Yes, this is very important -- don't ignore this message!

On Tuesday, February 9, 2016, Jens Alfke <j...@mooseyard.com> wrote:

> Ars Technica has an article today about a vulnerability in the Sparkle
> auto-update framework, which can allow an attacker to hijack an app update
> check to install malware on the user’s Mac:
>
> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/
>
> The clearest description of the bug is in this comment:
>
> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1&post=30615427#comment-30615427
>
> Basically: If your app uses a version of Sparkle older than 1.13 — like
> every single Sparkle-using app on my computer :( — and the updates are
> delivered over a non-HTTPS connection, you’re vulnerable (or rather, your
> users are.)
>
> The attack’s not trivial: it requires someone to tamper with the appcast
> RSS feed being received by Sparkle, at the time that it checks for an
> update. Most likely this would be by poisoning the DNS on a shared router
> and pointing your domain to their server; or else they could compromise the
> router to sniff the HTTP traffic and inject the payload into the stream.
>
> The best fix is to upgrade your server to use HTTPS. If your hosting
> provider still charges an arm and a leg for SSL, switch.
> In addition (or as the second-best fix if you can’t go SSL), download the
> latest Sparkle and update your app project to use it.
>
> —Jens
> _______________________________________________
>
> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
>
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/cocoa-dev/sevenbitstech%40gmail.com
>
> This email sent to sevenbitst...@gmail.com
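A defender-side check for the two conditions the quoted message describes: an appcast fetched over plain HTTP, and a bundled Sparkle older than 1.13. This is an added example, not code from the thread or from the Sparkle project. It assumes the feed URL is configured through the `SUFeedURL` key in the app's Info.plist (Sparkle's standard key; an app that sets the URL in code will not be caught by this check) and that the framework's version can be read from `Contents/Frameworks/Sparkle.framework/Resources/Info.plist`. Both sample plists below are constructed for the example.

```python
import os
import plistlib
from urllib.parse import urlparse

# Sparkle release the thread names as the first one not affected.
MIN_SAFE_SPARKLE = (1, 13)

# Constructed sample: an app Info.plist whose appcast is fetched over http://,
# the configuration the thread warns about.
SAMPLE_APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.SampleApp</string>
    <key>SUFeedURL</key>
    <string>http://updates.example.com/appcast.xml</string>
</dict>
</plist>
"""

# Constructed sample: the Info.plist of a bundled Sparkle.framework that is
# older than 1.13.
SAMPLE_SPARKLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>org.andymatuschak.Sparkle</string>
    <key>CFBundleShortVersionString</key>
    <string>1.12.1</string>
</dict>
</plist>
"""


def parse_version(text):
    """Turn '1.12.1' into (1, 12, 1); non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit(app_plist_bytes, sparkle_plist_bytes=None):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    app = plistlib.loads(app_plist_bytes)

    feed = app.get("SUFeedURL")
    if feed is None:
        # The URL may be supplied programmatically; flag so a human looks.
        findings.append("no SUFeedURL key in Info.plist; feed URL must be checked in code")
    else:
        scheme = urlparse(feed).scheme.lower()
        if scheme != "https":
            findings.append(f"appcast fetched over {scheme or 'unknown scheme'}: {feed}")

    if sparkle_plist_bytes is not None:
        framework = plistlib.loads(sparkle_plist_bytes)
        version = framework.get("CFBundleShortVersionString") or framework.get("CFBundleVersion") or ""
        if parse_version(version) < MIN_SAFE_SPARKLE:
            findings.append(f"bundled Sparkle {version or '?'} is older than 1.13")

    return findings


def audit_bundle(app_path):
    """Audit an installed .app bundle on disk (returns None if it has no Sparkle)."""
    app_plist = os.path.join(app_path, "Contents", "Info.plist")
    sparkle_plist = os.path.join(app_path, "Contents", "Frameworks",
                                 "Sparkle.framework", "Resources", "Info.plist")
    if not os.path.exists(sparkle_plist):
        return None  # app does not ship Sparkle; nothing to audit here
    with open(app_plist, "rb") as f:
        app_bytes = f.read()
    with open(sparkle_plist, "rb") as f:
        sparkle_bytes = f.read()
    return audit(app_bytes, sparkle_bytes)


if __name__ == "__main__":
    for finding in audit(SAMPLE_APP_PLIST, SAMPLE_SPARKLE_PLIST):
        print("FLAG:", finding)
```

Pointing `audit_bundle` at every `.app` under `/Applications` gives a quick inventory of which installed apps still need the HTTPS move or the Sparkle upgrade the thread recommends; an empty finding list for an app means its feed is already HTTPS and its Sparkle is 1.13 or later.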