If your app is accessing your appcast via HTTP, that could be intercepted just the same as your relnotes, and then the attacker could set the relnotes URL to whatever s/he wants.
Charles

> On Feb 9, 2016, at 7:53 PM, Graham Cox <graham....@bigpond.com> wrote:
>
> Wait a sec, I think I see an easy solution to this.
>
> The appcast supplies the URL for the release notes, so that can be updated to
> https without having to republish the app itself. That makes this a lot less
> trouble than it seems.
>
> Am I right?
>
> —Graham
>
>
>> On 10 Feb 2016, at 12:49 PM, Graham Cox <graham....@bigpond.com> wrote:
>>
>>
>>> On 10 Feb 2016, at 12:22 PM, Jens Alfke <j...@mooseyard.com> wrote:
>>>
>>> It’s to display the release notes, which come from an RSS entry in the feed
>>> and are in HTML format. And Sparkle had a couple of bugs relating to that:
>>> (a) the WebView was configured to allow JavaScript, and (b) their delegate
>>> handled navigation requests to file: URLs by sending them to the Finder.
>>> This meant that a malicious feed entry could run a script to download some
>>> malware and then tell the Finder to launch the downloaded malware installer.
>>>
>>
>> Got it, so the signing aspect is irrelevant.
>>
>> Already updated to use https, but of course the problem is that in itself
>> requires a Sparkle update…
>
> _______________________________________________
>
> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
>
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/cocoa-dev/cocoadev%40charlessoft.com
>
> This email sent to cocoa...@charlessoft.com
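A release-notes view hardened against the two bugs Jens describes (script execution in the WebView, and navigations to other schemes being handed off to the Finder), as an added example that is not Sparkle's own code nor anything posted in the thread. It assumes WKWebView rather than the legacy WebView Sparkle used at the time, and the helper `RNURLIsAllowed` and class `ReleaseNotesView` are hypothetical names.

```objective-c
// Added example, not Sparkle's code. Assumes WKWebView; with the legacy
// WebView the same policy belongs in WebPolicyDelegate's
// -webView:decidePolicyForNavigationAction:request:frame:decisionListener:.
#import <WebKit/WebKit.h>

// Hypothetical helper: only https URLs, plus about:blank for the initial
// load of the HTML string, may be loaded into the release-notes view.
// file:, javascript:, http: and custom schemes are refused, so a feed entry
// cannot steer the view (or the Finder) at a local file.
static BOOL RNURLIsAllowed(NSURL *url) {
    NSString *scheme = url.scheme.lowercaseString;
    if ([scheme isEqualToString:@"about"]) {
        return [url.absoluteString isEqualToString:@"about:blank"];
    }
    return [scheme isEqualToString:@"https"];
}

@interface ReleaseNotesView : NSObject <WKNavigationDelegate>
@property (nonatomic, strong) WKWebView *webView;
@end

@implementation ReleaseNotesView

- (instancetype)initWithFrame:(NSRect)frame {
    if ((self = [super init])) {
        WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
        // Bug (a) in the thread: no script execution inside release notes.
        // (javaScriptEnabled is deprecated on macOS 11+, where
        // WKWebpagePreferences.allowsContentJavaScript does the same job.)
        config.preferences.javaScriptEnabled = NO;
        _webView = [[WKWebView alloc] initWithFrame:frame configuration:config];
        _webView.navigationDelegate = self;
    }
    return self;
}

// Bug (b) in the thread: never forward a navigation the view cannot
// handle to the system. Anything that is not https is cancelled here.
- (void)webView:(WKWebView *)webView
decidePolicyForNavigationAction:(WKNavigationAction *)navigationAction
decisionHandler:(void (^)(WKNavigationActionPolicy))decisionHandler {
    NSURL *url = navigationAction.request.URL;
    decisionHandler(RNURLIsAllowed(url) ? WKNavigationActionPolicyAllow
                                        : WKNavigationActionPolicyCancel);
}

- (void)loadReleaseNotesHTML:(NSString *)html {
    // baseURL nil: relative links resolve against about:blank and are refused.
    [self.webView loadHTMLString:html baseURL:nil];
}
@end
```

Fetching the appcast and the release-notes URL themselves over https (Charles's point above) is still required; this only limits what the rendered HTML can do once it has arrived.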