> On Feb 9, 2016, at 2:22 PM, Graham Cox <graham....@bigpond.com> wrote:
>
> Is it enough to change the SUFeedURL to https (if your server supports it,
> which ours does), or does it also require the library to be updated?
Using HTTPS for the appcast RSS feed should be sufficient, because it prevents an attacker from tampering with the contents of the feed.

> The comment you link doesn’t clarify it for me - it mentions WebView, but I’m
> not clear about how Sparkle is using WebView

It’s to display the release notes, which come from an RSS entry in the feed and are in HTML format. And Sparkle had a couple of bugs relating to that: (a) the WebView was configured to allow JavaScript, and (b) their delegate handled navigation requests to file: URLs by sending them to the Finder. This meant that a malicious feed entry could run a script to download some malware and then tell the Finder to launch the downloaded malware installer. Full details are here: https://vulnsec.com/2016/osx-apps-vulnerabilities/

One of the takeaways from this for Mac developers is that WebViews can be really dangerous, and if you use one in your app, you should give it the minimum possible privileges and be really careful about how you respond to any requests the loaded web page makes.

—Jens

_______________________________________________
Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
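As an added illustration of the "minimum possible privileges" advice in the reply above (this is example code written for this page, not Sparkle's code and not anything posted to the list), here is a release-notes view built on the legacy WebKit WebView API the thread refers to. JavaScript, Java and plug-ins are switched off in the WebPreferences, the HTML is loaded against an about:blank base URL so relative links cannot resolve to file: paths, and the policy delegate only ever hands an http(s) URL that the user actually clicked to the default browser; every other navigation, file: URLs included, is dropped rather than passed to NSWorkspace. The class name ReleaseNotesController and the showReleaseNotesHTML: entry point are assumptions made for the example.

```objc
// Added example (not Sparkle's code): a least-privilege WebView for
// rendering untrusted release-notes HTML from an appcast feed.
#import <Cocoa/Cocoa.h>
#import <WebKit/WebKit.h>

@interface ReleaseNotesController : NSObject <WebPolicyDelegate, WebUIDelegate>
@property (nonatomic, strong) WebView *webView;
@end

@implementation ReleaseNotesController

- (instancetype)init {
    if ((self = [super init])) {
        _webView = [[WebView alloc] initWithFrame:NSMakeRect(0, 0, 600, 400)];

        // (a) No script, no Java, no plug-ins for feed-supplied HTML.
        WebPreferences *prefs = [[WebPreferences alloc] initWithIdentifier:@"ReleaseNotes"];
        [prefs setJavaScriptEnabled:NO];
        [prefs setJavaEnabled:NO];
        [prefs setPlugInsEnabled:NO];
        [prefs setJavaScriptCanOpenWindowsAutomatically:NO];
        [_webView setPreferences:prefs];

        // (b) Every navigation and window request goes through our policy.
        [_webView setPolicyDelegate:self];
        [_webView setUIDelegate:self];
    }
    return self;
}

// Hypothetical entry point: `html` is the <description> of one appcast item.
- (void)showReleaseNotesHTML:(NSString *)html {
    // about:blank base URL: relative hrefs cannot resolve to file: URLs.
    [[_webView mainFrame] loadHTMLString:html
                                 baseURL:[NSURL URLWithString:@"about:blank"]];
}

- (BOOL)isWebURL:(NSURL *)url {
    NSString *scheme = url.scheme.lowercaseString;
    return [scheme isEqualToString:@"https"] || [scheme isEqualToString:@"http"];
}

// Only our own loadHTMLString: load is rendered inside the view. A link the
// user clicks is sent to the default browser only if it is http(s); file:,
// javascript:, custom schemes and programmatic navigations are all ignored.
- (void)webView:(WebView *)webView
    decidePolicyForNavigationAction:(NSDictionary *)actionInformation
    request:(NSURLRequest *)request
    frame:(WebFrame *)frame
    decisionListener:(id<WebPolicyDecisionListener>)listener
{
    NSInteger navType = [actionInformation[WebActionNavigationTypeKey] integerValue];
    NSURL *url = request.URL;

    if (navType == WebNavigationTypeOther &&
        frame == [webView mainFrame] &&
        [url.scheme.lowercaseString isEqualToString:@"about"]) {
        [listener use];                       // the initial loadHTMLString:
        return;
    }
    if (navType == WebNavigationTypeLinkClicked && [self isWebURL:url]) {
        [listener ignore];                    // never navigate the view itself
        [[NSWorkspace sharedWorkspace] openURL:url];
        return;
    }
    [listener ignore];                        // everything else is dropped
}

// Same rule for links that target a new window (target="_blank").
- (void)webView:(WebView *)webView
    decidePolicyForNewWindowAction:(NSDictionary *)actionInformation
    request:(NSURLRequest *)request
    newFrameName:(NSString *)frameName
    decisionListener:(id<WebPolicyDecisionListener>)listener
{
    [listener ignore];
    if ([self isWebURL:request.URL]) {
        [[NSWorkspace sharedWorkspace] openURL:request.URL];
    }
}

// Refuse to create pop-up WebViews at all.
- (WebView *)webView:(WebView *)sender createWebViewWithRequest:(NSURLRequest *)request {
    return nil;
}

@end
```

The point of routing through `-[NSWorkspace openURL:]` only after an explicit scheme check is the failure mode the reply describes: an unconditional `openURL:` on a file: URL launches whatever the URL points at. Combining the scheme allow-list with `WebNavigationTypeLinkClicked` also stops a meta refresh or similar page-driven navigation from reaching the browser without a user gesture.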