall aside, careful use of your computer will result in no spyware or viruses on Windows or on Mac. RPC exploits aside, I never had a virus installed on my Windows PC that I didn't intentionally install.
posted by johnjreiser at 11:25 AM on May 8, 2005

I already have "Open Safe Files after Downloading" turned off, birdherder, and I still ended up with a .zip file on my desktop. But I don't have Tiger yet, so with that off would the file have just downloaded automatically, but not installed?

This is an annoying oversight. Perhaps there are major security impediments built into the Dashboard infrastructure, I don't know anything about it, but you'd think Apple would be a little more wary. Didn't they notice the trouble that ActiveX causes?
posted by teece at 11:40 AM on May 8, 2005

Being a zombie requires no root resources...

The more popular you become, the larger your attack surface.
posted by PissOnYourParade at 11:51 AM on May 8, 2005

Can we save the Mac bashing for Slashdot?

Have you read Slashdot? That's not the operating system they spend time bashing. It's against the genentic makeup of a /. reader to criticize a version of BSD.
posted by eyeballkid at 12:22 PM on May 8, 2005

It's against the genentic makeup of a /. reader to criticize a version of BSD.

Other then the part where BSD is dying?
posted by catachresoid at 12:48 PM on May 8, 2005

eyeballkid says::
Have you read Slashdot? That's not the operating system they spend time bashing. It's against the genentic makeup of a /. reader to criticize a version of BSD.

I have read Slashdot lately (of course, you weren't asking me, but what do I care?). Granted, I read at +5 only, and even then rarely, but there is plenty of Mac bashing going on. Indeed, there is a very large contigent of Windows geeks that like /. but feel defensive about the anti-Windows tilt of that site, and thus are quite quick to bash away when it comes to non-Windows OSes, whether they be Mac, Linux of some kind, or any other.
posted by teece at 1:05 PM on May 8, 2005

Thank god I'm running Windows so I don't have to worry about security flaws like that. [/sarcasm]

Seriously though, this makes me think twice about switching to Mac. I had assumed that Apple, with all the attention to security, wouldn't be that straight up Stupid. To echo Teece, didn't they learn a goddamned thing from ActiveX?
posted by mullingitover at 1:42 PM on May 8, 2005

There's a very clear preventative measure you can take and it'll almost certainly be enabled by default in 10.4.1.

Chill people, it's not the end of the world.
posted by bshort at 1:48 PM on May 8, 2005

Is there anything just slightly computer-related you can't find someone on Slashdot bashing? Slashdot is so full of trolls it's not even funny sometimes.
posted by sveskemus at 1:48 PM on May 8, 2005

Seriously though, this makes me think twice about switching to Mac.

You might want to look up the word "overreaction".

How you can live in a windows world and look at this as a reason for not switching is bizarre.

Seriously.
posted by justgary at 1:56 PM on May 8, 2005

I've read all the links, and I still (running Panther), can't see what the deal is. Clicking a link in Safari 2.0 automatically installs a widget. OK, that's annoying, but if widgets don't have access to my hard drive, why is this so worrisome?
posted by Popular Ethics at 2:10 PM on May 8, 2005

I agree with the other posters: autoinstall links on Metafilter is bad. Extremely bad, whether warned or not, for someone could always accidently click on it -- which happens more often than one might think. With me at least.

Also, the article doesn't describe what the hell a "widget" is supposed to be, which apparently is something Mac-specific, so even the warning is vague: "Don't click on this link or something you probably won't know about will happen."
posted by JHarris at 2:11 PM on May 8, 2005

odinsdream - TUAW has directions, which have already been referred to.
posted by bshort at 2:38 PM on May 8, 2005

OK, I have to confess, I didn't read the first link for fear of causing irreperable harm to my computer, and I didn't find anything on the root site: stephan.com/widgets

However, having now read the article, I think this is a tempest in a teapot: Malicious widgets might open popups, or jump away from your mouse, but they cannot do any more serious damage without asking for an administrator password first.

The author's main critique is that there isn't an obvious way to uninstall annoying dashboard widgets. Except there is. You drag the bundle to the trash. The same way you uninstall any annoying program. The only salient point here is that should update their documentation.
posted by Popular Ethics at 3:02 PM on May 8, 2005

there's apparently a warning on the post now, but i'd also like to point out that the link also showed up in the XML feed -- so it also appeared in my aggregator i wrote on my own site. doesn't make me happy, regardless of the warning, b/c it puts my users at risk as well. agree wholeheartedly w/ the poster who suggested that the link go in a comment in the thread. even the warning isn't sufficient.
posted by spiderwire at 3:15 PM on May 8, 2005

Bet I could write a DDOS client in a Dashboard Widget that needs no authorized system resources...

Or maybe even a Spam Zombie...

Surely a spyware Ad PopUnder client.

Sure you want me on your desktop?
posted by PissOnYourParade at 3:25 PM on May 8, 2005

Also, the article doesn't describe what the hell a "widget" is supposed to be, which apparently is something Mac-specific, so even the warning is vague: "Don't click on this link or something you probably won't know about will happen."

If you're not on a Mac there's nothing to worry about if you click the link. And if you're on a Mac running Tiger you will know what a widget is.
posted by sveskemus at 3:30 PM on May 8, 2005

Bet I could write a DDOS client in a Dashboard Widget that needs no authorized system resources...
Or maybe even a Spam Zombie...
Surely a spyware Ad PopUnder client.

OK, good points. But one has always been able to write those things as a regular application, so what's different here? I agree Apple should add a warning to Safari that a widget is being installed. (Didn't they add this to executable disk images not too long ago?) Other than that, what could Apple (or any other OS maker) do to prevent a user from being tricked into installing malicious software?
posted by Popular Ethics at 3:43 PM on May 8, 2005

Mr. G**tse, wherever you are, I tip my hat. And I hope you can sit down now.

Comedy gold!

Seriously, "quiet" autoinstallation is bad. As in, "this idea was proposed by a brain-dead monkey" bad. Has Apple just decided to deliberately ignore the security lessons even Microsoft has managed to learn?
posted by clevershark at 5:29 PM on May 8, 2005

johnjreiser, as far as rm commands are concerned, I suppose I'd be concerned if there was any evidence that a widget could call an external program. As for the rest, if the widget ends up in your widget library, you still have to launch it from the widget bar. Widgets have a title and an icon in the widget bar; an unasked-for widget will stand out relatively clearly. And if, at that point, a widget has been spoofed to look like Free Puppies 2005 when really it's Cydoor or some such, I suppose it falls on the head of the user not to fall victim to the lure of free puppies when they know they didn't ask for any.
posted by rebirtha at 5:31 PM on May 8, 2005

I was under the impression that widgets were just HTML/XML/Javascript/etc. If so, isn't the "autoinstall" in this case really no different than opening a page in Safari? And if not, well, disregard.
posted by aaronetc at 5:35 PM on May 8, 2005

i'm not running Tiger yet, but this free Widget Manager pref pane (webpage; no downloads until you ask for one) may be of interest to those who are
posted by indices at 6:09 PM on May 8, 2005

and what's this fellow up to? (just a webpage, but read fully before clicking anything if you're running Tiger... perhaps not for the faint of heart)
posted by indices at 9:26 PM on May 8, 2005

If you're not on a Mac there's nothing to worry about if you click the link. And if you're on a Mac running Tiger you will know what a widget is.

This was not well explained in the post. When you post something potentially system-altering in a post, more information be better than less, and I'd think it'd be the poster's responsibility to go out of his way to make sure the needed information is there. (Of course, I have issues in general with poorly-explicated FPPs....)

Keep in mind, I'm fairly new here as a member, so multiply my comment by youi own personal Newbie Salt Grain Constant (NSGC).
posted by JHarris at 10:54 PM on May 8, 2005

This is actually fairly nasty; far nastier than some previous posters seem to think.

It starts with Safari auto-installing widgets, unless you change the default settings.

It continues with privilege escalation - a widget can give itself access to files across the filesystem!

It concludes when you realise that Safari hides the normal "Do you want to ..." security warning when auto-installing widgets with escalated privileges.

So, on the face of it, it seems to be possible - in a language as simple as JavaScript - to write a malicious program that near-silently downloads when visiting a webpage and can read/write/delete/transmit files.

Bad, no? And I'm typing this from my eMac running Tiger...
posted by Pinback at 1:23 AM on May 9, 2005

I did forget one thing, though - widgets can't be auto-installed to run immediately; they must be started by the user. But that's nothing a little social engineering can't fix...
posted by Pinback at 1:32 AM on May 9, 2005

It continues with privilege escalation - a widget can give itself access to files across the filesystem!

Christ, did you bother to read the link? It doesn't work that way. A user has to log in for privilege escalation. The widget can't do anything on its own. Period.
posted by AlexReynolds at 5:35 AM on May 9, 2005

The thing to remember with bugs and security holes is that they happen. Period, regardless of the system.

The important thing is really how the OS builders respond to the hole. Some people (like those fine folks over at Gentoo Linux) constantly publish their bug reports, and set about fixing holes as quickly as possible, in an open, honest way. Others (like Microsoft) keep security leaks to themselves (and the cracking community which certainly knows about it), releasing a patch on average six months after the discovery of a hole. Microsoft fixes a very small proportion of the holes in their system, and generally only after much griping.

I'm not sure how Apple stacks up, but I doubt it's as bad as M$.

My money (or lack thereof!) is on Linux. The small user-base means its unlikely anyone will bother to attack, and the system for dealing with security holes is very robust. Ra Ra Ra!
posted by kaibutsu at 9:14 AM on May 9, 2005

The important thing is that nobody should really feel 100% secure about their operating system environment. As much as you Mac users love your systems, there is one little problem that crops up occasionally: Learning to implicitly trust that your computer is safe and secure is a bad thing. Just because you've never had something unexpected happen when opening or running a file or web page doesn't mean it will always be that way, and it is far better to be more security-conscious now than to learn the hard way. A lot of Windows users have been bitten in the ass by going to a specific web page or getting an email from a friend. Many Windows users have become more careful about their computing habits as a result of this. You can say what you want about MS or Apple's commitment (or lack thereof) to security, but you can't really complain about your own willingness to click on a link and assume that it is safe to do so.

I'm not saying it was right to post the FPP without a warning, I'm just saying that learning to be more careful because of a harmless test download is a lot better than not hearing about this and then getting hit with something a little more sinister later on down the road. It doesn't matter what kind of security measures your OS has out of the box - the real truth is that your computer is really only ever as secure as the person using it.
posted by caution live frogs at 9:31 AM on May 9, 2005

The essential plugin Saft for Safari just came out with an update that allows you to disable autoinstall of widgets. It also allows you to turn off the pesky download warning, auto-saves any tabs open when you quit safari or if it crashes, lets you set the browser to full screen, and has many, many more features.

It's hands down the most useful broser plug-in in existence, although sadly it is not free. But considering how often it's updated and how useful it is, I find it a worthy investment. That along with Pithhelmet (ad/flash blocker and style modifier) and Acidsearch (add customized search channels to the Google field of the toolbar) make Safari 2.0 the greatest browser I've ever used. I don't even bother with Firefox any more (though I'm not slamming it... it's excellent in its own right).
posted by the_savage_mind at 5:52 AM on May 10, 2005