sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
 ·Optimum Online
| reply to rjackson
Re: Widget Security
said by rjackson  :said by bobrk :So it's sort of up to the Dashboard to do security duties? No, It's Up To You™. Some people might think it's unfair but you shouldn't trust a widget you downloaded any more than you would trust a shell script, Automator workflow, or AppleScript. The good news is it's fairly easy to audit a widget simply because they're scripts, rather than a binary that isn't very human-readable. Eek! That sounds like something you'd overhear in the Windows Help forum.
--
Bush/Cheney '04! - Scared Straight
"Patriotism is supporting your country all the time and your government when it deserves it." |
|
jDyno
Premium
join:2001-02-20
Washington, DC
clubs:
| reply to rjackson
said by rjackson :said by bobrk :So it's sort of up to the Dashboard to do security duties? No, It's Up To You™. Some people might think it's unfair but you shouldn't trust a widget you downloaded any more than you would trust a shell script, Automator workflow, or AppleScript. The good news is it's fairly easy to audit a widget simply because they're scripts, rather than a binary that isn't very human-readable. Tell that to my 60-year old mother, for whom I'll be updating her new iBook to Tiger in the coming weeks.
Hell, tell that to my 36-year old sister, who is a very computer-savvy graphic designer, but wouldn't know what the code meant if you forced her to read it like a EULA every time the widget launched!
It's just not practical, rjackson. Even for me, and I write webdev code for a living. It would be really easy to hide some nefarious stuff in benign-looking code. And tell me, have you opened every single Widget you downloaded before loading it and thoroughly examined every single line to make sure it doesn't do anything you don't expect? C'mon.
And at this point, I'm not even asking for anything too advanced from Dashboard or Automator. I just want even the barest programmatic protections against nefarious stuff, like explicitly telling me that an app requires System or Net access (the current warning is too vague and I even missed that it was asking for access to the SYSTEM, rather than just telling me I'm running something for the first time) and ALSO telling me in idiot terms, why I should care about this.
This isn't about protecting those that know better or can do things to protect themselves. Apple is getting more and more into an uneducated consumer space, and that's a good thing, so they need to do more to protect those that can't protect themselves.
--
Smart Marketing |
|
rjackson
Premium,Mod
join:2002-04-02
Ringgold, GA
clubs:
Host:
SMC Networks
Automotive
VOIP Tech Chat
ViaTalk
Teleblend
| reply to bobrk
said by bobrk :So it's sort of up to the Dashboard to do security duties? No, It's Up To You™. Some people might think it's unfair but you shouldn't trust a widget you downloaded any more than you would trust a shell script, Automator workflow, or AppleScript. The good news is it's fairly easy to audit a widget simply because they're scripts, rather than a binary that isn't very human-readable. |
|
bobrk
You kids get offa my lawn
Premium
join:2000-02-02
San Jose, CA | reply to rjackson
So it's sort of up to the Dashboard to do security duties?
--
bobrk |
|
rjackson
Premium,Mod
join:2002-04-02
Ringgold, GA
clubs:
Host:
SMC Networks
Automotive
VOIP Tech Chat
ViaTalk
Teleblend
1 edit | reply to sporkme
Yeah, widgets can be debugged/ran in Safari but they won't have their full capabilities. The widget object is specific to Dashboard and as such none of its methods or properties are valid in Safari, so they wouldn't work anyways. That includes widget.system() for executing system commands.
Testing if window.widget exists is just a matter of good programming practices, there's no reason to execute code if you know it's going to fail or produce unexpected results. |
|
sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online
| reply to rjackson
said by rjackson :The widget object is only available in Dashboard, it doesn't have any properties in Safari. In fact most widgets will test to see if they're in the Dashboard environment before doing anything with the widget object: if(window.widget) {
// do widget-only stuff here
} I'm confused here, as I thought you were able to debug/run widgets in Safari 2.x?
If I were a betting man, I'd say the first big Mac "trojan" will be a malicious widget. If they can be loaded in Safari, look out, then browsing becomes Active-X dangerous.
--
Bush/Cheney '04! - Scared Straight
"Patriotism is supporting your country all the time and your government when it deserves it." |
|
Nighttime
join:2001-11-30 | reply to rjackson
I guess a widget could be cooked up to check that file. |
|
rjackson
Premium,Mod
join:2002-04-02
Ringgold, GA
clubs:
Host:
SMC Networks
Automotive
VOIP Tech Chat
ViaTalk
Teleblend
2 edits | reply to shavano
said by shavano :I was hoping they might only be able to execute informational commands, not execute any arbitrary command like "rm -Rf". I'd like them to not be able to do anything that writes or modifies a file via Unix command. Maybe there's something down in the bowels that prevents it? If you're concerned about a widget accessing the system open it up by right-clicking (or cmd-clicking) on the widget and go to "Show package contents". Open up the widget's Info.plist and look for a key that says "AllowSystem" or "AllowFullAccess". Without either of these keys set to "Yes" the widget has no authority to run system commands.
Likewise the absence of the "AllowNetwork" key prevents the widget from using network resources.
said by shavano :But if not, and if they actuallly are just mini-browsers, then did this make Safari vulnerable as well? That is, the widget object with all it's power, is now available to any Javascript? Or is it "limited" to just widgets executing via the Widget Server? The widget object is only available in Dashboard, it doesn't have any properties in Safari. In fact most widgets will test to see if they're in the Dashboard environment before doing anything with the widget object:
if(window.widget) {
// do widget-only stuff here
} |
|
