I'm not going to make an active link to this site, but I am going to tell you about it and then list the link, and if you really want to check it out, then you can copy and paste the address in your address bar. Here's the address: http://stephan.com/widgets/zaptastic/
Now, if you jump over to that site, it automatically downloads a widget, and if you are on Tiger, using Safari, and you haven't bothered to disable the "Open 'safe' files after downloading" feature (it is on by default), Safari also installs it for you: the widget arrives as a zip archive, which Safari counts as "safe" and unpacks, and Tiger's Dashboard then installs the .wdgt bundle into ~/Library/Widgets and adds it to the Widget Bar without asking you anything. A widget is mostly HTML and JavaScript, but its Info.plist can declare AllowSystem (shell access through widget.system()) or a native Plugin bundle, so "just a web page" undersells what an auto-installed one can do.
So what? How's that a risk? Read more after the jump.
First things first: before we do this, go to Safari > Preferences and, under General, uncheck "Open 'safe' files after downloading." With that box unchecked Safari still downloads the archive, but it no longer unpacks it or hands the widget to Dashboard.

Now, go to zaptastic: a blueprint for a widget of mass destruction, notice that something suddenly downloads without you asking for it, and read the long, horrible story of how widgets could go horribly wrong for the Mac community, becoming, essentially, spyware and annoyware for Macs. Doom and gloom. Doom and gloom!
Eh, just don't ever recheck that check box. And whatever you do, do not look at the goatse.cx widget. Do not look at the goatse; if you do not know what the goatse is and you are curious, then read up on it at Wikipedia. Never look at the goatse!
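As an added example (not code from the original post or from the Zaptastic site), here is a small POSIX shell audit covering the two things a practitioner would want after reading this: whether Safari's auto-open preference is still on, and which widgets already sitting in ~/Library/Widgets declare capabilities beyond plain HTML and JavaScript. The capability keys it looks for (AllowSystem, AllowFullAccess, AllowNetworkAccess, AllowFileAccessOutsideOfWidget, Plugin) are Apple's documented Dashboard Info.plist keys and AutoOpenSafeDownloads is Safari's preference key; the two widget bundles the script builds are constructed fixtures, not real widgets, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit Dashboard widget bundles
# for capabilities that reach outside the widget, and check the Safari
# preference the post tells you to turn off. Widget bundles are *.wdgt
# directories holding an XML Info.plist. Sample bundles are constructed
# below so the script runs offline on any POSIX shell.

# safari_autoopen_enabled: 0 = "Open 'safe' files" is on, 1 = off,
# 2 = cannot tell (no `defaults` tool, i.e. not Mac OS X).
# An absent key means Safari uses its default, which is on.
safari_autoopen_enabled() {
    command -v defaults >/dev/null 2>&1 || return 2
    case "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)" in
        0|false|NO) return 1 ;;
        *)          return 0 ;;
    esac
}

# plist_key_true FILE KEY: succeed if <key>KEY</key> is followed by <true/>
plist_key_true() {
    tr -d '\n\t ' < "$1" | grep -q "<key>$2</key><true/>"
}

# plist_has_key FILE KEY: succeed if the key is present at all (used for Plugin,
# whose value is a bundle name rather than a boolean)
plist_has_key() {
    grep -q "<key>$2</key>" "$1"
}

# audit_widget DIR: print the widget's elevated capabilities.
# Returns 0 when the widget is "just a web page", 1 when it declares any
# capability that reaches outside the widget, 2 when there is no Info.plist.
audit_widget() {
    plist="$1/Info.plist"
    [ -f "$plist" ] || { echo "$(basename "$1"): no Info.plist"; return 2; }
    caps=""
    for key in AllowSystem AllowFullAccess AllowNetworkAccess \
               AllowFileAccessOutsideOfWidget; do
        plist_key_true "$plist" "$key" && caps="$caps $key"
    done
    plist_has_key "$plist" Plugin && caps="$caps Plugin(native-code)"
    if [ -n "$caps" ]; then
        echo "$(basename "$1"): RISKY:$caps"
        return 1
    fi
    echo "$(basename "$1"): web-only"
    return 0
}

# audit_widget_dir DIR: audit every *.wdgt in DIR (e.g. "$HOME/Library/Widgets").
# Exit status is the number of risky widgets found (0 = none).
audit_widget_dir() {
    risky=0
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        audit_widget "$w" || [ $? -eq 2 ] || risky=$((risky + 1))
    done
    return $risky
}

# harden_widget_dir DIR: the read-only trick from the comment thread. With the
# per-user widget folder not writable, an auto-opened widget is still
# downloaded but cannot be installed. Undo with chmod u+w.
harden_widget_dir() {
    mkdir -p "$1" && chmod u-w "$1"
}

# make_sample_widgets DIR: constructed fixtures for the demo (not real widgets).
# Clock.wdgt is plain HTML/JS; Zap.wdgt asks for shell access, network
# access and a native plug-in, the shape of a widget worth worrying about.
make_sample_widgets() {
    mkdir -p "$1/Clock.wdgt" "$1/Zap.wdgt"
    cat > "$1/Clock.wdgt/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.clock</string>
    <key>MainHTML</key><string>clock.html</string>
</dict>
</plist>
EOF
    cat > "$1/Zap.wdgt/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.zap</string>
    <key>MainHTML</key><string>zap.html</string>
    <key>AllowSystem</key><true/>
    <key>AllowNetworkAccess</key><true/>
    <key>Plugin</key><string>Zap.bundle</string>
</dict>
</plist>
EOF
}

# Demo run against the constructed bundles in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_widgets "$demo_dir"
n=0; audit_widget_dir "$demo_dir" || n=$?
echo "risky widgets found: $n"
s=0; safari_autoopen_enabled || s=$?
echo "Safari auto-open status: $s (0=on, 1=off, 2=unknown)"
rm -rf "$demo_dir"
```

On a Tiger machine, run audit_widget_dir "$HOME/Library/Widgets" to see what has already been installed behind your back; harden_widget_dir "$HOME/Library/Widgets" applies the read-only mitigation from the comments, and `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` is the command-line equivalent of unchecking the preference box.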
Thanks, Cap'n Hector for the tip!
Reader Comments (Page 1 of 2)
6-15-2005 @ 11:55AM
sblock said...
I am new to Mac and have purchased an eMac with Tiger software installed. I am wanting to learn best practice in using my new computer.
Reply
6-15-2005 @ 11:55AM
sblock said...
just activating my comments
Reply
6-16-2005 @ 4:18PM
matt said...
One could set ~/Library/Widgets to read-only and still enjoy "Open safe files after downloading." The offending widget will still be downloaded, but not installed in the Widgets folder since it doesn't have permission. Then just look in your default downloads location and delete the unwanted widget.
That's one idea.
Reply
6-16-2005 @ 4:18PM
Kevin said...
Well, the point is Apple didn't see this coming; they should have a place where we can remove widgets without using the Dashboard. Apple should also allow us to customize the "safe" files that Safari will open automatically.
Reply
6-16-2005 @ 4:18PM
Cadmium said...
There is a way to remove widgets without going to the dashboard. It's called activity viewer.
The author does have a point however. Safari should not launch anything automatically.
Reply
6-16-2005 @ 4:18PM
holophile said...
The really ironic thing about this is that now Apple created some annoying message (that you can't disable) which warns you each time you download some file that could potentially contain malicious code.
But they don't display that message when you download some arbitrary little widget.
Granted, based on your definition, this is not particularly malicious. I mean, it's not trying to gain admin rights to my system.... at least not yet.
But, at the very least, this could lead to some of the same adware/spyware problems that plague that "other" well-known OS.
Reply
6-16-2005 @ 4:18PM
hadley stern said...
C.K., that is a great find... and very scary. It's also surprising, given how we all know Apple prides itself on being the "safer" OS. What is even scarier is that this widget (not to give anyone any ideas) could be combined with Automator to wreak all kinds of havoc.
Apple, plug the hole!
Reply
6-16-2005 @ 4:18PM
kent said...
Would Little Snitch help prevent this from occurring?
Reply
6-16-2005 @ 4:18PM
Jack said...
I have been using Tiger for a few days and I can honestly say without a doubt that while the system on a whole does feel faster in many situations it did not previously, Dashboard is a major annoyance and pain in many ways. Now learning about this, I really have to ask what the Apple IT guys were smoking? This Dashboard feature was hyped to death. And now it's a security risk? Good lord!
Reply
6-16-2005 @ 4:18PM
bryan said...
Jack - if you don't like it then don't use it, simple huh?
Reply
6-16-2005 @ 4:18PM
Bill Eccles said...
Now, a better question yet, is just how the heck do you get rid of a Widget?
I mean, without going to ~/Library/Widgets, that is. After all, the MacOS is supposed to be about user-friendliness, but if you have a Widget that you don't want anymore, you're relegated to Widget Hell.
To quote from Apple's own help file on the matter:
"You cannot remove widgets from the Widget Bar or change their order."
That pretty well sucks.
I'm thinking, by the way, of writing a Widget called "Self-Installing Annoying Widget from Hell That Will Do Nothing but Clutter Up Your Widget Bar (and Duplicate Itself Until You Have Thirty Bars of Widgets With the Widgets You Want Interspersed Randomly Throughout)."
Then again, I have better things to do.
Reply
6-16-2005 @ 4:18PM
fernando said...
I was under the assumption that widgets were just XML, JavaScript, HTML, and other web tech. Also, don't all these play in their own sandbox under one process? I don't see how, given these circumstances, any widget could get access to critical system files or key logging, etc.
Reply
6-16-2005 @ 4:18PM
veggiedude said...
The 'main' widgets are installed at the root level widgets directory, and thus useable by all users. The ones you download, go to your user folder of widgets (in Library). Just wanted to make that distinction. The only thing you need to be aware of, just don't go widget crazy. Each one can take up 20MB of RAM. Use wisely!
Reply
6-16-2005 @ 4:18PM
Peter da Silva said...
Ever since Dashboard was announced this has been something I've been worried about, because a widget is just a special kind of web page, but widgets can run Cocoa (native code) elements. Being able to run native code elements from a browser window has been the BIG security hole at Microsoft for getting on for a decade now.
Being able to run a widget that doesn't contain any native code elements from a browser is not inherently any more dangerous than displaying a web page from a browser. Because a widget is just a packaged fancy web page. It would have been surprising if you couldn't run at least some widgets from the browser. Because, again, it's just a web page.
But... as far as I have been able to tell, you can only run the special kinds of widgets that include native code elements from Dashboard. So what you're looking at isn't a security hole. That doesn't mean there is one, or there isn't one, but this isn't a sign one way or the other.
Reply
6-16-2005 @ 4:18PM
Jack said...
Bryan, yes, I don't have to use them. But the fact that there is a hole that allows access to them is disturbing. And if you've ever done tech support you would know that sometimes users who are complaining about a bogged down system won't do the obvious thing like disabling something as silly as Widgets.
At 200MB of RAM per widget, 'that's a spicy meatball' to say the least.
Reply
6-16-2005 @ 4:18PM
Peter da Silva said...
Whoa.
Whoa.
Let me unconditionally reverse everything I said there. I didn't go through to the site because I didn't want an annoying widget in my browser. I didn't realise that this thing was installing an annoying widget in Dashboard.
In Dashboard.
OK, Apple, that's bad. That's really bad. A widget can do anything it wants to, once it's been accepted, and people are used to accepting them. This is just asking for abuse.
Apple needs to back out of considering widgets as "safe" files, *and* they need to make "open safe files" an option, not the default behaviour.
And they need to do it now.
Reply
6-16-2005 @ 4:18PM
bistrojack said...
Has anyone noticed that widgets consume rather large amounts of RAM?
Flight Tracker: 25.5 MB
Weather: 10.5 MB
Yahoo Traffic: 10.12 MB
Even the world clock uses 5.3 MB.
Load up a page of widgets and watch your system going to swap.
Reply
6-16-2005 @ 4:18PM
Dale said...
Talk about a storm in a teacup. How is a widget redirecting you to a porn site any different to a link in a web browser redirecting you to a porn site?
As the article notes, even porn sites stop you closing browser windows, i.e. the equivalent of not removing a widget from the Dashboard interface.
Are you complaining about browsers as well?
Dashboard widgets run in their own process ('sandbox') and Apple have put limits on what a widget can do. They're also subject to the normal security precautions built in to Mac OS X accounts, i.e. they can't run as root, etc. Did you even read the developer documentation before scaremongering like this?
Please get some facts and get back to us if you want us to take you or this developer seriously.
Reply
6-16-2005 @ 4:18PM
Dale said...
bistrojack: If your Mac has to swap memory because you're running 3 widgets that consume 40MB of RAM then you need to either get more RAM or buy a new Mac.
Mac OS X's virtual memory subsystem can easily cope with 40MB of RAM allocated to 3 widgets that sit in the background not using your CPU. Mac OS X simply moves this 'not being used' RAM out of the way and uses your real RAM for what you're doing at the moment.
Apple were aware of this when making Dashboard, and they designed Dashboard to have little impact when not active. They also strongly encourage Dashboard developers to do the same.
This isn't a real problem.
Reply
6-16-2005 @ 4:18PM
marcello said...
ooooh... finally you mac users will stop bragging about macos being invulnerable to viruses...
uhmmm, wait a minute, i'm a mac user too!
oh, well...
anyway, these kinds of things are typical of the micro$oft world, and are exactly the kind of things that mac zealots point out when they're bragging about how cool their systems are and how smart apple is... well, this is the demonstration that apple is not much different from any other software developing company.
regards,
Marcello
Reply