Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: Shane Stanley <email@hidden>
- Date: Thu, 11 Feb 2016 09:52:39 +1100
On 11 Feb 2016, at 8:25 AM, Yvan KOENIG <email@hidden> wrote:
>
> And here is a script doing the entire job :
Almost -- it's possible that plug-ins and other bits and bobs could also be using Sparkle. And it's possible that an app is using https for the appcast, and http for the release notes. You should probably be getting the version of the framework, too: according to the person who found the vulnerability, Sparkle v1.13.1 and later are *not* vulnerable.
It's also worth pointing out that this sort of attack is far from trivial to mount.
(ASObjC Explorer was updated to version 1.13.1 last weekend. If anyone using it is worried and doesn't want to update, they can download the latest version from my Web site.)
--
Shane Stanley <email@hidden>
<www.macosxautomation.com/applescript/apps/>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
AppleScript-Users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
Archives: http://lists.apple.com/archives/applescript-users
This email sent to email@hidden