Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: Jean-Daniel Dupas <email@hidden>
- Date: Tue, 09 Feb 2016 23:31:14 +0100
OK. I did watch the POC and it appears this is not in the update process, but in the check for update that the attack occurs.
> Le 9 févr. 2016 à 23:27, Jean-Daniel Dupas <email@hidden> a écrit :
>
> I agree. I can’t see how that can work with a properly configured Sparkle, that is an App that accepts only properly signed update.
>
>
>> Le 9 févr. 2016 à 23:22, Graham Cox <email@hidden> a écrit :
>>
>> Thanks for the heads-up Jens.
>>
>> Is it enough to change the SUFeedURL to https (if your server supports it, which ours does), or does it also require the library to be updated? The comment you link doesn’t clarify it for me - it mentions WebView, but I’m not clear about how Sparkle is using Webview - wouldn’t it just request the appcast directly, parse it and then download the update notes if it finds an update BEFORE opening a webview? Other than displaying the update notes I don’t see why Sparkle would open a Webview, but my understanding of how it works could well be wrong.
>>
>> There’s another thing too. Even if the appcast feed were compromised and an “update” containing malware were injected, it would still have to be signed correctly using the developers private key which Sparkle checks before installing the update. So even if it got that far it would surely fail at that step?
>>
>> —Graham
>>
>>
>>
>>> On 10 Feb 2016, at 8:10 AM, Jens Alfke <email@hidden> wrote:
>>>
>>> Ars Technica has an article today about a vulnerability in the Sparkle auto-update framework, which can allow an attacker to hijack an app update check to install malware on the user’s Mac:
>>> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/
>>>
>>> The clearest description of the bug is in this comment:
>>> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1&post=30615427#comment-30615427
>>>
>>> Basically: If your app uses a version of Sparkle older than 1.13 — like every single Sparkle-using app on my computer :( — and the updates are delivered over a non-HTTPS connection, you’re vulnerable (or rather, your users are.)
>>>
>>> The attack’s not trivial: it requires someone to tamper with the appcast RSS feed being received by Sparkle, at the time that it checks for an update. Most likely this would be by poisoning the DNS on a shared router and pointing your domain to their server; or else they could compromise the router to sniff the HTTP traffic and inject the payload into the stream.
>>>
>>> The best fix is to upgrade your server to use HTTPS. If your hosting provider still charges an arm and a leg for SSL, switch.
>>> In addition (or as the second-best fix if you can’t go SSL), download the latest Sparkle and update your app project to use it.
>>>
>>> —Jens
>>
>>
>> _______________________________________________
>>
>> Cocoa-dev mailing list (email@hidden)
>>
>> Please do not post admin requests or moderator comments to the list.
>> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>>
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
>
> _______________________________________________
>
> Cocoa-dev mailing list (email@hidden)
>
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden