Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: Jens Alfke <email@hidden>
- Date: Tue, 09 Feb 2016 17:22:38 -0800
> On Feb 9, 2016, at 2:22 PM, Graham Cox <email@hidden> wrote:
>
> Is it enough to change the SUFeedURL to https (if your server supports it, which ours does), or does it also require the library to be updated?
Using HTTPS for the appcast RSS feed should be sufficient, because it prevents an attacker from tampering with the contents of the feed.
> The comment you link doesn’t clarify it for me - it mentions WebView, but I’m not clear about how Sparkle is using Webview
It’s to display the release notes, which come from an RSS entry in the feed and are in HTML format. And Sparkle had a couple of bugs relating to that: (a) the WebView was configured to allow JavaScript, and (b) their delegate handled navigation requests to file: URLs by sending them to the Finder. This meant that a malicious feed entry could run a script to download some malware and then tell the Finder to launch the downloaded malware installer.
Full details are here:
https://vulnsec.com/2016/osx-apps-vulnerabilities/
One of the takeaways from this for Mac developers is that WebViews can be really dangerous, and if you use one in your app, you should give it the minimum possible privileges and be really careful about how you respond to any requests the loaded web page makes.
—Jens
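As an added example, not Sparkle's code and not part of the message above, here is how a Cocoa app might apply that last takeaway to a legacy WebKit WebView that shows release notes: script, Java and plug-ins switched off, and a policy delegate that never lets the loaded page navigate anywhere on its own and only passes an https: link on an allow-listed host to the system browser. The class name, the `kReleaseNotesHost` placeholder and the flag used to recognise the app's own initial load are all assumptions made for the example.

```objc
// ReleaseNotesController.m -- illustrative example, not Sparkle's own code.
#import <Cocoa/Cocoa.h>
#import <WebKit/WebKit.h>

// Hypothetical allow-list: the only host whose https: links we will open externally.
static NSString * const kReleaseNotesHost = @"example.com";

@interface ReleaseNotesController : NSObject
@property (nonatomic, strong) WebView *webView;
- (instancetype)initWithWebView:(WebView *)webView;
- (void)loadReleaseNotesHTML:(NSString *)html;
@end

@implementation ReleaseNotesController {
    BOOL _initialLoadDone;   // set once our own loadHTMLString: navigation has been accepted
}

- (instancetype)initWithWebView:(WebView *)webView {
    if ((self = [super init])) {
        _webView = webView;

        // (a) Minimum privileges: release notes are static HTML, so the view
        //     has no business running script, Java applets or plug-ins.
        WebPreferences *prefs = [webView preferences];
        [prefs setJavaScriptEnabled:NO];
        [prefs setJavaScriptCanOpenWindowsAutomatically:NO];
        [prefs setJavaEnabled:NO];
        [prefs setPlugInsEnabled:NO];

        // (b) We decide what happens with every navigation the page attempts.
        [webView setPolicyDelegate:self];
    }
    return self;
}

- (void)loadReleaseNotesHTML:(NSString *)html {
    _initialLoadDone = NO;
    // baseURL:nil keeps the document out of the file: origin, so the content
    // cannot address local files as if it were a local document.
    [[_webView mainFrame] loadHTMLString:html baseURL:nil];
}

// YES only for links we are willing to hand to the default browser:
// https: on the allow-listed host. file:, javascript:, http: etc. are refused.
- (BOOL)isAllowedExternalURL:(NSURL *)url {
    NSString *scheme = [[url scheme] lowercaseString];
    if (![scheme isEqualToString:@"https"]) {
        return NO;
    }
    return [[[url host] lowercaseString] isEqualToString:kReleaseNotesHost];
}

#pragma mark - WebPolicyDelegate (informal protocol)

- (void)webView:(WebView *)sender
    decidePolicyForNavigationAction:(NSDictionary *)actionInformation
    request:(NSURLRequest *)request
    frame:(WebFrame *)frame
    decisionListener:(id<WebPolicyDecisionListener>)listener
{
    // The first main-frame navigation is our own loadHTMLString: call; accept it.
    if (!_initialLoadDone && frame == [sender mainFrame]) {
        _initialLoadDone = YES;
        [listener use];
        return;
    }

    // Anything the page asks for afterwards (clicked link, meta refresh,
    // subframe load) is never loaded in this view. The dangerous pattern is to
    // hand *every* such URL to NSWorkspace, which will launch a file: URL; here
    // only an allow-listed https: link leaves the app.
    NSURL *url = [request URL];
    if ([self isAllowedExternalURL:url]) {
        [[NSWorkspace sharedWorkspace] openURL:url];
    } else {
        NSLog(@"Release notes: refusing navigation to %@", url);
    }
    [listener ignore];
}

- (void)webView:(WebView *)sender
    decidePolicyForNewWindowAction:(NSDictionary *)actionInformation
    request:(NSURLRequest *)request
    newFrameName:(NSString *)frameName
    decisionListener:(id<WebPolicyDecisionListener>)listener
{
    // target="_blank" links get the same treatment; never open a second WebView.
    NSURL *url = [request URL];
    if ([self isAllowedExternalURL:url]) {
        [[NSWorkspace sharedWorkspace] openURL:url];
    }
    [listener ignore];
}

@end
```

The two checks are independent: even if a future change re-enabled JavaScript, a script could still not get a file: URL opened because the scheme test in the policy delegate rejects it; and even if the delegate were too permissive, a page without script has far fewer ways to trigger a navigation. On current macOS the same shape applies to WKWebView, whose `WKPreferences` carries the JavaScript switch and whose navigation delegate receives `-webView:decidePolicyForNavigationAction:decisionHandler:` for the same allow-list decision.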
_______________________________________________
Cocoa-dev mailing list (email@hidden)