Tuesday, May 10, 2005

Saft - increasingly essential for Safari

The Unofficial Apple Weblog (TUAW)

Saft is pretty amazing. I'm afraid I'm going to have to buy a copy.
Saft, the must-have plug-in for Safari, has just been updated to version 8.0.1 and the long list of features just keeps getting longer.

In light of our recent discussion of the problem with widgets, it's nice to see that the new version of Saft features both the option to stop download warnings (while keeping the option to auto-unpack 'safe' downloads) and adds warnings before Safari auto-installs Dashboard widgets.

Biggest Tiger bug thus far: Sparse Images

MacInTouch Home Page

This is why I don't make major system updates until some time has passed. This bug might have cost me very dearly (ok, so I have multiple backups). Tiger is unusable for me until this is fixed.
It looks like Tiger has a serious problem with disk image data integrity:

[Dave Nanian, Shirt Pocket Software forum]
We've just reproduced a bug in Tiger's image handling that any SuperDuper! users should be aware of.

Basically, if you create a sparse image in Tiger and back up to it, everything is fine. You can unmount it, and the file size is as you'd expect.

If, however, the image is larger than about 1GB and you try to mount it, Tiger will destroy it, and set its size to 1008MB.

I cannot recommend that you rely on any application, including SuperDuper!, that uses images until this Tiger bug is fixed. Please, be careful -- and tell others to be careful too!

[Uwe Kempf] I'm experiencing serious problems with Tiger and Sparse Images:
- Create a new Sparse Image with AES128
- When it's finished, copy some JPGs onto it
- Eject the image volume
- Re-mount it
- All JPGs are broken
I could reproduce it on three machines (German Version of Tiger 8A428)

[Follow-up] I found a workaround for this problem:
- Create a new Sparse Image with AES128
- When it's finished, first UNMOUNT IT
- Re-mount it
- Then start to use it...
Don't use the image directly when it is automatically mounted after creation. First unmount it and remount it.
Repeat after me. 10.4.1.

SendStation PocketDock (TUAW)

The Unofficial Apple Weblog (TUAW)

This is probably of most interest to PC users with 3G iPods (but note they can't charge via USB):
The PocketDocks are little dongles that attach to the bottom of your iPod replacing the dock with regular USB and Firewire cables. They've had PocketDocks that support both USB and Firewire connections, and one that supports Firewire and a Line out (this is the model I own, along with the original Firewire only model), but now they have a brand new model: The PocketDock Line Out USB, which offers both a Line Out and a USB port. $29.95 USD with cables included.
The web site describes even more bennies:
The PocketDock Line Out Pack includes two 6 ft. ultralight and ultra-compact white audio cables: One with 3.5 mm (1/8") stereo plugs on both ends, one with stereo RCA and 3.5 mm plugs. They are slim enough to fit into the palm of your hand and come with detachable velcro straps for convenient storage and cable management. Their beautiful design is a perfect match for both iPod and iPod mini — just like the PocketDock itself.

What good is a PocketDock, if you don’t have it at hand when you actually need it? Well, if there’s one thing you always carry with you, it’s probably your keys. That’s why your PocketDock now comes with a free detachable keyring dock.
This is a far better deal than the bulky and ridiculous USB cables Apple shipped for the 3G iPods. NOTE, however, that 3G iPods can't charge via USB. SendStation is good enough to note this, albeit in very small print. Later iPods will charge with this cable.

Monday, May 09, 2005

The very cheap person's guide to remote Mac control including SSH tunneling

macosxhints - How to securely control another Mac over the internet

A LOT of tips in one place. One of the best I've read in a while. Includes SSH and tunneling configuration.

Ultra-rapid (rapid) prototyping in OS X

An embedded view of the Mac mini, Part 3: Rapidly prototype an embedded application

Now that's fast.

QuickTime 7 document: revolutionary

QuickTime 7 Update Guide: Changes to QuickTime Player and QuickTime Pro

What a radical concept. Actual QuickTime documentation.

Macintouch thread on Tiger OS X widgets security flaw

The disturbing thing here isn't even this particular flaw. It's that Apple's developers clearly aren't thinking seriously about security.
10:50 EDT A question we posed previously about abuse of Tiger desktop "widgets" by malware has suddenly turned into a hot topic:

[Randy B. Singer] There is a grave concern that Tiger's new Dashboard feature, combined with Tiger's auto-installation of widgets, could provide a wide open door for malware. See: http://64.70.134.217/widgets/zaptastic/ but be prepared that just visiting this site installs a fairly innocuous proof-of-concept widget.

[Jim Vonkas] This link [at Slashdot] has a description about a web page that downloads and installs a Dashboard Widget by simply going to the page with Safari. All this happens completely WITHOUT any user interference! This behavior is worse than any danger you can encounter when browsing with the latest Windows XP!
[follow-up] ... It would have been easy enough to disable automatic downloads by default - it's an unforgivable oversight, I think, and if Apple gets a bit stirred up about it, perhaps it will be more careful in the future. ...

[Dave Schroeder] When Safari is in its default state, i.e., with "Open 'safe' files after downloading", what happens is the following:

* The widget is downloaded, unpacked, and moved to ~/Library/Widgets (a website could do this automatically)
* The next time you run Dashboard, the widget is in your shelf (when you press the "+")
* You must deliberately run the widget

Mac OS X likely assumes that if you click it, you intend to run it. The only problem I see here is that a widget could be auto-downloaded (and installed) somewhat surreptitiously, and you might not notice it for a while. There probably should be some sort of prompt in Safari at download time (which it now does for applications).
In the meantime, the sure fix for this and many other past questionable download situations is to always uncheck "Open 'safe' files after downloading" in Safari's preferences. This way, the file is downloaded, but it remains in its packed/compressed form.

[Peter da Silva] Last June [Apple] "fixed" the hole in LaunchServices by popping up an occasional warning dialog, a technique that doesn't address the real problem - the fact that they're using the same set of helper applications for trusted and untrusted references. I put up an article on it, and predicted that there would be more of these problems until they fixed the real problem.
Because popping up a dialog that's almost always answered "yes" is just getting people used to answering "yes", so by the time they need to say "no" they don't realize it until too late. Microsoft has this problem in spades, and I've had to dig viruses and spyware out of people's computers because they got used to saying "yes" one time too often. This dialog is no different.
The latest security update for Panther... what does it do? Why, it patches another example of the same problem. And it's going to happen again and again, though hopefully Apple won't take ten years to realize that they've got a deeper problem, like Microsoft has.
Dashboard. I've been worried about Dashboard. A Dashboard widget is a web page, basically, that can include native code. Native code objects for Internet Explorer - ActiveX - have been the biggest security problem there. For a while it looked like Apple had dodged the bullet... you can't run native code objects in Safari even if you're displaying a widget in Safari. No mechanism to run native code, no potential hole in Safari. I thought.
But, no, they went and decided that widgets are safe for opening and opening installs them in Dashboard. Not only that, but Dashboard doesn't have the equivalent of a popup blocker, so they can write a widget that makes your computer useless if you don't know how to remove it. So now that's TWO potential attacks. First, you can include native code in the widget and see how many punters just click "OK". Second, you can leave the native code out and they don't even get a chance to say "OK".
Bad idea all around.
First, Safari shouldn't consider Widgets "safe".
Second, it shouldn't default to opening "safe" objects anyway. Let people explicitly take an extra step, so they don't automatically get compromised when someone finds a hole in Expander (for one example).
Third, Dashboard shouldn't automatically run any widgets, it should wait until you ask it to do something with it. Oh, and it really needs some better widget management tools.
We'll see what 10.4.1 does, and in the meantime... don't let them get away with this electronic equivalent of overprescribing antibiotics. Tell them, "Don't pop up a dialog unless the user is doing something that has the immediate possibility of launching an exploit, and if you can't tell... don't do whatever it is you were about to do, let the user ask to run the application or install the widget."

[Gregory Lawhorn] Leaving the philosophical issues behind for a moment (i.e., whether Apple SHOULD allow automatic downloads or automatic installation of widgets), here's how to safeguard your system.
High Security: Disable 'Open "safe" files after downloading' in the General tab of Safari preferences. Files might be downloaded, but they will remain archived and on your desktop.
Medium Security: My preference for the moment (I happen to like having a widget automatically installed - when I know about it, that is). Go to the ~/Library/Widgets folder. Command-click on it, and select Enable Folder Actions. Command-click on it again, and select Attach a Folder Action. Select "Add - new item alert.scpt". Repeat this for Home/Library/Widgets for each and every user account on your computer.
Now when a new widget is added, intentionally or secretly, an informative dialog box will notify you that the folder contents have changed, and even give you the option of looking at the new item. If you didn't intentionally add the widget, trash it, and you're safe. At least I'm pretty sure you're safe.

[Mike Jackson] There is one really quick way to disable the auto install of widgets. Run the following command in terminal:

chmod 0550 ~/Library/Widgets/

This puts READ ONLY protection on the Widgets folder. Now going back out to http://64.70.134.217/widgets/zaptastic/ will put the auto downloaded widget onto the desktop. You can then use the Finder to move it to the ~/Library/Widgets Folder. The Finder will ask you to authenticate. Once the new widget is in place, you can double click the widget to run it in Dashboard.
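The three mitigations in the thread above (Schroeder's preference change, Lawhorn's alert on new items in ~/Library/Widgets, and Jackson's read-only folder) fit naturally in one small script that can also be re-run as an audit. What follows is an added example, not code from the MacInTouch thread or from Apple; Lawhorn's Folder Action is replaced here by a snapshot-and-diff of the folder listing, the Safari preference key AutoOpenSafeDownloads is an assumption about the defaults domain behind the "Open 'safe' files" checkbox, and the .wdgt names used in testing are constructed sample data.

```shell
#!/bin/sh
# widgets_guard.sh - added example, not from the thread. Lock the Dashboard
# widget folder, record what is in it, and report anything that appears later.
# Portable across macOS and Linux so the logic can be exercised anywhere.
export LC_ALL=C

# Per-user widget install location named in the thread (override for testing).
WIDGETS_DIR="${WIDGETS_DIR:-$HOME/Library/Widgets}"

# First column of `ls -ld` (e.g. "dr-xr-x---"); stat(1) flags differ between
# BSD and GNU, so the listing is used instead.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Jackson's mitigation: without the owner write bit, Safari's automatic
# unpack-and-move step cannot drop a widget into the folder.
lock_widgets_dir() {
    chmod 0550 "$1"
}

# Undo the lock when you deliberately install a widget by hand.
unlock_widgets_dir() {
    chmod 0750 "$1"
}

# Returns 0 when the owner write bit (third character) is cleared.
widgets_dir_is_locked() {
    case "$(perm_string "$1")" in
        d?-*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Lawhorn's idea without Folder Actions: a sorted listing of known widgets.
snapshot_widgets() {
    ls -1 "$1" | sort
}

# Names present in DIR that are absent from the BASELINE file (one per line).
new_widgets() {
    dir="$1"; baseline="$2"
    snapshot_widgets "$dir" | comm -13 "$baseline" -
}

# Schroeder's fix: turn off "Open 'safe' files after downloading". The key
# name is an assumption; defaults(1) only exists on a Mac, so skip elsewhere.
disable_safari_auto_open() {
    if command -v defaults >/dev/null 2>&1; then
        defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    else
        echo "defaults(1) not found; untick the option in Safari > Preferences > General" >&2
        return 1
    fi
}

# Audit: succeed only if the folder is locked and nothing new has appeared.
audit_widgets() {
    dir="$1"; baseline="$2"; status=0
    if ! widgets_dir_is_locked "$dir"; then
        echo "WARN: $dir is writable; a visited web page could install a widget" >&2
        status=1
    fi
    added=$(new_widgets "$dir" "$baseline")
    if [ -n "$added" ]; then
        echo "WARN: widget(s) added since the snapshot:" >&2
        echo "$added" >&2
        status=1
    fi
    return $status
}

# Usage on the Mac itself:
#   sh widgets_guard.sh lock
#   sh widgets_guard.sh snapshot > ~/widgets.baseline
#   sh widgets_guard.sh audit ~/widgets.baseline
case "${1:-}" in
    lock)     lock_widgets_dir "$WIDGETS_DIR" ;;
    unlock)   unlock_widgets_dir "$WIDGETS_DIR" ;;
    snapshot) snapshot_widgets "$WIDGETS_DIR" ;;
    audit)    audit_widgets "$WIDGETS_DIR" "$2" ;;
    prefs)    disable_safari_auto_open ;;
esac
```

The audit deliberately checks both conditions: a locked folder stops the silent install, but the snapshot catches the case Jackson describes, where you moved a widget in by hand and authenticated without looking closely at what it was. Run the audit from cron or after any browsing session you are unsure about; the baseline only needs updating when you install a widget on purpose.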