Widget Manager in OS X 10.4.2

Posted by Jonathan

Apple just released OS X 10.4.2, which includes a Widget Manager. There had been some criticism because there was no way to deactivate or uninstall a widget from Dashboard or any other GUI tool. Apple now introduces the Widget Manager to address this.

The Widget Manager is itself a Widget. You can use it like any other Widget by clicking on it or dragging it onto the Dashboard. Further, there is now a new button beside the “+” button for the Widget Board.

[Screenshot: Widget Manager]

The Widget Manager lists every installed Widget (system ones and user-installed ones in ~/Library/Widgets) and shows whether each one was shipped by Apple or not. Third-party Widgets are marked with a red sign. Further, you can deactivate each Widget.

[Screenshot: Widget Manager]

Third-party Widgets can be uninstalled by clicking on the red graphic:

[Screenshot: Widget Manager]

UPDATE:
If you double-click on a newly downloaded Widget, you are asked whether you want to install it:

[Screenshot: Widget Manager]

When the Widget starts you are asked whether you want to keep or delete it.

[Screenshot: Widget Manager]

Widgets Preference Pane for Mac OS X

Posted by Jonathan

There were some issues with Apple’s Dashboard, such as auto-installation and the absence of controls for uninstallation and management. EGO Systems, Inc. has released a Widgets Preference Pane for Mac OS X. This Preference Pane lets you see and deactivate all Widgets on the system, as well as set ACL permissions on the Widget folders in order to prevent installation. You can also change the Dashboard self graphic and completely disable Dashboard.
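The inventory the Preference Pane (and, in 10.4.2, the Widget Manager) shows can also be produced from the command line. The script below is an added example, not the original post's and not part of the EGO Systems software: it walks a Widgets folder, reads each bundle's CFBundleIdentifier and flags the ones that are not Apple-shipped. It assumes that Info.plist is a plain-XML plist and that Apple's widgets use identifiers starting with com.apple. (both assumptions; how the Widget Manager itself decides is not stated on the page). The sample bundles are constructed in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post or of the EGO Systems pane.
# Inventory Dashboard widgets in a Widgets folder and flag third-party ones.
# Assumptions: each bundle's Info.plist is a plain-XML plist, and Apple-shipped
# widgets use a CFBundleIdentifier starting with "com.apple." (on a real Mac,
# "defaults read <bundle>/Info CFBundleIdentifier" also handles binary plists).

# Print the CFBundleIdentifier of the widget bundle given as $1.
widget_identifier() {
    awk '
        /<key>CFBundleIdentifier<\/key>/ { found = 1 }
        found && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
    ' "$1/Info.plist"
}

# Classify a bundle as apple / third-party / unknown (no identifier found).
widget_origin() {
    case "$(widget_identifier "$1")" in
        com.apple.*) echo apple ;;
        "")          echo unknown ;;
        *)           echo third-party ;;
    esac
}

# One tab-separated line per bundle in directory $1: name, identifier, origin.
# Real locations are /Library/Widgets (system) and ~/Library/Widgets (user).
list_widgets() {
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        printf '%s\t%s\t%s\n' "$(basename "$w" .wdgt)" \
            "$(widget_identifier "$w")" "$(widget_origin "$w")"
    done
}

# Build a constructed sample bundle: $1 dir, $2 name, $3 bundle identifier.
make_sample_widget() {
    mkdir -p "$1/$2.wdgt"
    printf '<?xml version="1.0"?>\n<plist version="1.0">\n<dict>\n' > "$1/$2.wdgt/Info.plist"
    printf '\t<key>CFBundleIdentifier</key>\n\t<string>%s</string>\n' "$3" >> "$1/$2.wdgt/Info.plist"
    printf '</dict>\n</plist>\n' >> "$1/$2.wdgt/Info.plist"
}

# Demo on constructed bundles (identifiers below are made up for the example).
demo=$(mktemp -d)
make_sample_widget "$demo" Calculator com.apple.widget.calculator
make_sample_widget "$demo" Weather    com.apple.widget.weather
make_sample_widget "$demo" FreeStuff  org.example.freestuff
list_widgets "$demo"
rm -rf "$demo"
```

Run it against ~/Library/Widgets to see what a user (or Safari on their behalf) has installed; anything listed as third-party is what the red mark in the Widget Manager points at. Locking the folder against installation, as the Preference Pane does with ACLs, is a separate, Mac-specific step and is not covered by this script.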

You can download it here. The software is donationware and is provided without license or warranty of any kind.

Apple should have shipped something like this in Tiger.

UPDATE:
It seems that Build 8C40 (10.4.2) now includes a Widget Manager, according to thinksecret.com.

Dashboard and Security, part II

Posted by Jonathan

Somebody on Full-Disclosure posted that there is a new vulnerability in Dashboard. He describes a malicious Widget that waits until the user uses sudo and then uses sudo itself to obtain superuser rights.

This is not a “first-class” vulnerability like a buffer overflow or a format-string bug. The same could happen with any other application on any other Unix. Just remember that Widgets are (or can be) full-featured applications. They run as the local user and therefore have only that user’s rights. But like any other application they can use sudo and the password grace period configured in /etc/sudoers to obtain root privileges (see timestamp_timeout in the man page).

The only thing Apple can be “accused” of is that they enabled the password grace option. Disable it if you are paranoid. Do not download and install every Widget on the net, just as you do not download and run every application out there.
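To make the grace period concrete, here is an added example (my own script, not the poster's, Apple's or the Full-Disclosure author's) that reads a sudoers file and reports whether the password grace period is on. It assumes sudo's compiled-in default of 5 minutes when no Defaults line sets timestamp_timeout, and it works on constructed sample files; on a real Mac you would point it at /etc/sudoers, which only root can read.

```shell
#!/bin/sh
# Added example: inspect a sudoers file for the password grace period
# (timestamp_timeout) that the post describes. Sample files are constructed
# below; on a real system point it at /etc/sudoers (root-readable only).

# Print the effective timestamp_timeout in minutes for the sudoers file $1.
# sudo's compiled-in default is 5 minutes when no Defaults line sets it
# (assumption for this example; check "sudo -V" on the host to be sure).
# Comment lines are skipped; if the option appears several times the last
# one wins, as sudo applies Defaults lines in order.
sudo_grace_minutes() {
    awk '
        BEGIN { t = 5 }
        /^[ \t]*#/ { next }
        /^[ \t]*Defaults/ && /timestamp_timeout/ {
            v = $0
            sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "", v)   # keep text after "="
            sub(/[^-0-9.].*/, "", v)                         # keep the number only
            if (v != "") t = v
        }
        END { print t }
    ' "$1"
}

# Summarise the setting from a defender's point of view.
sudo_grace_status() {
    t=$(sudo_grace_minutes "$1")
    case "$t" in
        0)  echo "disabled"        ;;   # password asked on every sudo
        -*) echo "never-expires"   ;;   # negative value: cached credential never times out
        *)  echo "enabled:${t}min" ;;   # the window the post's malicious Widget relies on
    esac
}

# Demo on constructed sudoers snippets (not copied from any real system).
tmp=$(mktemp -d)
printf 'Defaults env_reset\nDefaults timestamp_timeout = 15\nroot ALL=(ALL) ALL\n' > "$tmp/lax"
printf '# hardened: ask every time\nDefaults env_reset,timestamp_timeout=0\nroot ALL=(ALL) ALL\n' > "$tmp/strict"
printf 'root ALL=(ALL) ALL\n' > "$tmp/default"
for f in lax strict default; do
    printf '%s: %s\n' "$f" "$(sudo_grace_status "$tmp/$f")"
done
rm -rf "$tmp"
```

The hardened setting is the line `Defaults timestamp_timeout=0` in /etc/sudoers (edited with visudo), which makes sudo ask for the password on every invocation, so a process that merely shares the user's session gains nothing from an earlier sudo.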

With 10.4.1 Apple fixed the auto-install feature of Widgets. Now malicious Widgets cannot get onto your computer without user interaction.

If the user behaves stupidly, it is not Apple’s fault. But they should remind the user of the possible harm in newly downloaded files, and with 10.4.1 they do.

Apple's Dashboard and Security

Posted by Jonathan

It was only a matter of time until somebody found out how to misuse Dashboard Widgets.

If you download a Widget with Safari, Safari will install it automatically unless you have disabled the “Open safe files after downloading” option. Safari installs it into ~/Library/Widgets.

Actually, Widgets can get really nasty, as there is no way to uninstall them other than deleting the Widget from ~/Library/Widgets. There is no way to do this from Dashboard. You can do bad things with Widgets, and one guy made a proof-of-concept. Imagine porn Widgets that automatically load sites and log your password…

DO NOT CLICK ON THIS PAGE unless you have disabled the “Open safe files” feature or you do not use Safari. This page will auto-install a Widget that can only be removed by deleting it and rebooting.

Hopefully Apple will react and change the recent MS-like behaviour of “default-install-without-asking”.

Discussion and more on Slashdot