PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • Subject: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • From: Jens Alfke <email@hidden>
  • Date: Tue, 09 Feb 2016 13:10:51 -0800

Ars Technica has an article today about a vulnerability in the Sparkle auto-update framework, which can allow an attacker to hijack an app update check to install malware on the user’s Mac:
	http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/

The clearest description of the bug is in this comment:
	http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1&post=30615427#comment-30615427

Basically: If your app uses a version of Sparkle older than 1.13 — like every single Sparkle-using app on my computer :( — and the updates are delivered over a non-HTTPS connection, you’re vulnerable (or rather, your users are).

The attack’s not trivial: it requires someone to tamper with the appcast RSS feed being received by Sparkle, at the time that it checks for an update. Most likely this would be by poisoning the DNS on a shared router and pointing your domain to their server; or else they could compromise the router to sniff the HTTP traffic and inject the payload into the stream.

The best fix is to upgrade your server to use HTTPS. If your hosting provider still charges an arm and a leg for SSL, switch.
In addition (or as the second-best fix if you can’t go SSL), download the latest Sparkle and update your app project to use it.

—Jens
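As an added example (not part of Jens's post and not Sparkle's own code), a small Python audit script that applies the post's two criteria to an app bundle: it reads the framework version from the embedded Sparkle.framework's Info.plist and the appcast URL from the app's SUFeedURL key, and reports when the version is older than 1.13, when the feed is not HTTPS, and the combination of both. The bundle layout (Contents/Frameworks/Sparkle.framework/Resources/Info.plist) is the standard embedding and is assumed here; apps that set the feed URL in code rather than in Info.plist are flagged for manual review.

```python
"""Audit .app bundles for the exposure described in the post: Sparkle older
than 1.13 combined with an appcast (SUFeedURL) that is not served over HTTPS."""
import plistlib
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

FIXED_SPARKLE = (1, 13)  # first Sparkle release the post says closes the hole


def parse_version(text):
    """'1.13.1' -> (1, 13, 1); '1.5b4' -> (1, 5); stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def audit(app_info, sparkle_info):
    """app_info: the app's Info.plist as a dict. sparkle_info: the embedded
    Sparkle.framework's Info.plist as a dict, or None if no Sparkle is bundled.
    Returns a list of findings; an empty list means nothing to report."""
    if sparkle_info is None:
        return []
    version = parse_version(sparkle_info.get("CFBundleShortVersionString", "0"))
    feed = app_info.get("SUFeedURL", "")
    old = version < FIXED_SPARKLE
    findings = []
    if old:
        findings.append("Sparkle %s is older than 1.13" % ".".join(map(str, version)))
    if not feed:
        findings.append("no SUFeedURL in Info.plist (feed may be set in code): verify it is HTTPS")
    elif urlparse(feed).scheme.lower() != "https":
        findings.append("appcast not served over HTTPS: " + feed)
        if old:
            findings.append("VULNERABLE: old Sparkle + plain-HTTP appcast; either fix removes the exposure")
    return findings


def audit_bundle(app_path):
    """Load both plists from an .app on disk (assumed standard layout) and audit them."""
    app = Path(app_path)
    with open(app / "Contents" / "Info.plist", "rb") as f:
        app_info = plistlib.load(f)
    sparkle_plist = app / "Contents/Frameworks/Sparkle.framework/Resources/Info.plist"
    sparkle_info = None
    if sparkle_plist.is_file():
        with open(sparkle_plist, "rb") as f:
            sparkle_info = plistlib.load(f)
    return audit(app_info, sparkle_info)


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. python sparkle_audit.py /Applications/*.app
        print(path, "\n  " + "\n  ".join(audit_bundle(path) or ["no Sparkle findings"]))
```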
Cocoa-dev mailing list (email@hidden)