Security Hole: Dashboard

[Civrock]

http://discussions.info.apple.com/webx?128...SOt.2@.68aed1b6

http://forums.macnn.com/showthread.php?t=255388

http://episteme.arstechnica.com/eve/ubb.x/.../m/200006323731


when you download a Dashboard Widget with your browser, it normally gets auto-installed. in these three threads a relatively big security hole is explained and also tested how far it can cause damage if exploited.

although i'm personally not too paranoid about this, i just disabled the feature "auto-open -safe- files after downloading" (directly translated from german, could be slightly different) in the general preferences of Safari. i hope Apple already knows about it and stuffs this security risk asap.

[BTs_Mysterio]

I bet on a update within 2 weeks.

[Ethion]

it's not directly a security hole, because when you download an widget, it might install itself.
But it goes directly to the dashboard thingi, so you shouldn't be that concerend about it.

[BTs_Mysterio]

You should be generally concerned, however, if you are foolish enough to leave on open safe files.

[Civrock]

it's not directly a security hole, because when you download an widget, it might install itself.
But it goes directly to the dashboard thingi, so you shouldn't be that concerend about it.

it goes directly into the dashbord and therefore auto-installs itself. check out the links... there is a (harmless) widget that blocks all others when it's only in the widget folder. it has been created just to see the potential in this hole... and if you go further into the threads, people already created pretty evil widgets that can destroy your whole system. basically you can put pretty bad stuff into widgets... shell scripts etc and you can't do much about it without a clue. Apple left too much possibilities open in this case although that's usually a good thing.