Re: Sparkle updater check vulnerability script
- Subject: Re: Sparkle updater check vulnerability script
- From: Shane Stanley <email@hidden>
- Date: Fri, 12 Feb 2016 13:26:01 +1100
Let me make a few points about this stuff.
* The Sparkle exploit involves a man-in-the-middle attack, which is far from trivial to carry out. It means something like getting access to your LAN, perhaps using a fake wi-fi access point. That's not to say it can be ignored, but it should be kept in perspective. Especially because if someone has managed to do that, you've quite possibly got lots of other things to worry about.
* The fact that a lot of apps use Sparkle means a lot of apps may be at potential risk, but the exploit has to be application-specific. It's not like a MITM attack can just target *any* app that uses Sparkle; an attack has to be crafted with a particular app in mind. You can draw your own conclusions about what that means in terms of which apps are at most risk.
* Sparkle is open-source. That means developers can modify it to suit their particular purposes, and many do. It follows from this that version numbers may or may not mean anything.
* The URL for the appcast does not have to be in the Info.plist file. It can be elsewhere, in which case you can't check.
* Even if the URL for the appcast uses https, there's no guarantee that the appcast file doesn't contain http links.
* In some cases there will be no practical way to update Sparkle and maintain compatibility with old versions of the OS. If you're seriously worried about security, you either keep up or unplug.
--
Shane Stanley <email@hidden>
<www.macosxautomation.com/applescript/apps/>
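Two of the points above, that a checker can only see a feed URL if it is in Info.plist, and that an https feed may still contain http links, as an added audit check written for this archive page (not code from the thread, the original script, or Sparkle itself). The Info.plist and appcast below are constructed samples; the only real identifier is the XML namespace that Sparkle appcasts declare.

```python
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample Info.plist (not from any real app): the feed itself is https.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.demoapp",
    "SUFeedURL": "https://updates.example.com/appcast.xml",
})

# Constructed sample appcast: served over https, but the enclosure (the actual
# download) and the release-notes link it points at are plain http.
SAMPLE_APPCAST = b"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
<channel>
 <link>https://updates.example.com/</link>
 <item>
  <title>Version 2.0</title>
  <sparkle:releaseNotesLink>http://updates.example.com/notes.html</sparkle:releaseNotesLink>
  <enclosure url="http://updates.example.com/DemoApp-2.0.zip" sparkle:version="2.0"/>
 </item>
</channel>
</rss>"""

def feed_url_from_plist(plist_bytes):
    """SUFeedURL from Info.plist, or None when the app sets the feed URL in code."""
    return plistlib.loads(plist_bytes).get("SUFeedURL")

def insecure_urls_in_appcast(appcast_bytes):
    """Every enclosure, <link> or release-notes URL in the appcast whose scheme
    is not https. Each one is content a network attacker could substitute even
    though the appcast itself was fetched over TLS."""
    found = []
    for el in ET.fromstring(appcast_bytes).iter():
        tag = el.tag.split("}")[-1]  # drop the sparkle: namespace prefix
        if tag not in ("enclosure", "link", "releaseNotesLink"):
            continue
        url = el.get("url") if tag == "enclosure" else (el.text or "").strip()
        if url and urlparse(url).scheme != "https":
            found.append(url)
    return found

def audit(plist_bytes, appcast_bytes):
    """One report per app: feed scheme plus any non-https links inside the feed."""
    feed = feed_url_from_plist(plist_bytes)
    return {"feed_url": feed,
            "feed_is_https": bool(feed) and urlparse(feed).scheme == "https",
            "insecure_urls": insecure_urls_in_appcast(appcast_bytes)}

if __name__ == "__main__":
    print(audit(SAMPLE_INFO_PLIST, SAMPLE_APPCAST))
```

A feed reported as https with an empty insecure_urls list is still only as trustworthy as the app's own Sparkle build, since a modified copy may not use the plist key at all.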