Some people have suggested that the threat is lessened because there are warnings about running newly-installed widgets, or that the user is responsible for 'running' the widget by dragging it out of the widgets bar. I wanted to clarify *exactly* what happened when I tried out this exploit on my machine.
Here's what happened, step-by-step.
1. In Safari, I opened http://stephan.com/widgets/zaptastic/
2. The page loaded, and the Downloads window opened, showing that a file had been downloaded.
3. I invoked Dashboard, and found a new widget listed called 'Zaptastic'. I dragged it out of the widgets bar, and it ran immediately - there was no warning of any kind, nothing asked me if I intended this to happen - and caused my default browser (Firefox, in this instance) to open a new tab at the GreenZap web site.
4. Further investigation showed that the file 'zaptastic.wdgt' had been installed in ~/Library/Widgets. The widgets that come with Tiger are in the /Library/Widgets directory (i.e., not within my user space).
The *install* was automatic. User intervention was required to run the widget, but if the user has been informed that the widget does something cool or useful, that isn't hard to bring about.
What's more, if I were a newbie, someone who had only recently switched to OS X, I would *not* have known where to look for the offending widget. I would not know how to remove it from the system.
It seems clear to me that the opportunity exists for so-inclined people to release malicious .wdgt files that auto-install, fool the user into activation, and are, at the very least, intrusive and annoying.
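As an added example, not part of the post above, here is a small POSIX shell script that inventories Dashboard widget bundles (the .wdgt directories) and reports those present in the user's widget folder but not shipped in the system folder. The two locations it models are /Library/Widgets and ~/Library/Widgets, as named in the post; the sample layout it builds under a temporary directory, and the widget names other than Zaptastic, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: list Dashboard widget
# bundles (.wdgt directories) and report the ones found in the user's
# widget folder that have no counterpart in the system folder. On a Tiger
# system the real locations are /Library/Widgets and ~/Library/Widgets;
# the demo layout built below under a temporary path is constructed.

# Print the bundle names (without the .wdgt suffix) found directly in DIR.
list_widgets() {
    dir=$1
    [ -d "$dir" ] || return 0
    for w in "$dir"/*.wdgt; do
        [ -d "$w" ] || continue        # glob matched nothing, or not a bundle
        basename "$w" .wdgt
    done
}

# Print names present in USER_DIR that do not exist in SYSTEM_DIR.
# Anything listed here was added under the user's account, whether by the
# user or by a download that Safari unpacked into ~/Library/Widgets.
user_installed_widgets() {
    sysdir=$1
    userdir=$2
    list_widgets "$userdir" | while IFS= read -r name; do
        [ -d "$sysdir/$name.wdgt" ] || printf '%s\n' "$name"
    done
}

# Constructed sample layout so the script runs offline. Weather appears in
# both folders to show that a user copy of a system widget is not flagged.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/system/Calculator.wdgt" \
         "$demo_root/system/Weather.wdgt" \
         "$demo_root/user/Weather.wdgt" \
         "$demo_root/user/Zaptastic.wdgt"

echo "System widgets:"
list_widgets "$demo_root/system"
echo "Added under the user account (candidates to inspect or remove):"
user_installed_widgets "$demo_root/system" "$demo_root/user"
```

Against a real Tiger account the call is `user_installed_widgets /Library/Widgets "$HOME/Library/Widgets"`; the names it prints are the bundles a newcomer would not know to look for, and removing one is a matter of deleting that directory from ~/Library/Widgets.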