
Widget auto-install = huge security hole? (Page 3)
CharlesS
Posting Junkie
Join Date: Dec 2000
May 10, 2005, 11:42 PM
 
sorry, double post
( Last edited by CharlesS; May 11, 2005 at 12:10 AM. )
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 10, 2005, 11:43 PM
 
Sorry, triple post. Database being "interesting" again?
( Last edited by CharlesS; May 11, 2005 at 12:10 AM. )
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 10, 2005, 11:46 PM
 
^ My God, it just gets better and better.

Anyone want to try to claim that this isn't a serious issue?

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 10, 2005, 11:49 PM
 
The rabbit hole just goes deeper.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
May 11, 2005, 12:11 AM
 
Originally Posted by CharlesS
Anyone want to try to claim that this isn't a serious issue?
That's a serious issue.
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 11, 2005, 12:47 AM
 
Posted information about this new discovery to Apple's discussion board (someone else made a new thread); countdown to lockination in T minus 10...9...8....
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 11, 2005, 02:36 PM
 
Holy shit...say it ain't so...

From the Ars thread:

Originally posted by Stef:
Originally posted by mithras:
So an evil look-alike widget can completely displace the Apple widget from the Dashboard Bar -- there will be no trace of your original Stickies widget in the Bar -- and as before, acquires full system access with no prompt.

Now make that widget start Apache, publish itself on the web and email the link to the whole address book and


Example updated.
Say it ain't so?
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 11, 2005, 03:07 PM
 
Originally Posted by alphasubzero949
Say it ain't so?
Well, I think you might need root access to start Apache, but other than that, it can easily do all the things that Mithras said.

Everyone, send e-mail to Apple, letting them know about this!

     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 11, 2005, 03:12 PM
 
You could just run Apache as the user, on a port > 1024.
     
romeosc
Mac Elite
Join Date: Oct 2000
Location: Memphis, Tn. USA
May 11, 2005, 03:42 PM
 
Unfortunately the Genie is out of the bottle... We can no longer feel safe downloading that neat new widget someone told you about. It may be a Trojan that doesn't activate until more poor suckers download and install!

Never be on the cutting edge... you leave bleeding!


I'm waiting until everyone else gets screwed before I try anything new!
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
May 11, 2005, 03:51 PM
 
Originally Posted by romeosc
Unfortunately the Genie is out of the bottle... We can no longer feel safe downloading that neat new widget someone told you about. It may be a Trojan that doesn't activate until more poor suckers download and install!

Never be on the cutting edge... you leave bleeding!


I'm waiting until everyone else gets screwed before I try anything new!
Now wait, romeosc, let's not panic here. The thing that people are worried about most is the surreptitious auto-installation of malicious widgets. People are not nearly as concerned about the prospect of regular widgets containing malicious code. For years now we have gotten accustomed to downloading Mac shareware and freeware from various people and companies, and the truth is that any of those programs could contain malicious code. They could, but they don't. In fact, aside from the auto-install vulnerability, widgets are actually safer than regular applications because they are sandboxed, and the user is prompted the first time a widget tries to get out of that sandbox and gain wider access to the system. While it's prudent to exercise some caution with all untrusted applications, let's not blow things out of proportion.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 11, 2005, 11:38 PM
 
^ What he said. Just turn off "safe" files and you're safe from this particular exploit.

     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 12, 2005, 03:35 AM
 
Nice to see that Apple is repeatedly deleting any threads about this security issue on their boards as if they're trying to sweep this under their rug. The level 3 and 4 peeps over there don't seem to fully understand the ramifications of this exploit, as they keep drowning out the concerned with the canned "just turn off 'safe' file downloading and all will be well" responses.

My posts about the latest issues related to this exploit (loading order and ability to run system commands) have also been deleted.
     
workerbee
Mac Elite
Join Date: Jul 2001
Location: Switzerland
May 12, 2005, 06:56 AM
 
Originally Posted by alphasubzero949
My posts about the latest issues related to this exploit (loading order and ability to run system commands) have also been deleted.
This explains why I haven't been able to find 'em...

Maybe it's time someone told Apple that the "cat is out of the bag", as we say here, and that deleting discussion threads about it won't keep it secret or anything... it's been quite widely discussed on the web.
MBP 15" 2.33GHz C2D 3GB 2*23" ACD
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 12, 2005, 12:15 PM
 
That is one of the reasons why I almost never visit Apple's site for bug resolution. If it's a small bug, one can usually find help elsewhere just as quickly as on that site, and if it's a serious problem, like this is, then they just delete it.

Bloody useless. Once something hits Slashdot, the entire world knows about it.
weird wabbit
     
workerbee
Mac Elite
Join Date: Jul 2001
Location: Switzerland
May 12, 2005, 02:33 PM
 
Originally Posted by theolein
Bloody useless. Once something hits Slashdot, the entire world knows about it.
Bye bye OS X security reputation: another vulnerability found, this time in QT7 / Quartz Composer.

I wonder if you'd find that for long on discussions.info.apple.com?
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 12, 2005, 02:46 PM
 
Heh.
     
piracy
Mac Elite
Join Date: Mar 2001
May 12, 2005, 03:05 PM
 
Mac OS X 10.4.1 adds widgets to the standard "<File> contains an application. Are you sure you want to download <file>?" prompting process if "Open 'safe' files after downloading" is still enabled.

If the user chooses to answer yes, the widget will still be downloaded and moved to ~/Library/Widgets. It still must also be manually run by the user. This removes the "notificationless" nature of the default widget download process; it's up to the user as to whether they trust the download, as is the case with every other download on all platforms.
     
piracy
Mac Elite
Join Date: Mar 2001
May 12, 2005, 03:15 PM
 
Originally Posted by workerbee
Bye bye OS X security reputation: another vulnerability found, this time in QT7 / Quartz Composer.

I wonder if you'd find that for long on discussions.info.apple.com?
*Sigh*

Bye bye indeed.

I'm sorry to tell you this, but there are numerous theoretical and applied vulnerabilities in various components of Mac OS X. What matters is Apple's response.

To say nothing of the fact that NONE of these comes anywhere close to rising to the level of the malware for Windows, particularly the automated vector worms and remote attacks. Not to mention that the QuickTime exploit doesn't actually provide system access; it can just send certain local information (NOT including anything that can grant system access) to a URL. A flaw? Yes. An even remotely big one? LOL! F*ck no, not even close.
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 12, 2005, 03:28 PM
 
Originally Posted by piracy
Mac OS X 10.4.1 adds widgets to the standard "<File> contains an application. Are you sure you want to download <file>?" prompting process if "Open 'safe' files after downloading" is still enabled.

If the user chooses to answer yes, the widget will still be downloaded and moved to ~/Library/Widgets. It still must also be manually run by the user. This removes the "notificationless" nature of the default widget download process; it's up to the user as to whether they trust the download, as is the case with every other download on all platforms.
Sounds like the appropriate fix. All the other flaws were downstream, and irrelevant if the auto-install flaw is fixed.

It's been a while since the last major automatic worm on Windows, hasn't it?
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
May 12, 2005, 05:04 PM
 
Yep, it's been a while since Sober.P haunted the net - last weekend
JLL

- My opinions may have changed, but not the fact that I am right.
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
May 12, 2005, 08:27 PM
 
According to AI, 10.4.1 fixes the Dashboard issue:
http://www.appleinsider.com/article.php?id=1073
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 12, 2005, 09:02 PM
 
Originally Posted by alphasubzero949
According to AI, 10.4.1 fixes the Dashboard issue:
http://www.appleinsider.com/article.php?id=1073
Just as piracy pointed out three posts above.
     
sieb
Dedicated MacNNer
Join Date: Jan 2005
Location: Under Your Stairs
May 12, 2005, 09:41 PM
 
I think this is all blown way out of proportion, just like every other vulnerability announced anymore. "Firefox has a SERIOUS vulnerability..." "IE has a SERIOUS vulnerability that can take over your WHOLE MACHINE..." "OSX Widgets can ruin your machine!..." Why does EVERYONE get so worked up over every single vulnerability announced, as if it's something new? I have more important things to worry about instead of listening to all the worthless FUD that pervades the internet. There is nothing different from Safari downloading a script or Mail.app downloading an attachment that can possibly attempt to rm -r *.* your drive. Every time you get on the internet, you walk into the fire; why is this any different? Everyone on the internet is out to get you... *rolls eyes*

*changes the channel*
Sieb
Blackbook
(2Ghz, 2GB, 100Gig, week 21)
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
May 12, 2005, 09:52 PM
 
Originally Posted by sieb
I think this is all blown way out of proportion, just like every other vulnerability announced anymore. "Firefox has a SERIOUS vulnerability..." "IE has a SERIOUS vulnerability that can take over your WHOLE MACHINE..." "OSX Widgets can ruin your machine!..." Why does EVERYONE get so worked up over every single vulnerability announced, as if it's something new? I have more important things to worry about instead of listening to all the worthless FUD that pervades the internet. There is nothing different from Safari downloading a script or Mail.app downloading an attachment that can possibly attempt to rm -r *.* your drive. Every time you get on the internet, you walk into the fire; why is this any different? Everyone on the internet is out to get you... *rolls eyes*

*changes the channel*
Good luck with that reading disability.

There has been some overreaction, but we're discussing an issue here. And it looks as though, thanks to the noise, Apple plans to fix it soon. Hooray for us noisemakers, I say.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 12, 2005, 10:34 PM
 
Boston Globe contacted me for a short piece, so the story still has some legs, apparently. Apple does deserve a rap on the knuckles for this -- it wasn't just some buffer overflow that was overlooked, it was an intentional -- and obviously hazard-prone -- feature that wasn't thought through.
     
sieb
Dedicated MacNNer
Join Date: Jan 2005
Location: Under Your Stairs
May 12, 2005, 11:02 PM
 
Has anyone actually tried to make a malicious widget? I thought they were nothing more than web code? If that were the case, there's nothing different between them and regular malicious web code. There is nothing new here, just a different package. If this is so glaring, why wasn't anything said during beta testing? If no one said anything during beta, then it's not solely Apple's fault. I hardly see this as intentional. If Apple is deleting threads, they are only trying to control the situation so it doesn't boil over while they are working on a fix. Live in fear, Apples are not invulnerable! Welcome to the party..
     
Peter B.
Fresh-Faced Recruit
Join Date: May 2005
May 13, 2005, 12:21 AM
 
Mithras:

(As if you needed telling...)

Please post a link to the Globe piece as soon as it's available.

Thanks.

Peter B.

-----
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 13, 2005, 01:00 AM
 
Originally Posted by sieb
Has anyone actually tried to make a malicious widget? I thought they were nothing more than web code? If that were the case, there's nothing different between them and regular malicious web code. There is nothing new here, just a different package. If this is so glaring, why wasn't anything said during beta testing? If no one said anything during beta, then it's not solely Apple's fault. I hardly see this as intentional. If Apple is deleting threads, they are only trying to control the situation so it doesn't boil over while they are working on a fix. Live in fear, Apples are not invulnerable! Welcome to the party..
It's been explained enough times already in this thread that if you do not understand it by now, you are beyond help.

     
workerbee
Mac Elite
Join Date: Jul 2001
Location: Switzerland
May 13, 2005, 01:12 AM
 
Originally Posted by sieb
Has anyone actually tried to make a malicious widget?
If you'd read threads before posting, you'd already set Safari preferences to Open "safe" files after downloading -- the default setting -- and been here *.

After that, open the "Stickies" widget.

Still reading? Good:
* = This page explains what will happen to you, and how you can kill the "evil" sticky. You may want to read it beforehand, especially the big red bold bit at the bottom.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
May 13, 2005, 02:33 AM
 
Originally Posted by sieb
Has anyone actually tried to make a malicious widget? I thought they were nothing more than web code?
No, they are not "nothing more than web code". Widgets are basically applications and they need to be treated by the user as such.
     
sieb
Dedicated MacNNer
Join Date: Jan 2005
Location: Under Your Stairs
May 13, 2005, 03:39 AM
 
Originally Posted by CharlesS
It's been explained enough times already in this thread that if you do not understand it by now, you are beyond help.
My bad, just reread through the whole thread again.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 13, 2005, 05:17 AM
 
Originally Posted by JLL
Yep, it's been a while since Sober.P haunted the net - last weekend
Sober.P isn't an automatic worm. It is a zipped mail attachment that you have to run yourself. While it is wildly destructive (it overwrites AV files amongst other things) it requires the user to get it to run. This is no different than it would be if someone included an attachment to a mail to OSX users with executable content.

While there are people who will laugh at so called clueless newbies who would open and run such an attachment, and possibly even be arrogant enough to say that it could only happen on Windows, there are, in reality, just as many people on OSX, percentage wise, who don't understand computers or security. The number of imbecilic responses in this thread (i.e. all those saying LOUDLY that it was no problem) prove that.

Sooner or later there is going to be a major exploit out in the wild for OSX which will wreak havoc. And Apple really isn't helping, IMO, with their recent attitude to security. Mithras is right. Apple needs a rap on the knuckles for allowing the widget hole to go through. It should have been obvious.
     
macintologist
Professional Poster
Join Date: Apr 2002
Location: Smallish town in Ohio
May 13, 2005, 05:47 AM
 
Could somebody summarize this thread?
     
chris v  (op)
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
May 13, 2005, 08:13 AM
 
Originally Posted by macintologist
Could somebody summarize this thread?
"OMG!!!!!11 WTF APLLE??/??"

"YOU ARE RONG!"

"NO YUO!1!!"

     
fisherKing
Professional Poster
Join Date: Jan 2001
Location: brooklyn ny
May 13, 2005, 05:52 PM
 
i also, i admit, have not read everything in this thread.
but i simply set my user/library/widgets folder to read only, and widgets sit on the desktop.
then i move them to my hard drive/library/widgets folder.

of course, wouldn't work for multiple-user situations...
"At first, there was Nothing. Then Nothing inverted itself and became Something.
And that is what you all are: inverted Nothings...with potential" (Sun Ra)
     
piracy
Mac Elite
Join Date: Mar 2001
May 13, 2005, 10:03 PM
 
Originally Posted by fisherKing
i also, i admit, have not read everything in this thread.
but i simply set my user/library/widgets folder to read only, and widgets sit on the desktop.
then i move them to my hard drive/library/widgets folder.

of course, wouldn't work for multiple-user situations...
Or, you could just disable "Open 'safe' files after downloading", which solves this and all other potential problems related to Safari downloads

Or, not run Dashboard widgets that have been downloaded (which requires you to notice a web page has downloaded something, which, I dare say, isn't really a feat)

Or, wait for 10.4.1, which prompts for all widget downloads.
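A way to check for the two things this stretch of the thread keeps coming back to before running anything that has turned up in ~/Library/Widgets: a user widget that shadows an Apple widget by name (the look-alike Stickies case quoted from Ars above, where the copy in ~/Library/Widgets wins the load order), and a widget whose Info.plist asks for the keys that let it leave the Dashboard sandbox (AllowSystem is what widget.system() needs; AllowFullAccess turns all of them on). This is an added example, not code from the thread or from Apple; the key names are Apple's documented Dashboard Info.plist keys, and the three widget bundles it audits are constructed in a temporary directory so it runs anywhere. On a real 10.4 machine you would point audit() at ~/Library/Widgets and /Library/Widgets instead.

```python
import os
import plistlib
import tempfile

# Apple's documented Dashboard Info.plist keys that let a widget out of its
# sandbox. AllowSystem is what widget.system() needs; AllowFullAccess grants
# everything at once. AllowNetworkAccess is left out on purpose: nearly every
# legitimate widget asks for it, so it is not a useful signal on its own.
ELEVATED_KEYS = (
    "AllowFullAccess",
    "AllowSystem",
    "AllowFileAccessOutsideOfWidget",
    "AllowInternetPlugins",
    "AllowJava",
)


def read_info(bundle):
    """Return the Info.plist of a .wdgt bundle as a dict, or {} if unreadable."""
    try:
        with open(os.path.join(bundle, "Info.plist"), "rb") as fp:
            return plistlib.load(fp)
    except (OSError, plistlib.InvalidFileException):
        return {}


def list_widgets(directory):
    """Map bundle basename -> Info.plist dict for every .wdgt in directory."""
    if not os.path.isdir(directory):
        return {}
    return {
        name: read_info(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if name.endswith(".wdgt")
    }


def audit(user_dir, system_dirs):
    """Flag user widgets that shadow a system widget or ask for elevated keys.

    Returns a list of (bundle basename, finding) tuples in bundle-name order.
    """
    sys_names, sys_ids, sys_titles = set(), set(), set()
    for directory in system_dirs:
        for name, info in list_widgets(directory).items():
            sys_names.add(name)
            sys_ids.add(info.get("CFBundleIdentifier"))
            sys_titles.add(info.get("CFBundleName"))
    sys_ids.discard(None)
    sys_titles.discard(None)

    findings = []
    for name, info in list_widgets(user_dir).items():
        # Per the thread, a copy in ~/Library/Widgets displaces the Apple
        # widget of the same name, so any collision is worth a look.
        if (name in sys_names
                or info.get("CFBundleIdentifier") in sys_ids
                or info.get("CFBundleName") in sys_titles):
            findings.append((name, "shadows a system widget"))
        granted = [key for key in ELEVATED_KEYS if info.get(key) is True]
        if granted:
            findings.append((name, "requests " + ", ".join(granted)))
    return findings


def write_widget(directory, bundle, info):
    """Create a minimal .wdgt bundle (just Info.plist) for the demo tree."""
    path = os.path.join(directory, bundle)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "Info.plist"), "wb") as fp:
        plistlib.dump(info, fp)


def build_demo():
    """Constructed sample tree, not a real system: one Apple-style Stickies
    widget in the system directory, a look-alike plus a benign widget in the
    user directory. Returns (user_dir, [system_dir])."""
    root = tempfile.mkdtemp(prefix="widget-audit-")
    system_dir = os.path.join(root, "Library", "Widgets")
    user_dir = os.path.join(root, "home", "Library", "Widgets")
    write_widget(system_dir, "Stickies.wdgt", {
        "CFBundleIdentifier": "com.apple.widget.stickies",
        "CFBundleName": "Stickies",
    })
    # Look-alike: same bundle name and title, different identifier, and it
    # asks for widget.system() access (hypothetical identifier).
    write_widget(user_dir, "Stickies.wdgt", {
        "CFBundleIdentifier": "org.example.evil.stickies",
        "CFBundleName": "Stickies",
        "AllowSystem": True,
    })
    write_widget(user_dir, "Countdown.wdgt", {
        "CFBundleIdentifier": "org.example.countdown",
        "CFBundleName": "Countdown",
        "AllowNetworkAccess": True,
    })
    return user_dir, [system_dir]


if __name__ == "__main__":
    demo_user_dir, demo_system_dirs = build_demo()
    # Real system: audit(os.path.expanduser("~/Library/Widgets"), ["/Library/Widgets"])
    for bundle, finding in audit(demo_user_dir, demo_system_dirs):
        print(f"{bundle}: {finding}")
```

Matching on three things (bundle name, CFBundleIdentifier, CFBundleName) is deliberate: a look-alike only needs one of them to line up with the Apple widget to displace it in the Dashboard bar, and a lazy copy will often reuse all three.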

     
loki74
Mac Elite
Join Date: Apr 2005
Location: Las Vegas, NV
May 14, 2005, 03:56 AM
 
This is pretty interesting... From a development standpoint, it seems to me that Widgets are little more than webcode. Under that pretense, it is easy to see why Apple would not regard them as having the damage potential of a full application. As it was stated earlier in the thread... they are essentially equal to applications. From what I've read of 10.4.1 Apple is beginning to realize this.

And this is just another reason why, as I may have said in other threads, I plan on sticking with good ol' Panther for a while. Once all these little things blow over and the other various changes occur I'll go ahead and get Tiger.

While I don't think it will be for long, this is indeed something to be alarmed about, simply because there was an underestimation of what Widgets are capable of. Once they are regarded as literally full-fledged applications, this should resolve, I predict (and hope), fairly smoothly.

"In a world without walls or fences, what need have we for windows or gates?"
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
May 14, 2005, 04:26 AM
 
The vulnerability is resolved with 10.4.1 (when it is released), loki, because Safari now prompts before auto-install when the "safe files" option is chosen. But I do agree with your assessment that Apple's geniuses screwed the pooch when they allowed this vulnerability to slip in to the GM.

     
piracy
Mac Elite
Join Date: Mar 2001
May 14, 2005, 11:59 AM
 
Originally Posted by loki74
This is pretty interesting... From a development standpoint, it seems to me that Widgets are little more than webcode. Under that pretense, it is easy to see why Apple would not regard them as having the damage potential of a full application. As it was stated earlier in the thread... they are essentially equal to applications. From what I've read of 10.4.1 Apple is beginning to realize this.
No one at Apple is "beginning" to realize anything. The autodownload and autoinstall behavior (ONLY when "Open 'safe' files after downloading" is checked, which is the default) was always the intended behavior.

However, since:

- Safari now prompts for all downloads containing an executable that will be autoexpanded, and

- Dashboard prompts for all widgets that have been run the first time (except for in this circumstance),

it was merely an oversight that there was no prompting behavior. Yes, it was ridiculous to let something like that slip, but since:

- A one-checkbox change, i.e., disabling "Open 'safe' files after downloading", COMPLETELY solves the "issue", and

- The widget must still regardless be manually and deliberately run by the user (and yes, there are ways of making it look like an Apple widget, or obfuscating it, etc., but that is beside the point), and

- The problem will be resolved in 10.4.1, which will likely be available within a couple of weeks after the issue was publicized, and

- No actual malicious attacks have occurred,

I would say this is a big, fat, non-issue.

Mac OS X will have vulnerabilities, and issues that may make social engineering exploits easier (which seems about the only way people can think of to attack Mac OS X, but that's another story...).

The issue is not whether or not there will be vulnerabilities. The issue is:

- How SEVERE the vulnerabilities are (Hint: this one isn't. Like, at all.), and

- How Apple responds

I'd say that since the problem was so easy to mitigate, and will be solved before the vast majority of installed base of Macs even *have* Tiger, this is yet another in a long string of sky-is-falling panics about some "grave" vulnerability in Mac OS X that ends up getting fixed with not one real-world person, or a statistically negligible number, at all being affected.

Keep your pants on, guys. Seriously.
     
reneb
Fresh-Faced Recruit
Join Date: Nov 2003
May 14, 2005, 01:23 PM
 
Besides what you folks have been discussing, the link on this page demonstrates how bad it can be for your box!

"This page discusses a security flaw resulting from a series of bad design choices in Safari and Dashboard in OS X 10.4, and links to a demonstration exploit."
<http://www1.cs.columbia.edu/~aaron/files/widgets/>

As you can see from the demonstration, this can be very BAD. Ok, maybe the typical user of these forums would be savvy enough to avoid the problem, but your average joe blow computer user probably won't. All Apple needs is something like this to blow up in their face and all the folks calling (waiting, hoping) for the demise of Apple will be on this like flies on sh*t.


Also, see the other relevant info at:
<http://64.70.134.217/widgets/zaptastic/>
<http://it.slashdot.org/article.pl?sid=05/05/08/2131208>
<http://rixstep.com/1/20050509,01.html>
<http://rixstep.com/2/20050510,00.html>

These latter two give a good overview of the big picture.

cheers,

rene
( Last edited by reneb; May 14, 2005 at 01:32 PM. )
     
Schmidlapper
Fresh-Faced Recruit
Join Date: Jul 2002
Location: El Paso, TX
May 14, 2005, 01:31 PM
 
I sent the following to Apple feedback. I hope the 10.4.1 does have a real fix though.

"Firstly, I have disabled the open "safe" files after downloading option, as this seems to be the only defense available for this issue. I had to learn this from somewhere other than Apple. If by clicking a web link a widget can be added to my Dashboard that looks just like an Apple widget without my knowledge (and it can), how in the world can you predict I wouldn't execute the widget? I assume you know what a widget is capable of doing in OS X better than I do. I have seen sample widgets that can erase the home directory, disable Dashboard, and hog the system, and these were just proof-of-concept samples. Please fix this: first, and most importantly, make an announcement that people should uncheck the default open "safe" files option, or issue a patch. Then, ultimately, remove widgets from the safe list, and do not let them install to the widget directory by themselves. If you are planning a certification process, that will help, but it is not a complete solution alone. Again, the fact that by clicking a web link a widget is added to the Dashboard that can look exactly like an Apple-supplied widget, completely invisible to the user by default, should scare somebody at Apple. Please do not treat this with silence, as you are getting ripped a new one all over the web and your silence is deafening."

I hope everyone sends something in other than just posting here.
     
piracy
Mac Elite
Join Date: Mar 2001
May 14, 2005, 03:08 PM
 
Can you people stop bitching about this already?

It is FIXED in 10.4.1.

End of story.

(And yes, I am fully aware that 10.4.1 is not out yet, but it will be soon. So please stop repetitively posting the same URL that has been posted a hundred times already saying how terrible this is. This is pretty tame as far as general social engineering exploits go, so please, for the love of God, calm down.)

REPEAT: this is FIXED in 10.4.1. Apple does NOT need any more feedback, as the issue is FIXED. Get it now? Christ.

Further, "Open 'safe' files after downloading" will NOT be disabled, and Apple will NOT issue a statement or warning to disable it. The fix is in 10.4.1, period. Also, the widget auto-installation will continue exactly as intended, with the exception that you will now get a prompt before it downloads (and thus subsequently installs). That is all Apple can or should do, and the rest is up to the user. After 10.4.1, this is NO DIFFERENT, fundamentally, than downloading any other type of software on your computer.
     
Schmidlapper
Fresh-Faced Recruit
Join Date: Jul 2002
Location: El Paso, TX
May 14, 2005, 07:19 PM
 
Mr. or Ms. piracy, sir or ma'am: as this is a public forum (by definition a place to discuss issues) and I am a registered member to boot, I will, as you so eloquently called it, continue to bitch as long as I do not break any forum rules.
Mr. piracy's words: "It is FIXED in 10.4.1."
It may be fixed in 10.4.1 is the best I can say as I do not yet put my faith in your remarkable insight.

"By end of story." I hope you mean your story and not everyone else.

Until a fix is out wouldn't it seem wise to let the users of Tiger know of the problem and how to fix it? I believe the people who might take advantage of this would call this a window of opportunity.

"Further, "Open 'safe' files after downloading" will NOT be disabled, and Apple will NOT issue a statement or warning to disable it."

Again you speak for Apple, and didn't you yourself say earlier,
"A one-checkbox change, i.e., disabling "Open 'safe' files after downloading", COMPLETELY solves the "issue"".
And wouldn't an official announcement by Apple to do what you yourself said to do in the interim till 10.4.1 appears, carry more weight than stumbling across it on a forum as I had to do?

And finally from your Elite Member words of wisdom I can see that you must be a religious man or woman.
There I go Bitchen some more. Sorry!

Oh and if any one else wishes to continue Bitchen please feel free to do so, or shut this damn place down.
mac mini 1.42 Ghz, 512 Meg, 80 Gig, Combo drive, BT/AE, OSX 10.4, Sony 17" LCD, Canon iP4000R printer
     
ApeInTheShell
Senior User
Join Date: Dec 2002
Location: aurora
May 14, 2005, 08:14 PM
 
This thread should have been closed two pages ago. It has nonsense and bickering and the only real solution is to report this security hole to Apple. Select users are posting their own versions of this malware widget and I do not see how this helps us understand the situation if there is one.
The website where this is posted already discusses the methods to remove the widgets, the effects, and contains the widget in question. What was your point?
     
loki74
Mac Elite
Join Date: Apr 2005
Location: Las Vegas, NV
May 14, 2005, 08:50 PM
 
piracy... it seems to me that you are one of those types that assumes that anyone pointing out any slightest flaw with Apple is some sort of Mac-hater and as a Mac user you are righteously obligated to jump in their defense, guns blazing. ...And I've been accused of being a zealot. ha.

The point of my post, particularly the phrase "beginning to realize", is by no means to harp on Apple. Now, I will repeat my point--er, my bitching. All I was trying to say is that it is understandable why Apple would not consider widgets "unsafe", given that from a development standpoint they are little more than web code. So if anything I was defending Apple's decision as best I could while maintaining the fact that it is a problem. And before you say "IT'S FIXED!!!!", ok, I know that, but has 10.4.1 been released yet? And before you say "JUST UNCHECK ONE THING!!", ok, I know that too, but does that mean that every single Mac user does?

I'll tell you what would solve it now and make Apple look way better. They post on the site a warning about this potential so everyone is informed of the issue without looking for it or stumbling upon it, just like Schmidlapper said.

I'd be the first person to defend the security features of Mac OS and the genius of the Apple design team if some PC-touting brainless know-it-all started to assert that this puts Macs on the same, lower echelon as XP. But in this forum that is simply not what's happening.

"In a world without walls or fences, what need have we for windows or gates?"
     
piracy
Mac Elite
Join Date: Mar 2001
Status: Offline
Reply With Quote
May 14, 2005, 09:34 PM
 
loki74, I understood your point. But what I meant was that this wasn't ignorance on Apple's part; it was intended. That doesn't mean there wasn't an issue surrounding this; there was. And really all that needs to take place is a prompt/notification, which there will be.

As to the other points, Apple won't be posting any notice or alert. The mechanism by which this will be fixed will be 10.4.1, which EVERY Tiger user will at least have the option of getting via Software Update, compared to the infinitesimally small number of people who would even become aware of this via an announcement. Any "announcement" on something this insignificant (and make no mistake, it is *very* insignificant as far as security issues go) should not and will not happen. The "announcement"/acknowledgment will happen in the form of the release of Mac OS X 10.4.1. If people want to freak out about still being "exposed" in the meantime, they can go for it, but there will categorically be NO announcement of any type, no matter how much feedback Apple gets (and there shouldn't be). I'm simply just telling it how it is.

I don't think people understand this issue here: this is a *social engineering exploit*. Yes, it has some unique features and could be described as a special case. But any malicious application of this requires that the user:

- visit a malicious site delivering this widget in the window of time that it is still up
- not notice that a download has taken place
- enter Dashboard and manually execute the malicious widget

There is nothing wrong with awareness and diligence. But exposure is not only a function of an exploit or issue merely existing, it is also a function of TIME. And, in the general scheme of things, a couple of weeks of exposure to a minor, manual social engineering exploit before an OS update corrects it isn't even a blip. You're *way* overreacting to this. And if you think I'm an apologist, you obviously have no idea what you're talking about and/or haven't read one of my previous posts. The fact that this is fixed in 10.4.1 is MORE than sufficient, and NO further action on Apple's part should (or will) be taken, period.
     
resuna
Fresh-Faced Recruit
Join Date: Jan 2005
Location: Houston, TX
Status: Offline
Reply With Quote
May 15, 2005, 09:32 AM
 
"What more can you do than ask whether the user wants to allow this?"

You can not do it AT ALL until the user explicitly requests that the program be installed or run. Asking the user "oh, by the way, you didn't ask me to open this file, but I think you should, so I'm going to ask you if you really want me to" doesn't do NEARLY enough to stop the spread of viruses and trojans. Microsoft keeps adding annoying prompts like this when it thinks some program (not the user) is about to do something the user should be responsible for. ALL THIS DOES IS TRAIN THE USER TO ANSWER 'YES' TO SECURITY DIALOGS.

I'm serious. I see this over and over again at work, where I spent years supporting Windows. The same people would come to me over and over again, cap in hand, saying "Peter, I'm sorry, I did it again. The box came up and I clicked OK and now I've got a virus, can you help?" I've never had a user come to me twice saying "I'm sorry, I did it again, I downloaded and installed a virus in an attachment". Once, yes, but running a program is not something you can do accidentally by automatically clicking "yes" when a routine annoying dialog comes up.

A browser must never open files in an external program unless that external program is designed to have at least as strong a "sandbox" as the browser itself. In practice that means plugins for the browser, and programs registered WITH THE BROWSER. Dashboard's sandbox is particularly porous, and it needs to be porous to do what it's supposed to do. Even if "open safe files" wasn't a bad idea, a Dashboard Widget is EXACTLY as unsafe as any other plugin that can run native code or local commands. You wouldn't expect Safari to install iTunes Visualisers or Screen Effects or Audio Units. Dashboard Widgets are no different. Dashboard isn't a funny kind of web browser, it's an application development platform, and it's never going to be a place to "open safe files" into.
レスナ
     
resuna
Fresh-Faced Recruit
Join Date: Jan 2005
Location: Houston, TX
Status: Offline
Reply With Quote
May 15, 2005, 09:39 AM
 
"Further, "Open 'safe' files after downloading" will NOT be disabled, and Apple will NOT issue a statement or warning to disable it."

I suspect you're right, but I have learned that you can't predict what Apple's going to do. Back in December I wrote: "I suspect you're right that [the $500 Mac] is a hoax. Not because [they can't do it], but because Steve Jobs' irrational antipathy to 'ugly monitors on nice Macs' is too well known... he'd much rather force Apple users to put up with lousy monitors in pretty shells than lose face by backing down on something like this."

Obviously I was wrong, and Steve Jobs had a better grasp of what Apple should do than I cynically thought he did. So while I'll agree there's some justification for your skepticism... I won't rule the possibility out.
( Last edited by resuna; May 15, 2005 at 09:42 AM. Reason: edited to cut back on the cynicism further)
レスナ
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Reply With Quote
May 15, 2005, 09:40 AM
 
Perhaps people who are incapable of reading dialog boxes should be using typewriters, resuna.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
All contents of these forums © 1995-2017 MacNN. All rights reserved.