Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-03-15 Thread sqwarqDev
Silly me, forgot to add error checking. Adjusted script:
set plistContents to ""
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
set theAppList to do shell script "find

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-12 Thread Roland King
> On 12 Feb 2016, at 17:14, sqwarqDev wrote: > > What I “think” (...read: “hope", cos I really need to be getting on with > other stuff, like updating the Sparkle version in my own apps…) is my final > version of the script to check for vulnerable Sparkle frameworks and > prefPanes (system wi

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-12 Thread sqwarqDev
What I “think” (...read: “hope", cos I really need to be getting on with other stuff, like updating the Sparkle version in my own apps…) is my final version of the script to check for vulnerable Sparkle frameworks and prefPanes (system wide, including backups if connected): Script version 1.6:

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-11 Thread Jean-Daniel Dupas
> Le 11 févr. 2016 à 02:16, Ben Kennedy a écrit : > >> On 10 Feb 2016, at 5:00 pm, Gary L. Wade >> wrote: >> >> You've made my point. None of my friends would even bother with looking at >> the certificate for his site (assuming that's his site from his email >> address) and move on. At wor

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-11 Thread sqwarqDev
Thanks largely to folks over on the AppleScript users list, the rough script I was providing yesterday has been significantly improved. Here’s the latest version. Credits go to Al Varnell and Yvan Koenig for suggestions and rewriting of my earlier drafts. Added: apps in /Applications subfold

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Ben Kennedy
> On 10 Feb 2016, at 5:00 pm, Gary L. Wade wrote: > > You've made my point. None of my friends would even bother with looking at > the certificate for his site (assuming that's his site from his email > address) and move on. At worst, they'd call me and I'd say don't go there > since I don't w

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Gary L. Wade
You've made my point. None of my friends would even bother with looking at the certificate for his site (assuming that's his site from his email address) and move on. At worst, they'd call me and I'd say don't go there since I don't want them to screenshot that and text it to me to figure it out

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Jens Alfke
> On Feb 10, 2016, at 4:35 PM, Gary L. Wade > wrote: > > I just checked to see what happens when visiting your web site at > https://xenonium.com and found on the current latest > release of iOS and OS X under Safari I get a "Cannot Verify Server Identity" > alert, so

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Ben Kennedy
If you actually took a look at the details, you'd see that the cert is for "ssl13.ovh.net" rather than "xenonium.com". If you visit https://ssl13.ovh.net in Safari you will see no such problem. Jean-Daniel did not expressly state that he's trying to serve anything at https://xenonium.com. -b

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Gary L. Wade
I just checked to see what happens when visiting your web site at https://xenonium.com and found on the current latest release of iOS and OS X under Safari I get a "Cannot Verify Server Identity" alert, so maybe you set it up wrong, support for that authority is forthcoming, or you get what you

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Jean-Daniel Dupas
> Le 10 févr. 2016 à 05:48, Trygve Inda a écrit : > >> If your hosting provider still charges an arm and a leg for SSL, switch. > > I need SSL for multiple subdomains. My host (Pair Networks) charges $449/yr > for such a certificate. That seems really expensive. What are others paying > for thi

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Jens Alfke
> On Feb 10, 2016, at 12:17 PM, brodhage wrote: > > Why? Because any application accessing web content via the WebView framework > (Sparkle, Safari and many other apps) might allow to "launch special / > default behaviour" (for example "file://" or "ftp://"; or Safari which starts > iTunes if

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread brodhage
May be I am wrong (or it is off-topic) - but is this (just) a Sparkle problem? I have read "Vulnerable Security - There's a lot of vulnerable OS X applications out there" (https://vulnsec.com/2016/osx-apps-vulnerabilities/) - and if I got the idea then browsing the web is insecure. Why? Because

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Peter Teeson
This worked for me: find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString and I got it from this link:

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev
I've removed some duplications in the code, but functionally identical to the last version. Again, I'll point out that this is only going to show you apps in /Applications, and it's not going to find those that hide the appcast url in the binary (DriveDx, for one, but there are others). Bear i

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev
On 10 Feb 2016, at 22:55, Peter Teeson wrote: find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString That produces a list of apps that are on earlier versions of Sparkle than 1.13.

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev
OK, I've started adding version numbers to this script now to avoid confusion. :~! Latest 'update' is v1.3 (fixed: the 'choose folder' option now works correctly): I don't think this is the last version...there's at least one outstanding problem one person's having that I'm waiting to hear mor

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev
On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote: You can do that in the terminal, I found this terminal command online: find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}' Sorry, some posting problems. Here’s the latest version of the scrip

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev
On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote: You can do that in the terminal, I found this terminal command online: find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}' Here’s an AppleScript that will output the insecure http apps from your

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Sandor Szatmari
It looks safe... > On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote: > > You can do that in the terminal, I found this terminal command online: > > find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk > -F'.' '{print $1}' This finds all files named Sparkle.framework

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread dangerwillrobinsondanger
An app could also have plugins or embedded frameworks that have distinct Sparkle updaters. Sent from my iPhone > On Feb 10, 2016, at 9:39 PM, diede...@tenhorses.com wrote: > > You can do that in the terminal, I found this terminal command online: > > find /Applications -name Sparkle.framework

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread diederik
You can do that in the terminal, I found this terminal command online: find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}' This returns: Cornerstone Sequel Pro on my Mac Book Pro... Important note: I did not come up with this myself and was a bit nervous

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev
On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote: tell them how they can find out which apps use Sparkle?? I was thinking of writing a script for this, checking for SUFeedURL
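Putting the pieces from the messages above together (Peter Teeson's version grep on Autoupdate.app, the find | awk listing of Sparkle.framework bundles, the point that plug-ins and embedded frameworks may carry their own Sparkle, and the SUFeedURL check sqwarqDev mentions): the following is an added example, not a script posted in this thread and not Sparkle's own code. It walks an application folder, reports the scheme of each app's SUFeedURL and the version of every bundled Sparkle.framework, and gives a verdict per app. Assumptions are mine: the patched version threshold defaults to 1.13.1 (the thread says "1.13"; 1.13.1 is the release that shipped the fix) and can be overridden through MIN_SAFE_SPARKLE; Info.plist files are XML (convert binary ones with plutil first); and the sample application tree, the example.invalid host and the bundle names are constructed test data so the audit runs off a Mac.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an application folder for
# Sparkle updaters that fetch their appcast over plain HTTP, or that bundle a
# Sparkle.framework older than the patched release. Assumptions (mine):
#   - MIN_SAFE_SPARKLE defaults to 1.13.1, the release that shipped the fix
#     (the thread says "1.13"); override it in the environment if needed.
#   - Info.plist files are XML. On a real Mac convert binary plists first:
#     plutil -convert xml1 -o - Info.plist
#   - Apps that keep SUFeedURL in the binary rather than Info.plist are
#     reported as FEED_NOT_IN_PLIST, not as safe.

MIN_SAFE_SPARKLE="${MIN_SAFE_SPARKLE:-1.13.1}"

# plist_string_value FILE KEY -> the <string> that follows <key>KEY</key>, or empty
plist_string_value() {
    [ -f "$1" ] || return 0
    # join lines first: key and value usually sit on separate lines
    tr -d '\n' < "$1" | sed -n "s|.*<key>$2</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p"
}

# version_lt A B -> true when dotted numeric version A is strictly below B
# (numeric components only; "1.13" compares as 1.13.0)
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" y="${b%%.*}"
        a="${a#*.}" b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# url_scheme URL -> http | https | none | other
url_scheme() {
    case "$1" in
        http://*)  echo http ;;
        https://*) echo https ;;
        "")        echo none ;;
        *)         echo other ;;
    esac
}

# audit_app APPDIR -> "<name> feed=<scheme> sparkle=<version|none> <verdict>"
# Checks SUFeedURL in the app's own Info.plist and the version of every
# Sparkle.framework found anywhere in the bundle, including frameworks
# carried by embedded plug-ins (the case raised above).
audit_app() {
    app="$1"
    scheme=$(url_scheme "$(plist_string_value "$app/Contents/Info.plist" SUFeedURL)")
    sparkle_ver= old=no
    oldifs=$IFS; IFS='
'
    for p in $(find "$app" -path '*Sparkle.framework/Versions/*/Resources/Info.plist' 2>/dev/null); do
        v=$(plist_string_value "$p" CFBundleShortVersionString)
        sparkle_ver="${v:-unknown}"
        if [ -z "$v" ] || version_lt "$v" "$MIN_SAFE_SPARKLE"; then old=yes; fi
    done
    IFS=$oldifs
    if   [ "$scheme" = http ];                          then verdict=VULNERABLE
    elif [ "$scheme" = none ] && [ -z "$sparkle_ver" ]; then verdict=NO_SPARKLE
    elif [ "$scheme" = none ];                          then verdict=FEED_NOT_IN_PLIST
    elif [ "$old" = yes ];                              then verdict=OLD_SPARKLE
    else                                                     verdict=OK
    fi
    echo "$(basename "$app" .app) feed=$scheme sparkle=${sparkle_ver:-none} $verdict"
}

# audit_tree DIR -> audit every *.app directly inside DIR (e.g. /Applications)
audit_tree() {
    oldifs=$IFS; IFS='
'
    for bundle in $(find "$1" -maxdepth 1 -name '*.app'); do audit_app "$bundle"; done
    IFS=$oldifs
}

# --- constructed sample data so the audit can be exercised off a Mac ---------
write_plist() {   # write_plist FILE KEY VALUE -> minimal single-key XML plist
    mkdir -p "$(dirname "$1")"
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n\t<key>%s</key>\n\t<string>%s</string>\n</dict>\n</plist>\n' "$2" "$3" > "$1"
}

make_sample_tree() {   # prints the path of a constructed stand-in for /Applications
    root=$(mktemp -d)
    fw=Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Info.plist
    write_plist "$root/Old Http.app/Contents/Info.plist" SUFeedURL http://example.invalid/appcast.xml
    write_plist "$root/Old Http.app/$fw" CFBundleShortVersionString 1.10.0
    write_plist "$root/Patched.app/Contents/Info.plist" SUFeedURL https://example.invalid/appcast.xml
    write_plist "$root/Patched.app/$fw" CFBundleShortVersionString 1.13.1
    write_plist "$root/Plugins.app/Contents/Info.plist" SUFeedURL https://example.invalid/appcast.xml
    write_plist "$root/Plugins.app/Contents/PlugIns/Ext.bundle/$fw" CFBundleShortVersionString 1.12.0
    write_plist "$root/NoSparkle.app/Contents/Info.plist" CFBundleIdentifier com.example.nosparkle
    echo "$root"
}

# Usage on a Mac:  audit_tree /Applications
# Off a Mac:       audit_tree "$(make_sample_tree)"
```

The verdict column is deliberately split: an http feed is VULNERABLE whatever Sparkle version is bundled, an https feed with an old Sparkle is OLD_SPARKLE (the PSA's "update it, or use an HTTPS server" is satisfied, but the framework should still move on), and an app with a bundled Sparkle but no SUFeedURL in Info.plist is FEED_NOT_IN_PLIST rather than safe, since the feed may be compiled into the binary as noted above. Backups and apps outside /Applications need a separate audit_tree call per folder.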

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread diederik
About feedback to users and helping them avoid problems: So in order to avoid problems in the immediate short run, we should inform users to turn off automatic software updates and update checks with a current version and also tell them how they can find out which apps use Sparkle?? Once an updat

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Ken Thomases
On Feb 9, 2016, at 11:45 PM, sqwarqDev wrote: > > >> On 10 Feb 2016, at 09:08, Charles Srstka wrote: >> >> If your app is accessing your appcast via HTTP, that could be intercepted >> just the same as your relnotes, and then the attacker could set the relnotes >> URL to whatever s/he wants.

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Roland King
> On 10 Feb 2016, at 13:45, sqwarqDev wrote: > > >> On 10 Feb 2016, at 09:08, Charles Srstka wrote: >> >> If your app is accessing your appcast via HTTP, that could be intercepted >> just the same as your relnotes, and then the attacker could set the relnotes >> URL to whatever s/he wants.

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread sqwarqDev
> On 10 Feb 2016, at 09:08, Charles Srstka wrote: > > If your app is accessing your appcast via HTTP, that could be intercepted > just the same as your relnotes, and then the attacker could set the relnotes > URL to whatever s/he wants. Can I just double-check my understanding here: 1. If t

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Jake Petroules
AWS Certificate Manager provides multi-domain certificates (up to 100, I think) for free. You can serve an S3 bucket using CloudFront with a custom domain and SSL, and costs for this will be pretty minimal (probably well under $10 a month?). > On Feb 9, 2016, at 8:48 PM, Trygve Inda wrote: >

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Trygve Inda
> If your hosting provider still charges an arm and a leg for SSL, switch. I need SSL for multiple subdomains. My host (Pair Networks) charges $449/yr for such a certificate. That seems really expensive. What are others paying for this? I have been very happy with Pair as we run a complex server s

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Graham Cox
> On 10 Feb 2016, at 1:08 PM, Charles Srstka wrote: > > If your app is accessing your appcast via HTTP, that could be intercepted > just the same as your relnotes, and then the attacker could set the relnotes > URL to whatever s/he wants. Yep, I see that. Bugger. —G.

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Charles Srstka
If your app is accessing your appcast via HTTP, that could be intercepted just the same as your relnotes, and then the attacker could set the relnotes URL to whatever s/he wants. Charles > On Feb 9, 2016, at 7:53 PM, Graham Cox wrote: > > Wait a sec, I think I see an easy solution to this. >

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Quincey Morris
On Feb 9, 2016, at 17:53 , Graham Cox wrote: > > The appcast supplies the URL for the release notes, so that can be updated to > https without having to republish the app itself. That makes this a lot less > trouble than it seems. Yes, but the appcast itself is vulnerable to separate attack, i

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Graham Cox
Wait a sec, I think I see an easy solution to this. The appcast supplies the URL for the release notes, so that can be updated to https without having to republish the app itself. That makes this a lot less trouble than it seems. Am I right? —Graham > On 10 Feb 2016, at 12:49 PM, Graham C
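The exchange between Charles, Quincey and Graham above comes down to what the appcast hands the updater: the release-notes URL it supplies, the enclosure URL, and whether the enclosure is signed. The following is an added example, not code from this thread or from Sparkle itself: a POSIX shell audit of an appcast file that flags release-notes links and enclosure URLs served over plain HTTP and enclosures without a sparkle:dsaSignature attribute. The element and attribute names are the classic Sparkle 1.x appcast layout (sparkle:releaseNotesLink, enclosure url / sparkle:version / sparkle:dsaSignature); the two-item sample feed, the example.invalid host and the placeholder signature value are constructed test data of mine.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Sparkle appcast for the
# weaknesses discussed above: release-notes or enclosure URLs served over
# plain HTTP, and enclosures without a DSA signature.
# Assumptions (mine): the appcast is XML text with one <enclosure> per <item>,
# release notes given as <sparkle:releaseNotesLink> (or embedded in
# <description>), and version / signature carried as enclosure attributes.

# one_item_per_line FILE -> the appcast flattened so each </item> ends a line
one_item_per_line() {
    tr '\n\t' '  ' < "$1" | sed 's#</item>#</item>\
#g'
}

# enclosure_attr ITEM NAME -> value of NAME="..." on the item's <enclosure>, or empty
enclosure_attr() {
    printf '%s' "$1" | sed -n "s/.*<enclosure[^>]*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# relnotes_link ITEM -> URL inside <sparkle:releaseNotesLink>, or empty
relnotes_link() {
    printf '%s' "$1" | sed -n 's#.*<sparkle:releaseNotesLink>\([^<]*\)</sparkle:releaseNotesLink>.*#\1#p' | tr -d ' '
}

# url_scheme URL -> http | https | none | other
url_scheme() {
    case "$1" in
        http://*)  echo http ;;
        https://*) echo https ;;
        "")        echo none ;;
        *)         echo other ;;
    esac
}

# audit_item ITEM -> "version=<v> enclosure=<scheme> relnotes=<scheme|embedded|none> signed=<yes|no> issues=<list|none>"
audit_item() {
    item="$1"
    ver=$(enclosure_attr "$item" sparkle:version)
    enc=$(url_scheme "$(enclosure_attr "$item" url)")
    link=$(relnotes_link "$item")
    if [ -n "$link" ]; then
        rel=$(url_scheme "$link")
    else
        # no link element: Sparkle renders <description> HTML from the feed itself
        case "$item" in *'<description>'*) rel=embedded ;; *) rel=none ;; esac
    fi
    signed=no
    [ -n "$(enclosure_attr "$item" sparkle:dsaSignature)" ] && signed=yes
    issues=
    [ "$enc" = http ]   && issues="$issues,http-enclosure"
    [ "$rel" = http ]   && issues="$issues,http-relnotes"
    [ "$signed" = no ]  && issues="$issues,unsigned"
    issues=${issues#,}
    echo "version=${ver:-?} enclosure=$enc relnotes=$rel signed=$signed issues=${issues:-none}"
}

# audit_appcast FILE -> one audit line per <item>, in feed order
audit_appcast() {
    one_item_per_line "$1" | while IFS= read -r line; do
        case "$line" in *'<item>'*) audit_item "$line" ;; esac
    done
}

# make_sample_appcast -> path of a constructed two-item appcast (test data):
# item 1.0 is the weak configuration, item 1.1 the corrected one
make_sample_appcast() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>Example App Changelog</title>
    <item>
      <title>Version 1.0</title>
      <sparkle:releaseNotesLink>http://example.invalid/notes/1.0.html</sparkle:releaseNotesLink>
      <pubDate>Tue, 09 Feb 2016 10:00:00 +0000</pubDate>
      <enclosure url="http://example.invalid/ExampleApp-1.0.zip" sparkle:version="1.0" length="1234" type="application/octet-stream" />
    </item>
    <item>
      <title>Version 1.1</title>
      <sparkle:releaseNotesLink>https://example.invalid/notes/1.1.html</sparkle:releaseNotesLink>
      <pubDate>Wed, 10 Feb 2016 10:00:00 +0000</pubDate>
      <enclosure url="https://example.invalid/ExampleApp-1.1.zip" sparkle:version="1.1" sparkle:dsaSignature="PLACEHOLDER_BASE64_SIGNATURE" length="1234" type="application/octet-stream" />
    </item>
  </channel>
</rss>
EOF
    echo "$f"
}

# Usage:  audit_appcast path/to/appcast.xml      or      audit_appcast "$(make_sample_appcast)"
```

Serving the feed itself over HTTPS (the SUFeedURL) is the primary fix, since a feed fetched over plain HTTP lets an attacker rewrite every URL in it. This audit covers the complementary case the thread raises: a feed that is already fetched securely but still hands the updater an http:// release-notes link, which an older Sparkle would load in its JavaScript-enabled WebView, or an unsigned enclosure.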

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Graham Cox
> On 10 Feb 2016, at 12:22 PM, Jens Alfke wrote: > > It’s to display the release notes, which come from an RSS entry in the feed > and are in HTML format. And Sparkle had a couple of bugs relating to that: > (a) the WebView was configured to allow JavaScript, and (b) their delegate > handled

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Jens Alfke
> On Feb 9, 2016, at 2:22 PM, Graham Cox wrote: > > Is it enough to change the SUFeedURL to https (if your server supports it, > which ours does), or does it also require the library to be updated? Using HTTPS for the appcast RSS feed should be sufficient, because it prevents an attacker from

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Jean-Daniel Dupas
OK. I did watch the POC and it appears this is not in the update process, but in the check for update that the attack occurs. > Le 9 févr. 2016 à 23:27, Jean-Daniel Dupas a écrit : > > I agree. I can’t see how that can work with a properly configured Sparkle, > that is an App that accepts only

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Jean-Daniel Dupas
I agree. I can’t see how that can work with a properly configured Sparkle, that is an App that accepts only properly signed update. > Le 9 févr. 2016 à 23:22, Graham Cox a écrit : > > Thanks for the heads-up Jens. > > Is it enough to change the SUFeedURL to https (if your server supports it,

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Graham Cox
Thanks for the heads-up Jens. Is it enough to change the SUFeedURL to https (if your server supports it, which ours does), or does it also require the library to be updated? The comment you link doesn’t clarify it for me - it mentions WebView, but I’m not clear about how Sparkle is using Webvie

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread SevenBits
Yes, this is very important -- don't ignore this message! On Tuesday, February 9, 2016, Jens Alfke wrote: > Ars Technica has an article today about a vulnerability in the Sparkle > auto-update framework, which can allow an attacker to hijack an app update > check to install malware on the user’s