Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

  • Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • From: SevenBits <email@hidden>
  • Date: Tue, 09 Feb 2016 16:42:44 -0500

Yes, this is very important -- don't ignore this message!

On Tuesday, February 9, 2016, Jens Alfke <email@hidden> wrote:

> Ars Technica has an article today about a vulnerability in the Sparkle
> auto-update framework, which can allow an attacker to hijack an app update
> check to install malware on the user’s Mac:
>
> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/
>
> The clearest description of the bug is in this comment:
>
> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1&post=30615427#comment-30615427
>
> Basically: If your app uses a version of Sparkle older than 1.13 — like
> every single Sparkle-using app on my computer :( — and the updates are
> delivered over a non-HTTPS connection, you’re vulnerable (or rather, your
> users are.)
>
> The attack’s not trivial: it requires someone to tamper with the appcast
> RSS feed being received by Sparkle, at the time that it checks for an
> update. Most likely this would be by poisoning the DNS on a shared router
> and pointing your domain to their server; or else they could compromise the
> router to sniff the HTTP traffic and inject the payload into the stream.
>
> The best fix is to upgrade your server to use HTTPS. If your hosting
> provider still charges an arm and a leg for SSL, switch.
> In addition (or as the second-best fix if you can’t go SSL), download the
> latest Sparkle and update your app project to use it.
>
> —Jens
_______________________________________________

Cocoa-dev mailing list (email@hidden)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
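The vulnerable combination described in the thread (a Sparkle build older than 1.13 together with an appcast served over plain HTTP) can be checked mechanically against an app bundle. The script below is an added example and is not code from this thread or from the Sparkle project. It reads two property lists: the app's own Info.plist, where Sparkle's real `SUFeedURL` key names the appcast, and the bundled Sparkle.framework's Info.plist, which is assumed here to carry the framework version in `CFBundleShortVersionString`. Both plists below are constructed samples; in practice you would read them from `MyApp.app/Contents/Info.plist` and `MyApp.app/Contents/Frameworks/Sparkle.framework/Resources/Info.plist`.

```python
import plistlib
from urllib.parse import urlparse

# Oldest Sparkle release the thread considers safe; anything below it accepts
# a tampered appcast when the feed is fetched over HTTP.
MIN_SAFE_SPARKLE = (1, 13)


def parse_version(text):
    """Turn '1.13.1' into (1, 13, 1); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def audit_sparkle(app_plist_bytes, sparkle_plist_bytes):
    """Evaluate one app bundle against the two conditions named in the thread.

    Returns a dict with the individual findings and an overall verdict:
    the app is exposed only when BOTH the feed is non-HTTPS AND Sparkle < 1.13,
    since either fix (HTTPS, or a current Sparkle) closes the hole.
    """
    app = plistlib.loads(app_plist_bytes)
    sparkle = plistlib.loads(sparkle_plist_bytes)

    feed = app.get("SUFeedURL")  # real Sparkle key; may be absent if set in code
    scheme = urlparse(feed).scheme.lower() if feed else ""
    http_feed = scheme != "https"

    # Assumption: the framework bundle reports its version in this key.
    version_text = sparkle.get("CFBundleShortVersionString", "")
    version = parse_version(version_text)
    old_sparkle = not version or version < MIN_SAFE_SPARKLE

    return {
        "feed_url": feed,
        "http_feed": http_feed,          # True also when SUFeedURL is missing (verify manually)
        "sparkle_version": version_text,
        "old_sparkle": old_sparkle,
        "vulnerable": http_feed and old_sparkle,
    }


# Constructed sample plists (not taken from any real app).
VULNERABLE_APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>SUFeedURL</key><string>http://updates.example.com/appcast.xml</string>
</dict></plist>"""

FIXED_APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>SUFeedURL</key><string>https://updates.example.com/appcast.xml</string>
</dict></plist>"""

OLD_SPARKLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>org.sparkle-project.Sparkle</string>
  <key>CFBundleShortVersionString</key><string>1.11.1</string>
</dict></plist>"""

NEW_SPARKLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>org.sparkle-project.Sparkle</string>
  <key>CFBundleShortVersionString</key><string>1.13.1</string>
</dict></plist>"""


if __name__ == "__main__":
    for label, app, fw in (
        ("before", VULNERABLE_APP_PLIST, OLD_SPARKLE_PLIST),
        ("after", FIXED_APP_PLIST, NEW_SPARKLE_PLIST),
    ):
        result = audit_sparkle(app, fw)
        print(f"{label}: vulnerable={result['vulnerable']} "
              f"feed={result['feed_url']} sparkle={result['sparkle_version']}")
```

The verdict deliberately treats a missing `SUFeedURL` as non-HTTPS so the bundle is flagged for manual review rather than silently passing; apps that set the feed URL in code need that second look.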

