Sterling Ambivalence (sterlingnorth) wrote,

The exact same mistake...

Imagine this.

You're using your computer, browsing the web. You land on a website, and it asks you to install some cool enhancement to your computer. You say "OK!", why not? Then you run it.

It now occasionally pops up some advertisement, commandeers your toolbars, and you can't figure out how to uninstall it.

Another day in the life of Windows?

Almost. This is a vulnerability in Apple's OS X 10.4 "Tiger", specifically in the Dashboard feature.

Here's the funny thing: This is the exact same mistake Microsoft made when they integrated Windows into the web browser through ActiveX in 1997, making ActiveX the preferred way of installing spyware and trojans in Windows since 1998. The recipe: provide an incredibly easy way to install dangerous programs from the net, allow them too much access to the system, and make them exceedingly difficult to uninstall.

As of right now, you cannot easily uninstall Apple widgets. It takes a trip to the ~/Library/Widgets/ folder and then rebooting Windows...I mean OS X to get the dread out.

You see, most spyware and adware gets installed by users clicking "YES" to something innocent-sounding, not by buffer overflows or secret auto-install flaws in IE. Users blindly clicking OK. Now, widgets can't run unless told to by the user, but then all that is needed is to make the widget look like an innocent thing to run.

This is Apple making the exact same mistake Microsoft made, a mistake some Mac users gloat over when they say Windows is inherently insecure.

You can easily disable the automatic installation of bad widgets by turning off the "Open 'safe' files after download" feature in Safari, but now Mac users are going to have to be very careful with what they open. Much like us on the inferior OSes.
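As an added example (my own script, not from this post), here is a small audit that checks the two things mentioned above on a Tiger-era Mac: whether Safari will still auto-open "safe" downloads, and what widget bundles are sitting in the user's ~/Library/Widgets/ folder so an unexpected one can be spotted and removed. It assumes the Safari preference is stored under the com.apple.Safari domain as the key AutoOpenSafeDownloads (a real key, though the post does not name it) and that Dashboard widgets are bundles ending in .wdgt.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: Safari keeps the
# "Open 'safe' files after download" setting in com.apple.Safari under the
# key AutoOpenSafeDownloads, and Dashboard widgets are *.wdgt bundles.

# Report whether Safari will auto-open "safe" downloads. Prints "enabled",
# "disabled" or "unknown" (no `defaults` tool, e.g. off-macOS, or key unset).
safe_downloads_state() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo unknown; return
    fi
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
    case "$v" in
        1|true|YES) echo enabled ;;
        0|false|NO) echo disabled ;;
        *) echo unknown ;;
    esac
}

# List widget bundles (*.wdgt) under a directory, one name per line, so an
# unexpected one stands out. Usage: list_widgets DIR
list_widgets() {
    dir=$1
    [ -d "$dir" ] || return 0
    for w in "$dir"/*.wdgt; do
        [ -e "$w" ] || continue          # glob matched nothing
        printf '%s\n' "$(basename "$w" .wdgt)"
    done
}

# Number of widget bundles under a directory (0 if it does not exist).
count_widgets() {
    list_widgets "$1" | wc -l | tr -d ' '
}

# Run the audit against the current user when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    echo "Safari auto-open 'safe' downloads: $(safe_downloads_state)"
    echo "Widgets in $HOME/Library/Widgets ($(count_widgets "$HOME/Library/Widgets")):"
    list_widgets "$HOME/Library/Widgets"
fi
```

Anything listed that you did not knowingly install is a candidate for removal from that folder, which is the manual uninstall the post describes.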

The proof of concept is at
Tags: apple