updated 08:45 am EDT, Mon May 23, 2005
Despite a recent patch to address a security exploit involving Dashboard widgets, security concerns remain with the Mac OS X feature, software engineer Jonathan Zdziarski says. By allowing widgets to run with "sudo privileges," Apple has taken a "Microsoft stance" to security. "Those widgets should never be allowed to get administrative access on the system," Zdziarski said in an interview. "It is one of the few tools that is completely built into the operating system." A malicious widget, once installed, can run in the background and wait until the user logs in as an administrator. It can then hijack those credentials to deliver its payload, Zdziarski said. The Mac OS X 10.4.1 update adds a confirmation message for widget downloads, but does not change the potential for a malicious widget to do harm once downloaded, Zdziarski says.