Wild Widgets could send a security wake-up call to Mac users, claims a developer at Stephan.com.
The developer has taken a look at Dashboard and realised that the way Apple has given the Widget-management application the capacity to automatically download and install Widgets may create an opportunity for distributing malicious Widgets.
Widgets at war
These 'Widgets at war' could theoretically be unleashed to collect people's user names, destroy data held on hard drives or simply to open windows endlessly, the developer notes.
"Apple has significantly lowered the bar for malicious entities to install and execute damaging code in OS X. Honestly, I don't think this is that big of a deal - causing real damage is likely a bit harder than I make it sound," he states.
All the same, the auto-install capability could let malicious third-party sites install Widgets automatically. To prove this, the developer has set up his site so that anyone running Tiger who visits it automatically downloads a Widget as a proof of concept.
Widget rethink recommended
"Dashboard Widget will be automatically downloaded and installed and can't be removed without manually removing the file from the Library folder and rebooting the computer."
Despite his reservations, and his exhortation to Apple that it "stop the autoinstall" function, Stephan.com says of Apple's treatment of security: "Apple has done a pretty good job of it - the only real change I would consider is re-thinking the logic behind autoinstall, and for heaven's sake, please provide a way to remove widgets, ideally from outside the Dashboard."