Thanks for the heads-up Jens. Is it enough to change the SUFeedURL to https (if your server supports it, which ours does), or does it also require the library to be updated? The comment you link doesn’t clarify it for me - it mentions WebView, but I’m not clear about how Sparkle is using Webview - wouldn’t it just request the appcast directly, parse it and then download the update notes if it finds an update BEFORE opening a webview? Other than displaying the update notes I don’t see why Sparkle would open a Webview, but my understanding of how it works could well be wrong.
There’s another thing too. Even if the appcast feed were compromised and an “update” containing malware were injected, it would still have to be signed correctly using the developers private key which Sparkle checks before installing the update. So even if it got that far it would surely fail at that step? —Graham > On 10 Feb 2016, at 8:10 AM, Jens Alfke <j...@mooseyard.com> wrote: > > Ars Technica has an article today about a vulnerability in the Sparkle > auto-update framework, which can allow an attacker to hijack an app update > check to install malware on the user’s Mac: > > http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/ > > The clearest description of the bug is in this comment: > > http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1&post=30615427#comment-30615427 > > Basically: If your app uses a version of Sparkle older than 1.13 — like every > single Sparkle-using app on my computer :( — and the updates are delivered > over a non-HTTPS connection, you’re vulnerable (or rather, your users are.) > > The attack’s not trivial: it requires someone to tamper with the appcast RSS > feed being received by Sparkle, at the time that it checks for an update. > Most likely this would be by poisoning the DNS on a shared router and > pointing your domain to their server; or else they could compromise the > router to sniff the HTTP traffic and inject the payload into the stream. > > The best fix is to upgrade your server to use HTTPS. If your hosting provider > still charges an arm and a leg for SSL, switch. > In addition (or as the second-best fix if you can’t go SSL), download the > latest Sparkle and update your app project to use it. > > —Jens _______________________________________________ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
