OSX's widgets may contain malicious payloads that get automatically installed.
Mac users who have upgraded to Tiger - beware of widgets bearing gifts. Several sites on the web have been reporting on the possible use of 'malicious widgets', after Stephan Meyers created a pseudo-malicious widget to highlight the dual issues of OSX's auto-installation of the small progettes, and the fact you can't remove them from the dashboard. Wired has this:
A security hole in Dashboard could expose users of Apple Computer's new Tiger operating system to attack, and may put personal information like passwords and credit card data at risk.
A new feature of Mac OS X Tiger, Dashboard is a suite of simple programs called widgets that often access information on the internet. Tiger comes preloaded with 14 widgets, including a world clock, a dictionary and a weather station.
For the convenience of users, most widgets automatically install themselves. But experts fear any program that auto-installs is ripe for exploitation.
More here.
Apparently, as a workaround, you can eliminate a rogue widget from your drive by deleting its file in the /Library/Widgets/ folder, or you can use the Widget Manager that is mentioned in the article. However, it's not the best situation for many users. After upgrading to Tiger I downloaded widgets left, right and centre (I couldn't do without a hula-girl or two on my desktop), but this will make me think twice before downloading any more unless I'm sure of the source.
What about you?