According to one developer, the OS X Tiger Dashboard has an exploit whereby a widget can do nasty things to the underlying OS. Of course, this is all fully documented by Apple (e.g. widget.system("rm -rf /", null) would be nasty, but is fully permitted if the right security entry is made in the widget's Info.plist file).
The ability to run software is not a vulnerability - it's the goal of a general-purpose operating system. No less so with OS X Tiger's Dashboard. Users running executable content need to know that this content can, well, execute.
Posted by Ed at May 9, 2005 06:17 PM
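An added example, not part of the original post and not Apple's code: a check a user or administrator can run over a widget's Info.plist before installing it, to see which access keys it requests and whether widget.system() would be permitted. The key names are the ones Apple's Dashboard documentation defines (the post does not name them); the function name and the sample plist are constructed for illustration.

```python
import plistlib

# Access keys Apple documents for a Dashboard widget's Info.plist.
# AllowSystem and AllowFullAccess are the two that permit widget.system().
ACCESS_KEYS = {
    "AllowFullAccess": "file system, network, plug-ins, Java and command-line access",
    "AllowSystem": "command-line access via widget.system()",
    "AllowFileAccessOutsideOfWidget": "files outside the widget bundle",
    "AllowNetworkAccess": "network resources",
    "AllowInternetPlugins": "WebKit/browser plug-ins",
    "AllowJava": "Java applets",
}
CAN_EXECUTE = {"AllowFullAccess", "AllowSystem"}


def audit_widget_plist(data: bytes) -> dict:
    """Return the access keys a widget requests and whether it can run commands."""
    info = plistlib.loads(data)
    # Only a key explicitly set to <true/> counts as requested.
    requested = sorted(k for k in ACCESS_KEYS if info.get(k) is True)
    return {
        "name": info.get("CFBundleName", "<unnamed>"),
        "requested": requested,
        "can_execute": any(k in CAN_EXECUTE for k in requested),
    }


# Constructed sample Info.plist (hypothetical widget, not a real one).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleName</key><string>ExampleWidget</string>
    <key>MainHTML</key><string>index.html</string>
    <key>AllowSystem</key><true/>
    <key>AllowNetworkAccess</key><true/>
    <key>AllowJava</key><false/>
</dict>
</plist>"""

if __name__ == "__main__":
    report = audit_widget_plist(SAMPLE)
    print(f"{report['name']}: can run commands = {report['can_execute']}")
    for key in report["requested"]:
        print(f"  {key}: {ACCESS_KEYS[key]}")
```

To audit an installed widget, pass the bytes of its Contents-level Info.plist file read in binary mode.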