OK. I did watch the POC and it appears this is not in the update process, but in the check for update that the attack occurs.
> On 9 Feb 2016 at 23:27, Jean-Daniel Dupas <mail...@xenonium.com> wrote:
>
> I agree. I can’t see how that can work with a properly configured Sparkle,
> that is an App that accepts only properly signed updates.
>
>
>> On 9 Feb 2016 at 23:22, Graham Cox <graham....@bigpond.com> wrote:
>>
>> Thanks for the heads-up Jens.
>>
>> Is it enough to change the SUFeedURL to https (if your server supports it,
>> which ours does), or does it also require the library to be updated? The
>> comment you link doesn’t clarify it for me - it mentions WebView, but I’m
>> not clear about how Sparkle is using WebView - wouldn’t it just request the
>> appcast directly, parse it and then download the update notes if it finds an
>> update BEFORE opening a WebView? Other than displaying the update notes I
>> don’t see why Sparkle would open a WebView, but my understanding of how it
>> works could well be wrong.
>>
>> There’s another thing too. Even if the appcast feed were compromised and an
>> “update” containing malware were injected, it would still have to be signed
>> correctly using the developer’s private key, which Sparkle checks before
>> installing the update. So even if it got that far it would surely fail at
>> that step?
>>
>> —Graham
>>
>>
>>
>>> On 10 Feb 2016, at 8:10 AM, Jens Alfke <j...@mooseyard.com> wrote:
>>>
>>> Ars Technica has an article today about a vulnerability in the Sparkle
>>> auto-update framework, which can allow an attacker to hijack an app update
>>> check to install malware on the user’s Mac:
>>>
>>> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/
>>>
>>> The clearest description of the bug is in this comment:
>>>
>>> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1&post=30615427#comment-30615427
>>>
>>> Basically: If your app uses a version of Sparkle older than 1.13 — like
>>> every single Sparkle-using app on my computer :( — and the updates are
>>> delivered over a non-HTTPS connection, you’re vulnerable (or rather, your
>>> users are.)
>>>
>>> The attack’s not trivial: it requires someone to tamper with the appcast
>>> RSS feed being received by Sparkle, at the time that it checks for an
>>> update. Most likely this would be by poisoning the DNS on a shared router
>>> and pointing your domain to their server; or else they could compromise the
>>> router to sniff the HTTP traffic and inject the payload into the stream.
>>>
>>> The best fix is to upgrade your server to use HTTPS. If your hosting
>>> provider still charges an arm and a leg for SSL, switch.
>>> In addition (or as the second-best fix if you can’t go SSL), download the
>>> latest Sparkle and update your app project to use it.
>>>
>>> —Jens
>>
>>
>> _______________________________________________
>>
>> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
>>
>> Please do not post admin requests or moderator comments to the list.
>> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>>
>> Help/Unsubscribe/Update your Subscription:
>> https://lists.apple.com/mailman/options/cocoa-dev/mailing%40xenonium.com
>>
>> This email sent to mail...@xenonium.com
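As an added defender-side check (not code from this thread or from the Sparkle project), the script below audits an .app bundle for the two conditions Jens names: an SUFeedURL fetched over plain HTTP, and a bundled Sparkle.framework older than 1.13. The framework Info.plist location and the CFBundleShortVersionString key are assumptions about Sparkle's bundle layout; the sample plist dicts are constructed.

```python
"""Audit a Sparkle-using .app: plain-HTTP SUFeedURL and Sparkle < 1.13 (as in the thread)."""
import plistlib
from pathlib import Path
from urllib.parse import urlparse

SAFE_MIN_VERSION = (1, 13)  # Sparkle 1.13, the release the thread names

def parse_version(text):
    """'1.5 Beta 6' -> (1, 5); '1.13.1' -> (1, 13, 1). Leading digits per part."""
    parts = []
    for piece in text.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)

def audit(app_plist, sparkle_plist):
    """Findings for an app Info.plist dict and the Sparkle.framework Info.plist dict (or None)."""
    feed = app_plist.get("SUFeedURL")
    if feed is None:
        return ["no SUFeedURL key: app does not appear to use Sparkle"]
    findings = []
    scheme = urlparse(feed).scheme.lower()
    if scheme != "https":  # appcast can be tampered with in transit
        findings.append(f"appcast fetched over {scheme or 'unknown'}: {feed}")
    if sparkle_plist is None:
        findings.append("Sparkle.framework Info.plist not found; version unknown")
    else:
        ver = sparkle_plist.get("CFBundleShortVersionString", "0")
        if parse_version(ver) < SAFE_MIN_VERSION:
            findings.append(f"bundled Sparkle {ver} is older than 1.13")
    return findings

def audit_bundle(app_path):
    # Framework plist location is an assumption about Sparkle's bundle layout.
    app = Path(app_path)
    fw = app / "Contents/Frameworks/Sparkle.framework/Resources/Info.plist"
    with open(app / "Contents/Info.plist", "rb") as fh:
        app_plist = plistlib.load(fh)
    sparkle_plist = plistlib.load(open(fw, "rb")) if fw.exists() else None
    return audit(app_plist, sparkle_plist)

# Constructed sample plists (not real apps) so the check runs offline.
VULNERABLE_APP = {"SUFeedURL": "http://example.invalid/appcast.xml"}
OLD_SPARKLE = {"CFBundleShortVersionString": "1.5 Beta 6"}
FIXED_APP = {"SUFeedURL": "https://example.invalid/appcast.xml"}
NEW_SPARKLE = {"CFBundleShortVersionString": "1.13.1"}
```

Run `audit_bundle("/Applications/SomeApp.app")` against an installed bundle; an empty list means neither condition from the thread applies.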