Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: Charles Srstka <email@hidden>
- Date: Tue, 09 Feb 2016 20:08:40 -0600
If your app is accessing your appcast via HTTP, that could be intercepted just the same as your relnotes, and then the attacker could set the relnotes URL to whatever s/he wants.
Charles
> On Feb 9, 2016, at 7:53 PM, Graham Cox <email@hidden> wrote:
>
> Wait a sec, I think I see an easy solution to this.
>
> The appcast supplies the URL for the release notes, so that can be updated to https without having to republish the app itself. That makes this a lot less trouble than it seems.
>
> Am I right?
>
> —Graham
>
>> On 10 Feb 2016, at 12:49 PM, Graham Cox <email@hidden> wrote:
>>
>>
>>> On 10 Feb 2016, at 12:22 PM, Jens Alfke <email@hidden> wrote:
>>>
>>> It’s to display the release notes, which come from an RSS entry in the feed and are in HTML format. And Sparkle had a couple of bugs relating to that: (a) the WebView was configured to allow JavaScript, and (b) their delegate handled navigation requests to file: URLs by sending them to the Finder. This meant that a malicious feed entry could run a script to download some malware and then tell the Finder to launch the downloaded malware installer.
>>
>> Got it, so the signing aspect is irrelevant.
>>
>> Already updated to use https, but of course the problem is that in itself requires a Sparkle update…
>
>
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
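The thread's point is that moving the release notes to HTTPS helps only if the appcast itself, which hands out that URL, is also fetched over HTTPS. The checker below is an added example, not code from the list or from Sparkle: it walks an appcast (RSS with Sparkle's `sparkle:` namespace) and reports every feed, release-notes or enclosure URL that is not HTTPS. The sample feed is constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace Sparkle appcasts use for their extension elements.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample appcast (not a real feed): one item with HTTPS links,
# one item that still points at plain-HTTP release notes and download.
SAMPLE_APPCAST = """<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>Example App</title>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>https://example.com/notes/2.0.html</sparkle:releaseNotesLink>
      <enclosure url="https://example.com/ExampleApp-2.0.zip" sparkle:version="2.0" />
    </item>
    <item>
      <title>Version 1.9</title>
      <sparkle:releaseNotesLink>http://example.com/notes/1.9.html</sparkle:releaseNotesLink>
      <enclosure url="http://example.com/ExampleApp-1.9.zip" sparkle:version="1.9" />
    </item>
  </channel>
</rss>
"""


def audit_appcast(feed_url: str, appcast_xml: str) -> list:
    """Return a list of findings; an empty list means every URL involved is HTTPS.

    feed_url is the URL the app downloads the appcast from: if that one is
    plain HTTP, an on-path attacker can rewrite every link inside the feed,
    so the per-item checks below are only meaningful once it is HTTPS.
    """
    findings = []
    if urlparse(feed_url).scheme != "https":
        findings.append(f"appcast feed URL is not HTTPS: {feed_url}")
    root = ET.fromstring(appcast_xml)
    for item in root.iter("item"):
        title = item.findtext("title", default="<untitled>")
        notes = item.find(f"{{{SPARKLE_NS}}}releaseNotesLink")
        if notes is not None and urlparse((notes.text or "").strip()).scheme != "https":
            findings.append(f"{title}: release notes link is not HTTPS: {(notes.text or '').strip()}")
        enclosure = item.find("enclosure")
        if enclosure is not None and urlparse(enclosure.get("url", "")).scheme != "https":
            findings.append(f"{title}: enclosure URL is not HTTPS: {enclosure.get('url')}")
    return findings


if __name__ == "__main__":
    for finding in audit_appcast("http://example.com/appcast.xml", SAMPLE_APPCAST):
        print(finding)
```

Running it against the sample reports the HTTP feed URL plus both HTTP links in the 1.9 item; switching the feed URL to HTTPS leaves only the two item-level findings.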