The Null Device

Attack of the Dashboard Widgets

You know those nifty "Widgets" that MacOS X 10.4 supports; those lightweight HTML/JavaScript objects that sit on a special desktop layer and can show you the weather/train timetables/your iTunes playlist/how all those APPL shares you bought are doing? Well, they can automatically install themselves without your consent, as this page demonstrates. The author even provides a goatse.cx widget (not auto-installed, mercifully) to underscore the potential for mayhem.

Meanwhile, a carefully-constructed trick webpage can cause Firefox to execute arbitrary code on any platform (such as, say, installing rootkits or botnet clients). The Mozilla Foundation have patched this, though it's not in the Debian distro yet.

There are 2 comments on "Attack of the Dashboard Widgets":

Posted by: datakid http:// Sun May 8 23:06:47 2005

It's odd that you would mention debian - is that what you are running? Or is that what dev\null is served from?

Posted by: acb http://dev.null.org Mon May 9 10:32:53 2005

That's my distro of choice, and is used both on dev.null.org and my desktop Linux box.

Want to say something? Do so here.

Post pseudonymously

Display name:
URL:(optional)
To prove that you are not a bot, please enter the text in the image into the field below it.

Your Comment:

Please keep comments on topic and to the point. Inappropriate comments may be deleted.

Note that markup is stripped from comments; URLs will be automatically converted into links.