zaptastic: blueprint for a widget of mass destruction

From zaptastic’s web site and article “Blueprint for a widget of mass destruction.”

Apple has significantly lowered the bar for malicious entities to install and execute damaging code in OSX. Honestly, I don’t think this is that big of a deal – causing real damage is likely a bit harder than I make it sound.

Ultimately, it all comes down to Gödel’s incompleteness theorem and Turing’s halting problem: you can’t predict what a program will do until you run it. There is ultimately no solution for this, and you have to strike a balance between usability and security. There will always be viruses, both in the real world and in the information world; that’s why humans have immune systems, and that’s why we get sick anyway. If there was a way around the incompleteness problem, natural selection probably would have found it a few million years ago.

I think Apple has done a pretty good job of it – the only real change I would consider is re-thinking the logic behind autoinstall, and for heaven’s sake, PLEASE provide a way to remove widgets, ideally from OUTSIDE the Dashboard. That’s just stupid. Administrators concerned about security may wish to disable installation of new widgets; from my testing at an Apple store, it appears that they do it by denying write privileges to ~/Library/Widgets/.

The rest of you… just watch your back.
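A small audit-and-lock script for the mitigation zaptastic describes (denying write access to the per-user widget directory), added here as an example; it is not code from the quoted article. It assumes the ~/Library/Widgets/ layout with *.wdgt bundles that each carry an XML Info.plist, and it uses only chmod, ls and sed so the check works on any POSIX shell rather than depending on Apple tooling.

```shell
#!/bin/sh
# Audit a Dashboard widget directory and clear its owner write bit.
# Assumed layout (from the post): ~/Library/Widgets/<Name>.wdgt/Info.plist

WIDGETS_DIR="${WIDGETS_DIR:-$HOME/Library/Widgets}"

# Print one "<bundle> <CFBundleIdentifier>" line per installed widget, so an
# administrator can see what is present even though Dashboard offers no
# removal UI. The plist is flattened with tr so key and value may sit on the
# same line or on consecutive lines, as Xcode writes them.
list_widgets() {
    dir="${1:-$WIDGETS_DIR}"
    for bundle in "$dir"/*.wdgt; do
        [ -d "$bundle" ] || continue
        plist="$bundle/Info.plist"
        id="(no Info.plist)"
        if [ -f "$plist" ]; then
            id=$(tr -d '\n' < "$plist" | sed -n \
                's/.*<key>CFBundleIdentifier<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p')
            [ -n "$id" ] || id="(no CFBundleIdentifier)"
        fi
        printf '%s %s\n' "$(basename "$bundle")" "$id"
    done
}

# Return 0 when the owner write bit on the directory is cleared, i.e. the
# user's own processes (including a browser auto-installing a widget) cannot
# drop new bundles into it. The mode string is inspected instead of `test -w`
# so the answer does not change when the check itself is run as root.
widgets_dir_locked() {
    dir="${1:-$WIDGETS_DIR}"
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        ??w*) return 1 ;;   # third character is the owner write bit
        *)    return 0 ;;
    esac
}

# Apply the mitigation the post attributes to Apple stores, then verify it.
lock_widgets_dir() {
    dir="${1:-$WIDGETS_DIR}"
    chmod u-w "$dir" && widgets_dir_locked "$dir"
}
```

Run `list_widgets` before locking to record what is installed; note that `chmod u-w` only blocks the owner, so it is a speed bump against auto-install, not a barrier against an administrator or root.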
