Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

Silly me, forgot to add error checking. Adjusted script: set plistContents to "" set x to (path to startup disk) as text set pathToAppFolder to x & "Applications:" as alias set infoFilePath to "Contents:info.plist" set theApp to "" set sparkleAppsList to {} set theAppList to do shell script

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

What I “think” (...read: “hope", cos I really need to be getting on with other stuff, like updating the Sparkle version in my own apps…) is my final version of the script to check for vulnerable Sparkle frameworks and prefPanes (system wide, including backups if connected): Script version

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> On 12 Feb 2016, at 17:14, sqwarqDev wrote: > > What I “think” (...read: “hope", cos I really need to be getting on with > other stuff, like updating the Sparkle version in my own apps…) is my final > version of the script to check for vulnerable Sparkle frameworks and

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> Le 11 févr. 2016 à 02:16, Ben Kennedy a écrit : > >> On 10 Feb 2016, at 5:00 pm, Gary L. Wade >> wrote: >> >> You've made my point. None of my friends would even bother with looking at >> the certificate for his site (assuming that's his site

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

Thanks largely to folks over on the AppleScript users list, the rough script I was providing yesterday has been significantly improved. Here’s the latest version. Credits go to Al Varnell and Yvan Koenig for suggestions and rewriting of my earlier drafts. Added: apps in /Applications

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

OK, I've started adding version numbers to this script now to avoid confusion. :~! Latest 'update' is v1.3 (fixed: the 'choose folder' option now works correctly): I don't think this is the last version...there's at least one outstanding problem one person's having that I'm waiting to here

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote: You can do that in the terminal, I found this terminal command online: find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}' Here’s an AppleScript that will output the insecure http apps from

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote: You can do that in the terminal, I found this terminal command online: find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}' Sorry, some posting problems. Here’s the latest version of the

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

I've removed some duplications in the code, but functionally identical to the last version. Again, I'll point out that this is only going to show you apps in /Applications, and it's not going to find those that hide the appcast url in the binary (DriveDx, for one, but there are others). Bear

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

On 10 Feb 2016, at 22:55, Peter Teeson wrote: find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString That produces a list of apps that are on earlier

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

This worked for me: find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString and I got it from this link:

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> On Feb 10, 2016, at 12:17 PM, brodhage wrote: > > Why? Because any application accessing web content via the WebView framework > (Sparkle, Safari and many other apps) might allow to "launch special / > default behaviour" (for example "file://" or "ftp://; or Safari which

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

May be I am wrong (or it is off-topic) - but is this (just) a Sparkle problem? I have read "Vulnerable Security - There's a lot of vulnerable OS X applications out there" (https://vulnsec.com/2016/osx-apps-vulnerabilities/) - and if I got the idea then browsing the web is insecure. Why?

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> Le 10 févr. 2016 à 05:48, Trygve Inda a écrit : > >> If your hosting provider still charges an arm and a leg for SSL, switch. > > I need SSL for multiple subdomains. My host (Pair Networks) charges $449/yr > for such a certificate. That seems really expensive. What

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

I just checked to see what happens when visiting your web site at https://xenonium.com and found on the current latest release of iOS and OS X under Safari I get a "Cannot Verify Server Identity" alert, so maybe you set it up wrong, support for that authority is forthcoming, or you get what you

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote: tell them how they can find out which apps use Sparkle?? On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote: tell them how they can find out which apps use Sparkle?? I was thinking of writing a script for this, checking for

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

You can do that in the terminal, I found this terminal command online: find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}' This returns: Cornerstone Sequel Pro on my Mac Book Pro... Important note: I did not come up with this myself and was a bit

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

An app could also have plugins or embedded frameworks that have distinct Sparkle updaters. Sent from my iPhone > On Feb 10, 2016, at 9:39 PM, diede...@tenhorses.com wrote: > > You can do that in the terminal, I found this terminal command online: > > find /Applications -name

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

It looks safe... > On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote: > > You can do that in the terminal, I found this terminal command online: > > find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk > -F'.' '{print $1}' This finds all files named Sparkle.framework

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

If you actually took a look at the details, you'd see that the cert is for "ssl13.ovh.net" rather than "xenonium.com". If you visit https://ssl13.ovh.net in Safari you will see no such problem. Jean-Daniel did not expressly state that he's trying to serve anything at https://xenonium.com. -b

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> On Feb 10, 2016, at 4:35 PM, Gary L. Wade > wrote: > > I just checked to see what happens when visiting your web site at > https://xenonium.com and found on the current latest > release of iOS and OS X under Safari I get a "Cannot

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

You've made my point. None of my friends would even bother with looking at the certificate for his site (assuming that's his site from his email address) and move on. At worst, they'd call me and I'd say don't go there since I don't want them to screenshot that and text it to me to figure it

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> On 10 Feb 2016, at 5:00 pm, Gary L. Wade wrote: > > You've made my point. None of my friends would even bother with looking at > the certificate for his site (assuming that's his site from his email > address) and move on. At worst, they'd call me and I'd say

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

OK. I did watch the POC and it appears this is not in the update process, but in the check for update that the attack occurs. > Le 9 févr. 2016 à 23:27, Jean-Daniel Dupas a écrit : > > I agree. I can’t see how that can work with a properly configured Sparkle, > that is

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

Yes, this is very important -- don't ignore this message! On Tuesday, February 9, 2016, Jens Alfke wrote: > Ars Technica has an article today about a vulnerability in the Sparkle > auto-update framework, which can allow an attacker to hijack an app update > check to install

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

Thanks for the heads-up Jens. Is it enough to change the SUFeedURL to https (if your server supports it, which ours does), or does it also require the library to be updated? The comment you link doesn’t clarify it for me - it mentions WebView, but I’m not clear about how Sparkle is using

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

I agree. I can’t see how that can work with a properly configured Sparkle, that is an App that accepts only properly signed update. > Le 9 févr. 2016 à 23:22, Graham Cox a écrit : > > Thanks for the heads-up Jens. > > Is it enough to change the SUFeedURL to https (if

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> On Feb 9, 2016, at 2:22 PM, Graham Cox wrote: > > Is it enough to change the SUFeedURL to https (if your server supports it, > which ours does), or does it also require the library to be updated? Using HTTPS for the appcast RSS feed should be sufficient, because it

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> On 10 Feb 2016, at 1:08 PM, Charles Srstka wrote: > > If your app is accessing your appcast via HTTP, that could be intercepted > just the same as your relnotes, and then the attacker could set the relnotes > URL to whatever s/he wants. Yep, I see that. Bugger.

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> If your hosting provider still charges an arm and a leg for SSL, switch. I need SSL for multiple subdomains. My host (Pair Networks) charges $449/yr for such a certificate. That seems really expensive. What are others paying for this? I have been very happy with Pair as we run a complex server

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

If your app is accessing your appcast via HTTP, that could be intercepted just the same as your relnotes, and then the attacker could set the relnotes URL to whatever s/he wants. Charles > On Feb 9, 2016, at 7:53 PM, Graham Cox wrote: > > Wait a sec, I think I see an

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

AWS Certificate Manager provides multi-domain certificates (up to 100, I think) for free. You can serve an S3 bucket using CloudFront with a custom domain and SSL, and costs for this will be pretty minimal (probably well under $10 a month?). > On Feb 9, 2016, at 8:48 PM, Trygve Inda

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> On 10 Feb 2016, at 12:22 PM, Jens Alfke wrote: > > It’s to display the release notes, which come from an RSS entry in the feed > and are in HTML format. And Sparkle had a couple of bugs relating to that: > (a) the WebView was configured to allow JavaScript, and (b) their

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

Wait a sec, I think I see an easy solution to this. The appcast supplies the URL for the release notes, so that can be updated to https without having to republish the app itself. That makes this a lot less trouble than it seems. Am I right? —Graham > On 10 Feb 2016, at 12:49 PM, Graham

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

On Feb 9, 2016, at 17:53 , Graham Cox wrote: > > The appcast supplies the URL for the release notes, so that can be updated to > https without having to republish the app itself. That makes this a lot less > trouble than it seems. Yes, but the appcast itself is

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> On 10 Feb 2016, at 13:45, sqwarqDev wrote: > > >> On 10 Feb 2016, at 09:08, Charles Srstka wrote: >> >> If your app is accessing your appcast via HTTP, that could be intercepted >> just the same as your relnotes, and then the attacker could

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

On Feb 9, 2016, at 11:45 PM, sqwarqDev wrote: > > >> On 10 Feb 2016, at 09:08, Charles Srstka wrote: >> >> If your app is accessing your appcast via HTTP, that could be intercepted >> just the same as your relnotes, and then the attacker could

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

> On 10 Feb 2016, at 09:08, Charles Srstka wrote: > > If your app is accessing your appcast via HTTP, that could be intercepted > just the same as your relnotes, and then the attacker could set the relnotes > URL to whatever s/he wants. Can I just double-check my

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

About feedback to users and helping them avoid problems: So in order to avoid problems in the immediate short run, we should inform users to turn off automatic software updates and update checks with a current version and also tell them how they can find out which apps use Sparkle?? Once an