PSA: Does your app use Sparkle? Update it, or use an HTTPS server
PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: Jens Alfke <email@hidden>
- Date: Tue, 09 Feb 2016 13:10:51 -0800
Ars Technica has an article today about a vulnerability in the Sparkle auto-update framework, which can allow an attacker to hijack an app update check to install malware on the user’s Mac:
http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/
The clearest description of the bug is in this comment:
http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1&post=30615427#comment-30615427
Basically: If your app uses a version of Sparkle older than 1.13 — like every single Sparkle-using app on my computer :( — and the updates are delivered over a non-HTTPS connection, you’re vulnerable (or rather, your users are.)
The attack’s not trivial: it requires someone to tamper with the appcast RSS feed being received by Sparkle, at the time that it checks for an update. Most likely this would be by poisoning the DNS on a shared router and pointing your domain to their server; or else they could compromise the router to sniff the HTTP traffic and inject the payload into the stream.
The best fix is to upgrade your server to use HTTPS. If your hosting provider still charges an arm and a leg for SSL, switch.
In addition (or as the second-best fix if you can’t go SSL), download the latest Sparkle and update your app project to use it.
—Jens
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden