Widget security: fact and fiction
The recent Dashboard: Widget (In)Security article raises some interesting and valid concerns about Tiger’s new Dashboard widgets. Of particular concern is the fact that a widget can do anything in your user space that you can do—including erasing files, changing ownership and permissions, running AppleScripts and command-line utilities, and so forth.
These are certainly scary things to consider, especially given Apple’s marketing focus on the “warm and fuzzy” nature of widgets. However, I worry that the article may spread a bit more concern over the dangers of widgets than there actually should be.
Why do I say that? Consider for a moment not a widget, but a regular application. Applications have the ability to do everything widgets can do… and much more. Recall the last time you installed an application. You probably put it in the system-wide Applications folder—so now any user can run it. You may have also been asked to provide your administrative password as part of the installation process. But did you stop to consider that this application could do anything at all it wants to when you double-click it? Perhaps you did, but most of us have become so accustomed to just downloading, installing, and using applications that we may not have given it a second thought.
But what if the application’s author had malicious intentions? In that case, you’re in big trouble. During installation, especially if you provided your admin password, the program could have installed, for instance, a background process that logs all your keystrokes and then sends them out to a collection server. Or it could have a time bomb coded inside the program, such that on your 35th launch of the application, it deletes your entire user’s directory. Many more such things are possible, especially given that application authors have access to the full power of OS X’s development environment. (François Joseph de Kermadec has a good write-up on this comparison of applications and widgets in his O’Reilly Developer Weblog if you’d like even more detail on the subject.)
And yet, despite the scary capabilities of third-party applications to completely destroy our machines, we continue to download and use them. And we probably do so without digging into their package contents or grepping files for commands that might erase files. Why? Because we trust the source of the program, and the programs do useful things for us. Widgets are exactly the same as applications in this sense: while they are truly useful, they have the power to damage our machines.
Second, trust your sources: don’t be the first on the block to download a new widget or application. Don’t get programs from peer-to-peer networks. Read the reviews on Macworld , check the comments on the various software update sites, use Google to research the program in question. If a program you’re installing is asking you for your administrative password, try to find out why—is it because it writes something to a protected directory? E-mailing the author is often the best way to get the answer to this question.
And finally, back up your key files! This is probably the most prudent advice of all—if you have a good, current backup, then even the most destructive of widgets or applications will only cause you a bit of lost time to restore your backup. Without a good backup, you’ll be in much worse shape.
I do think Apple needs to update Safari so that safe downloads are not enabled by default—enabling this feature was a very unwise move on the company’s part. I also think the system should notify you via a pop-up dialog box if a new widget or application is added to the Widgets or Applications directories, and you haven’t been involved in the process (that is, you didn’t initiate the process nor respond to a dialog box). And there should be an easy way to remove a widget from the Dashboard bar, so users don’t have to dig into folders in the Finder to do so.
But I don’t want Apple to start limiting the power of widgets, because if they do, widgets will be less useful. What’s more, overall system security won’t be much better—applications will still have the ability to do whatever they want, for example. Do we then start limiting applications’ capabilities, for fear of malicious programs?
But even if Apple doesn’t change anything, am I going to lose any sleep over the apparent malicious capabilities of an evil widget? Certainly not any more than I lose worrying about malicious applications—which is to say, none.
Update: After posting this blog entry, I saw a new page with some additional Dashboard concerns. While this doesn’t change my overall conclusion that widgets are not inherently more dangerous than any application, it does point out a couple of new things that Apple really must address.
First, a malicious widget can replace a system-provided widget simply by using the same name—the user’s widgets take precedence over the stock widgets. Second, and even worse, if a widget has been auto-installed via Safari, there’s no warning about the privileged nature of the widget. Finally, the page discusses a method of privilege escalation that could theoretically allow a widget to run with root privileges without any user intervention. Taken together, these bugs would allow a malicious developer to do some nasty stuff, especially for those who haven’t disabled Safari’s auto-install feature.
If you do nothing else, please disable Safari’s auto-install option. Until Apple releases some updates, that (or using another browser that won’t auto-install) is your best protection, short of not adding any new widgets to your system.