Widgets, Security, and Freedom of Choice
Dashboard is one of the new features in Tiger that is capturing the imagination of upgraders. Dashboard runs when you click on the new Dashboard icon (mounted on the Dock during the Tiger installation) or punch the F12 key. When you do, the screen dims and up pops widgets, small applications that hunt down the weather forecast, access your address book, perform calculations or almost anything else you can imagine. While Tiger comes with a little over a dozen of them loaded, you can download more at the Apple website.
Installing a widget is easy. You just double-click the Widget after you download it, and it’s done. You won’t see it install, but next time you run Dashboard it will be there. But after that, they’re most un-Mac-like. You can uninstall most Mac applications by dragging them to the Trash. According to Apple, though, you can’t uninstall Widgets at all.
That’s not exactly true. You can uninstall a widget manually by navigating to the ~/Library/Widgets folder and dragging it to the Trash. The ones from Apple are located in the “Main Volume”/Library/Widgets folder. ("Main Volume" is what I'm calling my boot disk; on my machine, it's named "Macintosh HD".) The ones you load after installing Tiger are in the User/Library/Widgets folder, where “User” is your account name.
I haven’t tried taking any of them out of either folder; so, especially when removing them out of the "Main Volume/Library/Widget" folder, it would not surprise me if you need root access to accomplish it.
Several Mac newsites today carried an article about a demonstrated security vulnerability that widgets can be used to exploit. Unlike everything else you install on a Mac, you are not asked for your password when installing a widget. This opens the door to a malevolent widget being installed that could perform an unwanted function. Apple needs to fix this problem by having everything that can be installed on the computer request a password. Including widgets. Especially widgets!
This is no time to get sloppy, Apple. When it comes to Widgets, though, the execution looks like a page out of the Microsoft playbook.
Who needs that?
Installing a widget is easy. You just double-click the Widget after you download it, and it’s done. You won’t see it install, but next time you run Dashboard it will be there. But after that, they’re most un-Mac-like. You can uninstall most Mac applications by dragging them to the Trash. According to Apple, though, you can’t uninstall Widgets at all.
That’s not exactly true. You can uninstall a widget manually by navigating to the ~/Library/Widgets folder and dragging it to the Trash. The ones from Apple are located in the “Main Volume”/Library/Widgets folder. ("Main Volume" is what I'm calling my boot disk; on my machine, it's named "Macintosh HD".) The ones you load after installing Tiger are in the User/Library/Widgets folder, where “User” is your account name.
I haven’t tried taking any of them out of either folder; so, especially when removing them out of the "Main Volume/Library/Widget" folder, it would not surprise me if you need root access to accomplish it.
Several Mac newsites today carried an article about a demonstrated security vulnerability that widgets can be used to exploit. Unlike everything else you install on a Mac, you are not asked for your password when installing a widget. This opens the door to a malevolent widget being installed that could perform an unwanted function. Apple needs to fix this problem by having everything that can be installed on the computer request a password. Including widgets. Especially widgets!
This is no time to get sloppy, Apple. When it comes to Widgets, though, the execution looks like a page out of the Microsoft playbook.
Who needs that?
posted by Andy Foster at
9:12 PM
0 Comments:
Post a Comment
<< Home