On May 11, 2005, at 10:03 PM, Lee Larson wrote:

> It looks as though Apple has gotten caught in an uncomfortable place 
> with Dashboard. It turns out that the default install of Tiger+Safari 
> has opened up a potentially nasty security hole. Several people have 
> demonstrated that Safari can be used to install a Widget in the 
> Dashboard in the background while you are looking at a Web page. If 
> you're running Tiger, go into your Safari preferences and turn off the 
> feature letting it run "safe" files.
>
> Here's an example of one of the wicked widgets. (I have put in an 
> extra xxx- to make sure nobody blindly clicks it.) It's safe to look 
> at the page with non-Safari browsers.
>
> <html://xxx-stephan.com/widgets/zaptastic/>
>

It is a bit surprising this was not caught in testing with all of the 
recent attention being paid to script 'sploits.

> From the beginning the Dashboard looked like a pretty lame feature to 
> me, but now I'm very underwhelmed with its security. For some reason 
> Apple is going out of its way to avoid putting multiple/extended 
> desktops in Mac OS X, and is instead relying on flashy, dubious 
> desktop layering with Dashboard and Exposé. Every other Unix desktop 
> has this right, and Apple is stubbornly refusing to admit a mistake.
>
> Or maybe The Steve thinks multiple desktops are too complicated for 
> his users.

Ah shucks Lee, that's an easy one. Just create five (or more) users 
with the same admin privies, and same root-level app database access 
and then use fast user switching (really big grin). Maybe Apple is 
going to release the Aqua hooks so that 3rd party folks can do this 
similar to the multi-dock doo-hickies that are out there. But, yup, KDE 
and Gnome had this right a long time ago.

                        Jerry

-----------------------------------
Someday, I will come up with a clever signature line. I am not sure if 
I will use it or not, but I will come up with one.




| The next meeting of the Louisville Computer Society will
| be May 24. The LCS Web page is <http://www.kymac.org>.
| List posting address: <mailto:macgroup at erdos.math.louisville.edu>
| List Web page: <http://erdos.math.louisville.edu/macgroup>
