Dashboard Widgets: Danger

Windows is regarded as an insecure system, but the biggest problem Windows has is that users are routinely tricked into running malicious code.

When I was implementing my SNL Widget, I ran across something disturbing in the JavaScript samples I was looking at:

outString = widget.system("/usr/bin/uptime", null).outputString;

When you see a shiny new widget on a website and you're thinking about downloading it, keep in mind that widget can execute any command on your system. Mac OS doesn't warn you that the widget has this power; it simply asks if you're sure you want to run it.

This seems incredibly ripe for abuse to me. I'm surprised that Apple didn't insist on requiring that widgets be signed, or run in a sandbox, or, well, something... but instead, they've given every widget the ability to run shell commands.
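
One way to inspect a downloaded widget before installing it, as an added example that is not part of the original post: the Python script below reports whether the bundle's Info.plist sets AllowSystem (the key Dashboard uses to enable widget.system, not mentioned in the post) and lists every widget.system call in its JavaScript and HTML. The Sample.wdgt bundle and the function names are constructed for illustration.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Matches widget.system( and, when the first argument is a string literal, captures it.
SYSTEM_CALL = re.compile(r'widget\s*\.\s*system\s*\(\s*(?:(["\'])(.*?)\1)?')

def audit_widget(bundle):
    """Return (allow_system, [(relative_path, line_no, command), ...]) for a .wdgt bundle."""
    bundle = Path(bundle)
    allow_system = False
    plist_path = bundle / "Info.plist"
    if plist_path.is_file():
        with plist_path.open("rb") as fh:
            allow_system = bool(plistlib.load(fh).get("AllowSystem", False))
    calls = []
    for path in sorted(bundle.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".js", ".html", ".htm"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            for m in SYSTEM_CALL.finditer(line):
                # A command built at run time cannot be read statically; flag it anyway.
                command = m.group(2) if m.group(1) else "<dynamic>"
                calls.append((str(path.relative_to(bundle)), line_no, command))
    return allow_system, calls

def build_sample_widget(root):
    """Write a constructed sample bundle (not a real widget) for the demonstration."""
    bundle = Path(root) / "Sample.wdgt"
    bundle.mkdir()
    with (bundle / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleName": "Sample", "MainHTML": "Sample.html",
                       "AllowSystem": True}, fh)
    (bundle / "Sample.html").write_text('<script src="Sample.js"></script>\n')
    (bundle / "Sample.js").write_text(
        'function refresh() {\n'
        '  outString = widget.system("/usr/bin/uptime", null).outputString;\n'
        '}\n')
    return bundle

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        allow, calls = audit_widget(build_sample_widget(tmp))
        print("AllowSystem:", allow)
        for rel, line_no, command in calls:
            print(f"{rel}:{line_no}: widget.system -> {command}")
```

A clean result only means no call was found in plain text; it does not cover code that is obfuscated or fetched at run time.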

Be careful out there.