Dashboard and widget installation security

A lot of articles have been published this past week about Dashboard, the new widget utility in Apple’s new operating system, 10.4. Unfortunately, most of these articles have contained inacurate and misleading information. I am not sure if the authors of these articles did this intentionally or not, but I wish that people would keep their mouth shut unless they know what they are talking about. FUD doesn’t help the industry, uninformed readers, or those publishing the information. In this article I will address and debunk the two major concerns making up the so-called “malicious exploit” surroudning Dashboard and it’s widgets: that they “cannot be removed” and that they “auo-install without the users knowledge.”

MYTH 1: Widgets can auto-install themselves without the user’s knowledge

An important point must be made here: This insecurity is only present if the user allows it to be. Widgets can only be auto-installed if you are…

1. using Safari
2. you have “Open safe files after downloading” enabled

So, I would not consider this an exploit because it can only happen with the user’s knowledge. Widgets are just like applications, you must always be aware of what you are installing on your system—where it is from and what it does.

Granted, there is more that Apple can (and should) do to make the process of installing Widgets more secure, but I would not consider the current state a vulnerability. My recommendations are thus:

1. Widgets need to be classified into two categories: ones that are applications and ones that are not. The difference being wether they use XHTML/CSS/javascript only, or if they utilize system processes, tools, and technologies (such as UNIX commands and anything that is beyond the scope of a non-administrative user).
2. If a widget is in the application class, it should require an administrator password to be installed.

MYTH 2: Widgets cannot be removed

It depends on what you mean by “removed.” If you mean that they cannot be uninstalled, this is incorrect. If you mean that they cannot be uninstalled from within Dashboard, then this is true. This (uninstalling widgets from within Dashboard) is how Apple intended it and there is nothing insecure about it. Unfortunately, many articles have stated that “widgets cannot be removed,” communicating to their audience (whether intentional or not) that widgets cannot be uninstalled. Apple’s documentation states that you “cannot remove widgets from the Widget Bar or change their order,” but it doesn’t say that they cannot be uninstalled. The official way to uninstall a widget is to delete them from the widgets directories (system or users, respectively):

/Library/Widgets

~/Library/Widgets

Downtown Software House has also created a free Dashbaord preference pane for those desiring a graphical approach to managing widgets.

Conclusion

I don’t see anything to panic about. As stated above, I do not believe that this is anything insecure with Dashboard or the widget installation process, unless a user chooses to make it so. A user can interact with widgets in an insecure manner no easily than they can with any other software or system. The first rule when using a computer and the internet is to know what you are doing—look before you leap. You are only as insecure as you allow yourself to be.

So, let’s hope that Apple takes this excellent new feature and enhances it making it even more user-friendly, more secure, and more intuitive for the average user to use.

In the mean time, there is a third-party utility that you can install that will allow you to leave Safari’s “Open safe files after downloading” and yet be prompting you for permission to install a widget.