Title: Security Hole: Dashboard
Post by: Civrock on May 09, 2005, 12:04:46 am

http://discussions.info.apple.com/webx?128...SOt.2@.68aed1b6
http://forums.macnn.com/showthread.php?t=255388
http://episteme.arstechnica.com/eve/ubb.x/.../m/200006323731

when you download a Dashboard Widget with your browser, it normally gets auto-installed. in these three threads a relatively big security hole is explained and also tested how far it can cause damage if exploited. although i'm personally not too paranoid about this, i just disabled the feature "auto-open -safe- files after downloading" (directly translated from german, could be slightly different) in the general preferences of Safari. i hope Apple already knows about it and stuffs this security risk asap.

Title: Re: Security Hole: Dashboard
Post by: BTs_Mysterio on May 09, 2005, 01:10:13 am

I bet on an update within 2 weeks.

Title: Re: Security Hole: Dashboard
Post by: Ethion on May 09, 2005, 09:45:39 am

it's not directly a security hole, because when you download a widget, it might install itself.
But it goes directly to the dashboard thingi, so you shouldn't be that concerned about it.

Title: Re: Security Hole: Dashboard
Post by: BTs_Mysterio on May 09, 2005, 01:15:44 pm

You should be generally concerned, however, if you are foolish enough to leave on open safe files.

Title: Re: Security Hole: Dashboard
Post by: Civrock on May 09, 2005, 01:51:47 pm

> it's not directly a security hole, because when you download a widget, it might install itself. But it goes directly to the dashboard thingi, so you shouldn't be that concerned about it.

it goes directly into the dashboard and therefore auto-installs itself. check out the links... there is a (harmless) widget that blocks all others when it's only in the widget folder. it has been created just to see the potential in this hole... and if you go further into the threads, people already created pretty evil widgets that can destroy your whole system. basically you can put pretty bad stuff into widgets... shell scripts etc and you can't do much about it without a clue. Apple left too many possibilities open in this case although that's usually a good thing.
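
A defender-side check for the situation discussed in this thread, where a widget can land in the widget folder without the user choosing to install it. This is an added example, not code from the thread or from Apple: it lists each bundle in a widgets folder and the elevated-access keys its Info.plist declares. The default path `~/Library/Widgets` and the key names (`AllowSystem` and the others) do not appear on this page and are assumptions based on Apple's Dashboard widget format.

```python
import plistlib
import sys
from pathlib import Path

# Info.plist keys that widen a widget's access beyond its own bundle.
# Assumption: key names follow Apple's Dashboard widget format; none are on this page.
ACCESS_KEYS = ("AllowSystem", "AllowFullAccess", "AllowFileAccessOutsideOfWidget",
               "AllowNetworkAccess", "AllowInternetPlugins", "AllowJava")


def audit_widget(bundle):
    """Return identifier, declared access keys and any read error for one .wdgt bundle."""
    finding = {"widget": bundle.name, "identifier": None, "access": [], "error": None}
    try:
        with (bundle / "Info.plist").open("rb") as fh:
            info = plistlib.load(fh)
    except Exception as exc:  # missing file, malformed XML, unknown plist format
        finding["error"] = f"cannot read Info.plist: {exc}"
        return finding
    if not isinstance(info, dict):
        finding["error"] = "Info.plist root is not a dictionary"
        return finding
    finding["identifier"] = info.get("CFBundleIdentifier")
    finding["access"] = [key for key in ACCESS_KEYS if info.get(key) is True]
    if info.get("Plugin"):  # native code bundled with the widget
        finding["access"].append("Plugin")
    return finding


def audit_folder(folder):
    """Audit every .wdgt bundle directly inside folder, sorted by name."""
    bundles = sorted(p for p in Path(folder).glob("*.wdgt") if p.is_dir())
    return [audit_widget(b) for b in bundles]


if __name__ == "__main__":
    # Assumption: per-user widgets live in ~/Library/Widgets unless a path is given.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Library" / "Widgets"
    for f in audit_folder(target):
        detail = f["error"] or ", ".join(f["access"]) or "no elevated access declared"
        print(f"{f['widget']} ({f['identifier']}): {detail}")
```

A bundle you do not remember installing, or one whose Info.plist cannot be read, deserves a closer look regardless of which keys it declares.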