Dashboard Widget Malware? A user's response

May 10th, 2005

Here’s my response to the article on news.com regarding the potential for malicious Dashboard widgets. Quotes are taken directly from the article.

…but within days of its public release, one developer claims to have already found a way to turn widgets into potential malware.

Deep down, I think we were all aware that a new level of operability, based on web technologies, would be exploitable.

According to Stephan’s blog: “I happen to like (auto-install). I think it’s a great thing. But, as I have demonstrated here, it has the side effect of setting up a situation where a user can be given an application without their knowledge.

Perhaps Mac users have been more guilty of leaving default auto-install options on, because we thought we were (virtually) immune to malicious attacks. I know I have downloaded self-extracting zip files from what I believed to be reputable sites. Maybe it’s time to turn off that feature, useful though it is, particularly for widgets. My own review here says how easy it is for widgets to be installed (though not actually activated automatically).

“That’s not such a big deal; by default, widgets can’t do much damage, and they can’t run unless you drop them into your dashboard. The funny thing is that once that widget is there, according to Apple, you CANNOT remove it.”

I thought that was odd when I read it in the Apple help files – I hope that situation changes in a future Apple release of the Dashboard – if nothing else it sorts out clutter.

Widgets cannot be removed directly from the toolbar, but they can however be deleted from the Library folder.

This is true, but…

“The average user, who can’t find their Library folder with two mice and a spotlight, is stuck. It would take all of 30 seconds for me to pick out a nice porn image, make it the icon of a widget, drop it in your dashboard and you’re stuck with it. It doesn’t even need any Javascript,” Stephan added.

This I can believe.

Stephan has also created the zaptastic_evil widget, which redirects the user’s browser to a Web site every time the widget Dashboard is launched–and drops the user out of Dashboard, preventing the widget from being closed.

I wasn’t aware of widgets automatically launching actions without the user interacting with them in some way. This would be very irritating.

A fellow blogger, going by the name of Aaron, has created a series of widgets that closely resemble Apple’s own set of widgets and can be used to displace the genuine ones. One of these fake widgets can run with full system access without the user’s express permission.

We need to be very careful where we download these widgets from, and don’t let anything auto-install or auto-unpack. Learn how to check the Library folder frequently. I am guessing these things are not going to show up in antivirus software any time soon, if at all.

Apple declined to comment for this report.

This is not unusual – they are potentially working on a patch already. I don’t have a problem with them not responding to these articles – what are they going to say except they are aware of it (of course they are) and they’re working on it (ditto)?

Despite the potential for mayhem, Mac users can simply kill the widgets by deleting them from their Library folder, and using Activity Monitor to kill any instance of the widget already running.

Generally, it will be simple, but that will depend on the level of knowledge of the user. Any widget which can take control of the whole system (wouldn’t it need to know the administrator/superuser password? No one actually does their day-to-day work in superuser mode or without a password, do they??) may pose a different threat. It could make itself effectively undeletable to all but the superuser.

Mac users need to step up their vigilance. There has been a culture of ‘it can’t happen to us’ which is, sadly, not true. It never was true, though the risks were minimal. Don’t take it for granted that everything you download for your Mac is safe, and won’t harm your system. Sensible PC users know this; all computer users should learn.
