Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-03-15 Thread sqwarqDev

Silly me, forgot to add error checking. Adjusted script:

set plistContents to ""
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
# top-level bundle names under /Applications that embed Sparkle.framework
set theAppList to do shell script "find /Applications -name Sparkle.framework | awk -F'/' '{print $3}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
    set theApp to text of item i of theAppList
    set this_item to item i of theAppList
    set f to pathToAppFolder & this_item & ":" & infoFilePath as string
    tell application "System Events"
        if exists property list file f then
            set thePlist to contents of property list file f
            set theValue to value of thePlist

            (*
            if exists NoFeedURL then
                display dialog "nfU"
            end if

            if exists SUFeedURL then
                display dialog "SFU"
            end if
            *)

            if exists SUFeedURL of theValue then
                set thisSUFeedURL to SUFeedURL of theValue as text
                # flag appcasts fetched over plain http ("https:" does not match "http:")
                if thisSUFeedURL contains "http:" then
                    set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as text
                    set end of my sparkleAppsList to theResultString & "

"
                end if
            end if
        end if
    end tell
end repeat
display dialog "The following apps do not use secure https connections for the Sparkle updater:

" & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle Framework Vulnerability Check"

#EOF
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-12 Thread sqwarqDev

What I “think” (...read: “hope", cos I really need to be getting on with other 
stuff, like updating the Sparkle version in my own apps…) is my final version of the 
script to check for vulnerable Sparkle frameworks and prefPanes (system wide, 
including backups if connected):

Script version 1.6:

http://applehelpwriter.com/2016/02/10/how-to-check-for-sparkle-vulnerability/

A great deal of excellent contributions have been made by folks over on the 
AppleScript Users list and it is by no means solely my own work.



Best


Phil 


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-12 Thread Roland King

> On 12 Feb 2016, at 17:14, sqwarqDev  wrote:
> 
> What I “think” (...read: “hope", cos I really need to be getting on with 
> other stuff, like updating the Sparkle version in my own apps…) is my final 
> version of the script to check for vulnerable Sparkle frameworks and 
> prefPanes (system wide, including backups if connected):
> 
> Script version 1.6:
> 
> http://applehelpwriter.com/2016/02/10/how-to-check-for-sparkle-vulnerability/
> 
> A great deal of excellent contributions have been made by folks over on the 
> AppleScript Users list and it is by no means solely my own work.
> 
> 
> 
> Best


That script reports things which use HTTP even if they are using a version of 
Sparkle > 1.13, even though that is one of the requirements in your list at the 
top. E.g. I’ve updated Hopper and VLC

> pwd
/Applications/Hopper Disassembler v3.app/Contents/Frameworks/Sparkle.framework/Resources

> less Info.plist 

…

CFBundleVersion
1.13.1

…

So Hopper according to me should be fine - but it shows in the list. 



Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-11 Thread Jean-Daniel Dupas

> On 11 Feb 2016, at 02:16, Ben Kennedy wrote:
> 
>> On 10 Feb 2016, at 5:00 pm, Gary L. Wade  
>> wrote:
>> 
>> You've made my point. None of my friends would even bother with looking at 
>> the certificate for his site (assuming that's his site from his email 
>> address) and move on. At worst, they'd call me and I'd say don't go there 
>> since I don't want them to screenshot that and text it to me to figure it 
>> out.
> 
> No, you are misunderstanding me.  My point is that it may not be valid to 
> assume the web server at 213.186.33.24 (to which xenonium.com resolves) will 
> answer to HTTPS with a cert for "xenonium.com".
> 
> For example, https://213.186.33.24 presents the same "hostname mismatch" 
> alert, because the cert is not named for "213.186.33.24".
> 
> Conduct the same exercise for any A record returned for www.apple.com, and 
> you'll also get this result.  Completely expected.
> 
> Now, if Jean-Daniel has stated definitively that https://xenonium.com is 
> expected to serve up a matching certificate, you have an argument I would 
> agree with.  But for all we know (unless I've missed it), he's serving his 
> material at https://ssl13.ovh.net.
> 
> b

Sorry for the confusion. I’m not talking about that web site. It is on a 
mutualized hosting platform that forces me to pay to install a certificate that 
matches my hostname.

If I need to distribute secure content from that site, I can use the 
alternative access URL https://ssl13.ovh.net/~xenonium/ 
.






Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-11 Thread sqwarqDev
Thanks largely to folks over on the AppleScript users list, the rough script I 
was providing yesterday has been significantly improved. Here’s the latest 
version. 

Credits go to Al Varnell and Yvan Koenig for suggestions and rewriting of my 
earlier drafts.

Added: apps in /Applications subfolders
Added: Pref Panes that use Sparkle
Added: anything with .app extension outside of /Applications.
Added: counter showing number of vulnerable files found
Added: ability to view the complete list in TextEdit, allowing saving and, more 
importantly, viewing the whole list, which could be truncated in the dialog box.




#script version 1.51
set foundCounter to 0
set infoFilePath to "/Contents/info.plist"

# Spotlight query for every .prefPane and .app on any indexed volume (connected backups included);
# the two mdfind calls run one after the other so their output lines are not interleaved
set theApps to do shell script "mdfind kMDItemFSName == '*.prefPane' ; mdfind kMDItemFSName == '*.app'"
# a linefeed separates the two result sets, otherwise the last path of the first
# and the first path of the second would be glued into one bogus path
set theApps to theApps & linefeed & (do shell script "mdfind -onlyin /Applications " & quote & "kMDItemFSName == '*.app'" & quote)
set theApps to paragraphs of theApps
set sparkleAppsList to {}
tell application "System Events"
    repeat with anApp in theApps
        set anApp to anApp as text
        if exists disk item (anApp & "/Contents/Frameworks/Sparkle.framework") then
            try
                set thePlist to contents of property list file (anApp & infoFilePath)
                set theValue to value of thePlist
                try
                    # SUFeedURL is absent when the app sets its appcast in code (DriveDx and others)
                    set thisSUFeedURL to SUFeedURL of theValue as text
                    # flag appcasts fetched over plain http ("https:" does not match "http:")
                    if thisSUFeedURL contains "http:" then
                        set end of sparkleAppsList to "Application : " & anApp & " : " & thisSUFeedURL & linefeed & linefeed
                        set foundCounter to foundCounter + 1
                    end if
                end try
            end try
        end if
    end repeat
end tell

display dialog "Found: " & foundCounter & " apps that do not use secure https connections for the Sparkle updater:

" & sparkleAppsList buttons {"Save List", "OK"} default button "OK" with title "Sparkle Framework Vulnerability Check"

# display dialog returns a record; the pressed button is its "button returned" field
set aResponse to button returned of the result

if aResponse contains "Save List" then
    tell application "TextEdit"
        activate
        make new document
        set text of document 1 to sparkleAppsList as text
    end tell
end if
#EOF

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev

OK, I've started adding version numbers to this script now to avoid confusion. 
:~!

Latest 'update' is v1.3 (fixed: the 'choose folder' option now works correctly):

I don't think this is the last version...there's at least one outstanding 
problem one person's having that I'm waiting to hear more about (I can't 
reproduce it myself, but will post an update if / when needed).


#script version 1.3
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set defaultAppsFolder to "/Applications"

#comment out the three lines above and uncomment the three lines below if you want to choose the folder yourself

#set pathToAppFolder to choose folder
#set defaultAppsFolder to POSIX path of pathToAppFolder
#set defaultAppsFolder to text 1 thru -2 of defaultAppsFolder

# (pathToAppFolder is not set again below, so a chosen folder is not overridden)
set plistContents to ""
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
# bundle names that embed Sparkle.framework; awk's $3 assumes a folder one level below /, such as /Applications
set theAppList to do shell script "find " & defaultAppsFolder & " -name Sparkle.framework | awk -F'/' '{print $3}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
    set theApp to text of item i of theAppList
    set this_item to item i of theAppList
    set f to pathToAppFolder & this_item & ":" & infoFilePath as string
    tell application "System Events"
        if exists property list file f then
            set thePlist to contents of property list file f
            set theValue to value of thePlist

            if exists SUFeedURL of theValue then
                set thisSUFeedURL to SUFeedURL of theValue as text
                # flag appcasts fetched over plain http ("https:" does not match "http:")
                if thisSUFeedURL contains "http:" then
                    set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as text
                    set end of my sparkleAppsList to theResultString & "

"
                end if
            end if
        end if
    end tell
end repeat
display dialog "The following apps do not use secure https connections for the Sparkle updater:

" & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle Framework Vulnerability Check"

#EOF



Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev



On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote:

You can do that in the terminal, I found this terminal command online:

find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'


Here’s an AppleScript that will output the insecure http apps from your 
Applications folder. Note two caveats:

i. it won’t catch apps not in your /Applications folder

ii. it won’t catch apps that don’t use the SUFeedURL in the info.plist (some 
hide it in the binary, DriveDx being one I know of). 

I’ve also posted this script and a summary of what’s been said here on my blog 
at:


http://applehelpwriter.com/2016/02/10/how-to-check-for-sparkle-vulnerability/


Here’s the script. Paste it into the Script Editor, compile and run. If there are 
any compile problems, it’s just due to formatting from your email editor, so copy 
and paste as plain text.



set plistContents to ""
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
# bundle names (without the .app extension) under /Applications that embed Sparkle.framework
set theAppList to do shell script "find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
    set theApp to text of item i of theAppList
    set this_item to item i of theAppList
    set f to pathToAppFolder & this_item & ".app:" & infoFilePath as string
    tell application "System Events"
        set thePlist to contents of property list file f
        set theValue to value of thePlist
        set thisSUFeedURL to SUFeedURL of theValue as text
        # flag appcasts fetched over plain http ("https:" does not match "http:")
        if thisSUFeedURL contains "http:" then
            set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as text
            set end of my sparkleAppsList to theResultString & "

"
        end if
    end tell
end repeat
display dialog "The following apps do not use secure https connections for the sparkle updater:

" & sparkleAppsList as string

#EOF




Best


Phil

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev



On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote:


You can do that in the terminal, I found this terminal command online:



find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'


Sorry, some posting problems. Here’s the latest version of the script, with 
error checking. Also see the comments if you want to choose a subfolder or 
other folders aside from /Applications:



set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
#comment out the two lines above and uncomment the line below if you want to choose the folder yourself

#set pathToAppFolder to choose folder

set plistContents to ""
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
# top-level bundle names under /Applications that embed Sparkle.framework
set theAppList to do shell script "find /Applications -name Sparkle.framework | awk -F'/' '{print $3}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
    set theApp to text of item i of theAppList
    set this_item to item i of theAppList
    set f to pathToAppFolder & this_item & ":" & infoFilePath as string
    tell application "System Events"
        if exists property list file f then
            set thePlist to contents of property list file f
            set theValue to value of thePlist

            if exists SUFeedURL of theValue then
                set thisSUFeedURL to SUFeedURL of theValue as text
                # flag appcasts fetched over plain http ("https:" does not match "http:")
                if thisSUFeedURL contains "http:" then
                    set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as text
                    set end of my sparkleAppsList to theResultString & "

"
                end if
            end if
        end if
    end tell
end repeat
display dialog "The following apps do not use secure https connections for the Sparkle updater:

" & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle Framework Vulnerability Check"

#EOF


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev

I've removed some duplications in the code, but it is functionally identical to the 
last version.

Again, I'll point out that this is only going to show you apps in 
/Applications, and it's not going to find those that hide the appcast url in 
the binary (DriveDx, for one, but there are others). Bear in mind that it's a 
script that shows Sparkle apps that are definitely insecure, and doesn't imply 
that all the other apps that use Sparkle on your mac are secure.


#script version 1.41
set x to (path to startup disk) as text
set defaultAppsFolder to "/Applications"
set plistContents to ""
set pathToAppFolder to x & "Applications:"
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
# top-level bundle names under /Applications that embed Sparkle.framework
set theAppList to do shell script "find " & defaultAppsFolder & " -name Sparkle.framework | awk -F'/' '{print $3}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
    set theApp to text of item i of theAppList
    set this_item to item i of theAppList
    set f to pathToAppFolder & this_item & ":" & infoFilePath as string
    tell application "System Events"
        if exists property list file f then
            set thePlist to contents of property list file f
            set theValue to value of thePlist
            try
                # SUFeedURL is absent when the app sets its appcast in code
                if exists SUFeedURL of theValue then
                    set thisSUFeedURL to SUFeedURL of theValue as text
                    # flag appcasts fetched over plain http ("https:" does not match "http:")
                    if thisSUFeedURL contains "http:" then
                        set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as text
                        set end of my sparkleAppsList to theResultString & "

"
                    end if
                end if
            end try
        end if
    end tell
end repeat
display dialog "The following apps do not use secure https connections for the Sparkle updater:

" & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle Framework Vulnerability Check"

#EOF

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev


On 10 Feb 2016, at 22:55, Peter Teeson  wrote:
find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString


That produces a list of apps that are on earlier versions of Sparkle than 1.13. 
That’s not the same as a list of apps that are vulnerable to the exploit. Apps 
running 1.11 are safe if both the https urls and release notes urls are https 
secured (or so we established earlier in the thread, so I say that 
notwithstanding further info to the contrary). 

Here’s the latest version of the applescript that reveals any Sparkle app not 
using https. I had to abandon the attempt to implement choosing other folders. 
Too many problems trying to get it to work. 



#script version 1.4
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set defaultAppsFolder to "/Applications"


set plistContents to ""
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
# top-level bundle names under /Applications that embed Sparkle.framework
set theAppList to do shell script "find " & defaultAppsFolder & " -name Sparkle.framework | awk -F'/' '{print $3}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
    set theApp to text of item i of theAppList
    set this_item to item i of theAppList
    set f to pathToAppFolder & this_item & ":" & infoFilePath as string
    tell application "System Events"
        if exists property list file f then
            set thePlist to contents of property list file f
            set theValue to value of thePlist
            try
                # SUFeedURL is absent when the app sets its appcast in code
                if exists SUFeedURL of theValue then
                    set thisSUFeedURL to SUFeedURL of theValue as text
                    # flag appcasts fetched over plain http ("https:" does not match "http:")
                    if thisSUFeedURL contains "http:" then
                        set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as text
                        set end of my sparkleAppsList to theResultString & "

"
                    end if
                end if
            end try
        end if
    end tell
end repeat
display dialog "The following apps do not use secure https connections for the Sparkle updater:

" & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle Framework Vulnerability Check"

#EOF


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Peter Teeson

This worked for me:

find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

and I got it from this link:

>

It found 6 apps in Applications….

respect…

Peter
> On Feb 10, 2016, at 10:43 AM, sqwarqDev  wrote:
> 
> OK, I've started adding version numbers to this script now to avoid 
> confusion. :~!
> 
> Latest 'update' is v1.3 (fixed: the 'choose folder' option now works 
> correctly):
> 
> I don't think this is the last version...there's at least one outstanding 
> problem one person's having that I'm waiting to here more about (I can't 
> reproduce it myself, but will post an update if / when needed).

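As an added example (not from this thread, from any of its posters, or from the Sparkle project), here is a Python 3 script that does in one pass what the AppleScript versions and the two find one-liners in this thread do: walk a folder (subfolders and .prefPane bundles included), pick out bundles that embed Sparkle.framework, read SUFeedURL from Contents/Info.plist, and read the framework's own version from Sparkle.framework/Resources/Info.plist, the file Roland's terminal session looks at. It then applies the thread's rule rather than the bare http/https test: an http: appcast on a Sparkle older than 1.13 is reported as vulnerable, an http: appcast on 1.13 or later is reported separately (so Roland's Hopper case is not lumped in with the rest), https: is reported as ok as far as this check goes, and a missing SUFeedURL is reported as unknown instead of being silently skipped (the DriveDx caveat). The bundle names, versions and URLs built by make_demo_tree() are constructed for the demonstration; the status labels and the 1.13 threshold are my own encoding of what the thread says, not a classification the Sparkle project publishes.

```python
#!/usr/bin/env python3
"""List every .app / .prefPane under a folder that embeds Sparkle, with its
appcast (SUFeedURL) scheme and the embedded Sparkle framework version."""
import os
import plistlib
import sys
import tempfile
from urllib.parse import urlparse

FIXED_SPARKLE = (1, 13)            # version the thread treats as carrying the fix
BUNDLE_SUFFIXES = (".app", ".prefPane")


def read_plist(path):
    """Return the plist at path as a dict, or None if it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None
    return data if isinstance(data, dict) else None


def parse_version(text):
    """'1.13.1' -> (1, 13, 1); anything unparseable collapses to ()."""
    parts = []
    for piece in str(text).split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def find_bundles(root):
    """Yield bundle paths under root, descending into plain subfolders
    (e.g. /Applications/Utilities) but never into a bundle once found."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in sorted(dirnames):
            if name.endswith(BUNDLE_SUFFIXES):
                yield os.path.join(dirpath, name)
                dirnames.remove(name)      # prune: do not walk inside the bundle


def sparkle_version(bundle):
    """Version string from the embedded Sparkle.framework's own Info.plist;
    'unknown' if the framework is there but unreadable, None if no Sparkle."""
    fw = os.path.join(bundle, "Contents", "Frameworks", "Sparkle.framework")
    if not os.path.isdir(fw):
        return None
    for rel in ("Resources/Info.plist", "Versions/A/Resources/Info.plist"):
        info = read_plist(os.path.join(fw, rel))
        if info:
            return str(info.get("CFBundleShortVersionString")
                       or info.get("CFBundleVersion") or "unknown")
    return "unknown"


def assess(bundle):
    """Classify one bundle by the thread's rule; None if it does not embed Sparkle."""
    version = sparkle_version(bundle)
    if version is None:
        return None
    info = read_plist(os.path.join(bundle, "Contents", "Info.plist")) or {}
    feed = info.get("SUFeedURL")
    scheme = urlparse(str(feed)).scheme.lower() if feed else ""
    if not feed:
        status = "unknown"        # appcast set in code, not Info.plist: cannot tell from here
    elif scheme == "https":
        status = "ok"             # as far as this check goes
    elif parse_version(version) < FIXED_SPARKLE:
        status = "vulnerable"     # http appcast on pre-1.13 Sparkle (or an unreadable version)
    else:
        status = "http-feed"      # updated Sparkle, but the appcast still travels over http
    return {"bundle": bundle, "sparkle": version, "feed": feed, "status": status}


def scan(root):
    return [r for r in (assess(b) for b in find_bundles(root)) if r]


def _write_plist(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        plistlib.dump(data, fh)


def make_demo_tree(root):
    """Constructed fake Applications folder: names, versions and URLs are made up."""
    cases = {                       # bundle: (Sparkle version, SUFeedURL or None)
        "OldHttp.app": ("1.11.1", "http://updates.example.invalid/appcast.xml"),
        "NewHttp.app": ("1.13.1", "http://updates.example.invalid/appcast.xml"),
        "OldHttps.app": ("1.12", "https://updates.example.invalid/appcast.xml"),
        "HiddenFeed.app": ("1.10", None),
        "Utilities/Nested.app": ("1.9", "http://updates.example.invalid/appcast.xml"),
        "Tool.prefPane": ("1.5", "http://updates.example.invalid/appcast.xml"),
    }
    for name, (version, feed) in cases.items():
        bundle = os.path.join(root, *name.split("/"))
        _write_plist(os.path.join(bundle, "Contents", "Frameworks", "Sparkle.framework",
                                  "Resources", "Info.plist"),
                     {"CFBundleShortVersionString": version, "CFBundleVersion": version})
        info = {"CFBundleIdentifier": "demo." + os.path.basename(name)}
        if feed:
            info["SUFeedURL"] = feed
        _write_plist(os.path.join(bundle, "Contents", "Info.plist"), info)
    # a bundle with no Sparkle at all must not appear in the report
    _write_plist(os.path.join(root, "NoSparkle.app", "Contents", "Info.plist"),
                 {"CFBundleIdentifier": "demo.NoSparkle"})


def demo():
    """Scan the constructed tree and return {bundle name: status}."""
    with tempfile.TemporaryDirectory() as root:
        make_demo_tree(root)
        return {os.path.basename(r["bundle"]): r["status"] for r in scan(root)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for r in scan(target):
        print(f"{r['status']:<10} Sparkle {r['sparkle']:<8} "
              f"{r['feed'] or '(no SUFeedURL in Info.plist)'}  {r['bundle']}")
```

Run it as `python3 sparkle_check.py /Applications` for one line per Sparkle bundle, or point it at a mounted backup volume to cover the "including backups" case from the v1.51 post. The version is read from the framework's own Info.plist because the app's Info.plist says nothing about which Sparkle it ships, and an unreadable version is treated as old on purpose: a scanner that errs towards "vulnerable" produces a list to verify by hand, which is what the thread's scripts are for.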

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Jens Alfke

> On Feb 10, 2016, at 12:17 PM, brodhage  wrote:
> 
> Why? Because any application accessing web content via the WebView framework 
> (Sparkle, Safari and many other apps) might allow to "launch special / 
> default behaviour" (for example "file://" or "ftp://" or Safari which starts 
> iTunes if you click a link to any app store resources) 

No, not if those apps are well-written. Denying navigation from a remote URL to 
file: URLs is a well-known part of the browser security model. I haven’t 
looked at the Sparkle source, but I suspect that the reason the WebView didn’t 
block that request completely was because Sparkle loaded the HTML into the view 
in a way that made it appear to be a local resource, not remote.

No offense, but browser security is a very big, very complex topic that a *lot* 
of effort goes into. It does not sound as though you’re an expert at it. (I’m 
certainly not, though I seem to know more about it than you.) As with most big 
complex topics, it's unlikely that someone who’s not an expert at it is going 
to come up with an insight on how to make it better.

> 1.) If a domain is accessed, then do not allow access to ANY other domain.

Um, no. This would completely break almost every real-world website, and not 
because of analytics/ads. It is extremely common to host page resources like 
images or scripts on different subdomains of a site, and also to use CDNs to 
optimize access time of static resources.

As an experiment you could build yourself a little browser with a WebView, 
implement such a policy in your delegate callbacks, and try browsing with it to 
see how broken the web would be.

> 2.) If a web content (or included resources) tries to access "unusual" 
> resources (like "file://" or "ftp://" or "http://192.0 ..." or 
> whatever) then ask the user for confirmation.

* Yes, browsers already block requests for file: URLs, if the request comes 
from a page not loaded from a file: URL.
* There’s nothing insecure with a page navigating to an ftp: URL, or other URL 
schemes that have apps registered to handle them, like itms:. It’s very common, 
especially on iOS.
* The security considerations for obviously-LAN domains like 192.168.*.* are 
probably pretty complex, and I won’t answer as I’m not an expert.

—Jens

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread brodhage
Maybe I am wrong (or it is off-topic), but is this (just) a Sparkle problem?

I have read "Vulnerable Security - There's a lot of vulnerable OS X 
applications out there" (https://vulnsec.com/2016/osx-apps-vulnerabilities/) - 
and if I got the idea then browsing the web is insecure.

Why? Because any application accessing web content via the WebView framework 
(Sparkle, Safari and many other apps) might allow to "launch special / default 
behaviour" (for example "file://" or "ftp://" or Safari which starts iTunes if 
you click a link to any app store resources) and access to "unknown domains" 
("other domains" or even worse included OS routines). Correct?

In my opinion, the solution (for the Sparkle problem and browsing the internet) 
would be to change the WebView framework itself:
1.) If a domain is accessed, then do not allow access to ANY other domain.
2.) If a web content (or included resources) tries to access "unusual" 
resources (like "file://" or "ftp://" or "http://192.0..." or whatever) then 
ask the user for confirmation.

This might not only fix the Sparkle problem, but would give us much more 
security. HTTP or HTTPS.
And it might stop all these (external) traffic analytics and ads we all do not 
want to join or see.

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Jean-Daniel Dupas

> On 10 Feb 2016, at 05:48, Trygve Inda wrote:
> 
>> If your hosting provider still charges an arm and a leg for SSL, switch.
> 
> I need SSL for multiple subdomains. My host (Pair Networks) charges $449/yr
> for such a certificate. That seems really expensive. What are others paying
> for this? I have been very happy with Pair as we run a complex server setup
> with multiple cron jobs, custom C programs etc.
> 

I pay $0 and can have as many domains as I want on my certificates. I’m using 
Let's Encrypt for all my servers. It requires some setup but it’s free and 
works very well.

https://letsencrypt.org 

> I also see no way to add an SSL certificate to a CNAME'd site at Amazon S3:
> 
> download.xericdesign.com CNAME
> s3.amazonaws.com/download.xericdesign.com/
> 
> Trygve
> 
> 
> 

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Gary L. Wade
I just checked to see what happens when visiting your web site at 
https://xenonium.com and found on the current latest release of iOS and OS X 
under Safari I get a "Cannot Verify Server Identity" alert, so maybe you set it 
up wrong, support for that authority is forthcoming, or you get what you pay 
for. Some users will say, "Whoa!" and run away fast.
--
Gary L. Wade (Sent from my iPhone)
http://www.garywade.com/

> On Feb 10, 2016, at 2:58 PM, Jean-Daniel Dupas  wrote:
> 
> 
>>> On 10 Feb 2016, at 05:48, Trygve Inda wrote:
>>> 
>>> If your hosting provider still charges an arm and a leg for SSL, switch.
>> 
>> I need SSL for multiple subdomains. My host (Pair Networks) charges $449/yr
>> for such a certificate. That seems really expensive. What are others paying
>> for this? I have been very happy with Pair as we run a complex server setup
>> with multiple cron jobs, custom C programs etc.
> 
> I pay $0 and can have as many domains as I want on my certificates. I’m 
> using Let's Encrypt for all my servers. It requires some setup but it’s free 
> and works very well.
> 
> https://letsencrypt.org 
> 
>> I also see no way to add an SSL certificate to a CNAME'd site at Amazon S3:
>> 
>> download.xericdesign.com CNAME
>> s3.amazonaws.com/download.xericdesign.com/
>> 
>> Trygve
>> 


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread sqwarqDev


On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
tell them how they can find out which apps use
Sparkle??




I was thinking of writing a script for this, checking for SUFeedURL for every 
.app bundle, but

i. is there already an easy way to check which apps use Sparkle?

ii. I don’t see an easy way for users to tell what version of Sparkle is 
installed in an app. 
Does anyone know where the Sparkle version number is hidden in the bundle?

iii. given what Roland and Ken both say downthread, viz.:

If the release notes are via a separate URL and that URL is HTTP rather than 
HTTPS, then the attacker can spoof it

it looks like just checking the SUFeedURL for http or https won’t be enough to 
determine if the app is safe for any app running older versions than Sparkle 
1.13. Of course, we should all update to the latest version, but I have one app 
that has to be 10.6 compatible and that can’t use anything but an  ***old*** 
version of Sparkle. The app cast and release notes are both https so I’m 
assuming this is secure (at least regarding this particular issue…). 



Best


Phil

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread diederik
You can do that in the terminal, I found this terminal command online:

find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

This returns:
Cornerstone
Sequel Pro

on my MacBook Pro...

Important note: I did not come up with this myself and was a bit nervous
running it in the terminal.

Any Linux gurus on this list who can say whether the above command is OK
to run in all circumstances?




>
> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
> tell them how they can find out which apps use
> Sparkle??
>
>
> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
> tell them how they can find out which apps use
> Sparkle??
>
>
> I was thinking of writing a script for this, checking for SUFeedURL for
> every .app bundle, but
>
> i. is there already an easy way to check which apps use Sparkle?
>
> ii. I don’t see an easy way for users to tell what version of Sparkle is
> installed in an app. 
> Does anyone know where the Sparkle version number is hidden in the bundle?
>
> iii. given what Roland and Ken both say downthread, viz.:
>
> If the release notes are via a separate URL and that URL is HTTP rather
> than HTTPS, then the attacker can spoof it
>
> it looks like just checking the SUFeedURL for http or https won’t be
> enough to determine if the app is safe for any app running older versions
> than Sparkle 1.13. Of course, we should all update to the latest version,
> but I have one app that has to be 10.6 compatible and that can’t use
> anything but an ***old*** version of Sparkle. The appcast and release
> notes are both https so I’m assuming this is secure (at least regarding
> this particular issue…). 
>
>
>
> Best
>
>
> Phil


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread dangerwillrobinsondanger
An app could also have plugins or embedded frameworks that have distinct 
Sparkle updaters. 

Sent from my iPhone

> On Feb 10, 2016, at 9:39 PM, diede...@tenhorses.com wrote:
> 
> You can do that in the terminal, I found this terminal command online:
> 
> find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
> 
> This returns:
> Cornerstone
> Sequel Pro
> 
> on my MacBook Pro...
> 
> Important note: I did not come up with this myself and was a bit nervous
> running it in the terminal.
> 
> Any Linux gurus on this list who can say whether the above command is OK
> to run in all circumstances?
> 
> 
> 
> 
>> 
>> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
>> tell them how they can find out which apps use
>> Sparkle??
>> 
>> 
>> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
>> tell them how they can find out which apps use
>> Sparkle??
>> 
>> 
>> I was thinking of writing a script for this, checking for SUFeedURL for
>> every .app bundle, but
>> 
>> i. is there already an easy way to check which apps use Sparkle?
>> 
>> ii. I don’t see an easy way for users to tell what version of Sparkle is
>> installed in an app. 
>> Does anyone know where the Sparkle version number is hidden in the bundle?
>> 
>> iii. given what Roland and Ken both say downthread, viz.:
>> 
>> If the release notes are via a separate URL and that URL is HTTP rather
>> than HTTPS, then the attacker can spoof it
>> 
>> it looks like just checking the SUFeedURL for http or https won’t be
>> enough to determine if the app is safe for any app running older versions
>> than Sparkle 1.13. Of course, we should all update to the latest version,
>> but I have one app that has to be 10.6 compatible and that can’t use
>> anything but an ***old*** version of Sparkle. The appcast and release
>> notes are both https so I’m assuming this is secure (at least regarding
>> this particular issue…). 
>> 
>> 
>> 
>> Best
>> 
>> 
>> Phil


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Sandor Szatmari
It looks safe...

> On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote:
> 
> You can do that in the terminal, I found this terminal command online:
> 
> find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

This finds all files named Sparkle.framework in your Applications folder and 
pipes each path as a string to awk, which tokenizes the string first on '/' and 
prints the 3rd token. That is piped to awk again, which this time tokenizes on 
'.' (this strips off '.app') and prints the first token, the application 
name.

Sandor
> 
> This returns:
> Cornerstone
> Sequel Pro
> 
> on my MacBook Pro...
> 
> Important note: I did not come up with this myself and was a bit nervous
> running it in the terminal.
> 
> Any Linux gurus on this list who can say whether the above command is OK
> to run in all circumstances?
> 
> 
> 
> 
>> 
>> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
>> tell them how they can find out which apps use
>> Sparkle??
>> 
>> 
>> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
>> tell them how they can find out which apps use
>> Sparkle??
>> 
>> 
>> I was thinking of writing a script for this, checking for SUFeedURL for
>> every .app bundle, but
>> 
>> i. is there already an easy way to check which apps use Sparkle?
>> 
>> ii. I don’t see an easy way for users to tell what version of Sparkle is
>> installed in an app. 
>> Does anyone know where the Sparkle version number is hidden in the bundle?
>> 
>> iii. given what Roland and Ken both say downthread, viz.:
>> 
>> If the release notes are via a separate URL and that URL is HTTP rather
>> than HTTPS, then the attacker can spoof it
>> 
>> it looks like just checking the SUFeedURL for http or https won’t be
>> enough to determine if the app is safe for any app running older versions
>> than Sparkle 1.13. Of course, we should all update to the latest version,
>> but I have one app that has to be 10.6 compatible and that can’t use
>> anything but an ***old*** version of Sparkle. The appcast and release
>> notes are both https so I’m assuming this is secure (at least regarding
>> this particular issue…). 
>> 
>> 
>> 
>> Best
>> 
>> 
>> Phil

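The find/awk one-liner that Sandor breaks down above only lists bundle names. Here, as an added example that comes from none of the posters on this thread, is a Python script doing what Phil said he wanted to write: it walks an Applications folder the way `find` does, reads each owning bundle's SUFeedURL from Contents/Info.plist, reads the bundled Sparkle's version from Sparkle.framework/Resources/Info.plist (CFBundleShortVersionString is the standard bundle version key; that Sparkle populates it is an assumption), reports a plugin that carries its own Sparkle copy separately from its host app (the case dangerwillrobinsondanger raised), and classifies each hit by the thread's own rule: a plaintext feed is exposed regardless of version, and an https feed with Sparkle older than 1.13 still needs its release-notes links checked. The tree it scans is a constructed fixture in a temporary directory; point scan() at /Applications for a real run.

```python
import os
import plistlib
import re
import tempfile
from urllib.parse import urlparse

FIXED_VERSION = (1, 13)        # the thread names Sparkle 1.13 as the first fixed release
BUNDLE_SUFFIXES = (".app", ".bundle", ".plugin", ".appex")


def version_tuple(text):
    """'1.13.1' -> (1, 13, 1); '1.9b2' -> (1, 9). Non-numeric tails are dropped."""
    parts = []
    for piece in str(text).split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def read_plist(path):
    """Load an XML or binary plist; None if missing or unparsable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None


def owning_bundle(framework_path):
    """Nearest enclosing .app/.bundle/... directory, so a plugin carrying its
    own Sparkle copy is reported separately from its host app."""
    path = os.path.dirname(framework_path)
    while path and path != os.path.dirname(path):
        if path.endswith(BUNDLE_SUFFIXES):
            return path
        path = os.path.dirname(path)
    return None


def classify(feed_url, sparkle_version):
    if not feed_url:
        return "no-feed-in-plist"        # feed may be supplied from code; inspect by hand
    if urlparse(feed_url).scheme.lower() != "https":
        return "insecure-feed"           # plaintext appcast: anyone on the path can rewrite it
    if sparkle_version is None:
        return "unknown-version"
    if version_tuple(sparkle_version) < FIXED_VERSION:
        return "check-release-notes"     # feed is protected, but old Sparkle still renders
                                         # release notes; their links must be https too
    return "ok"


def scan(root):
    """Report every Sparkle.framework under root with its owner's feed and status."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if "Sparkle.framework" not in dirnames:
            continue
        framework = os.path.join(dirpath, "Sparkle.framework")
        dirnames.remove("Sparkle.framework")      # no need to descend into the framework
        bundle = owning_bundle(framework)
        info = read_plist(os.path.join(bundle, "Contents", "Info.plist")) if bundle else None
        fw_info = read_plist(os.path.join(framework, "Resources", "Info.plist")) or {}
        feed = (info or {}).get("SUFeedURL")
        version = fw_info.get("CFBundleShortVersionString") or fw_info.get("CFBundleVersion")
        findings.append({"bundle": os.path.relpath(bundle or framework, root),
                         "feed": feed, "sparkle": version, "status": classify(feed, version)})
    return sorted(findings, key=lambda f: f["bundle"])


def _write_plist(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        plistlib.dump(data, fh)


def build_sample_tree(root):
    """Constructed fixture, not real apps: one bundle per status the scanner knows."""
    def add(bundle, feed, sparkle):
        _write_plist(os.path.join(root, bundle, "Contents", "Info.plist"),
                     {"SUFeedURL": feed} if feed else {"CFBundleIdentifier": "example.nofeed"})
        _write_plist(os.path.join(root, bundle, "Contents", "Frameworks", "Sparkle.framework",
                                  "Resources", "Info.plist"), {"CFBundleShortVersionString": sparkle})
    add("OldPlain.app", "http://updates.example.invalid/appcast.xml", "1.10.0")
    add("Secure.app", "https://updates.example.invalid/appcast.xml", "1.13.1")
    add("OldSecureFeed.app", "https://updates.example.invalid/appcast.xml", "1.9")
    add("NoFeed.app", None, "1.13.0")
    # plugin with its own updater inside a host app that has no Sparkle copy of its own
    add("Host.app/Contents/PlugIns/Extra.bundle", "http://plugins.example.invalid/cast.xml", "1.12.0")


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for finding in run_demo():                     # or: for finding in scan("/Applications")
        print(f"{finding['status']:<20} {finding['bundle']}  "
              f"sparkle={finding['sparkle']}  feed={finding['feed']}")
```

On a real framework, Resources is a symlink into Versions/Current; os.walk does not follow directory symlinks but open() does, so the version plist is still read. An app whose feed URL is set from code rather than Info.plist shows up as no-feed-in-plist and has to be looked at by hand, and "check-release-notes" cannot be resolved locally at all: it needs the appcast itself inspected.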

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Ben Kennedy
If you actually took a look at the details, you'd see that the cert is for 
"ssl13.ovh.net" rather than "xenonium.com".  If you visit https://ssl13.ovh.net 
in Safari you will see no such problem.

Jean-Daniel did not expressly state that he's trying to serve anything at 
https://xenonium.com.

-b

> On 10 Feb 2016, at 4:35 pm, Gary L. Wade  wrote:
> 
> I just checked to see what happens when visiting your web site at 
> https://xenonium.com and found on the current latest release of iOS and OS X 
> under Safari I get a "Cannot Verify Server Identity" alert, so maybe you set 
> it up wrong, support for that authority is forthcoming, or you get what you 
> pay for. Some users will say, "Whoa!" and run away fast.



Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Jens Alfke

> On Feb 10, 2016, at 4:35 PM, Gary L. Wade  
> wrote:
> 
> I just checked to see what happens when visiting your web site at 
> https://xenonium.com  and found on the current latest 
> release of iOS and OS X under Safari I get a "Cannot Verify Server Identity" 
> alert, so maybe you set it up wrong, support for that authority is 
> forthcoming, or you get what you pay for. Some users will say, "Whoa!" and 
> run away fast.

It’s a hostname mismatch — the cert is valid, but it's issued to ssl13.ovh.net, 
not xenonium.com.

I’m guessing that Jean-Daniel’s website is hosted on a shared server at 
ovh.net, but the server isn’t configured to return the matching SSL cert for 
the hostname in the client request, so it’s using its default “ssl13.ovh.net” 
one instead. So yeah, it’s set up wrong.

—Jens

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Gary L. Wade
You've made my point. None of my friends would even bother with looking at the 
certificate for his site (assuming that's his site from his email address) and 
move on. At worst, they'd call me and I'd say don't go there since I don't want 
them to screenshot that and text it to me to figure it out.
--
Gary L. Wade (Sent from my iPhone)
http://www.garywade.com/

> On Feb 10, 2016, at 4:50 PM, Ben Kennedy  wrote:
> 
> If you actually took a look at the details, you'd see that the cert is for 
> "ssl13.ovh.net" rather than "xenonium.com".  If you visit 
> https://ssl13.ovh.net in Safari you will see no such problem.
> 
> Jean-Daniel did not expressly state that he's trying to serve anything at 
> https://xenonium.com.
> 
> -b
> 
>> On 10 Feb 2016, at 4:35 pm, Gary L. Wade  
>> wrote:
>> 
>> I just checked to see what happens when visiting your web site at 
>> https://xenonium.com and found on the current latest release of iOS and OS X 
>> under Safari I get a "Cannot Verify Server Identity" alert, so maybe you set 
>> it up wrong, support for that authority is forthcoming, or you get what you 
>> pay for. Some users will say, "Whoa!" and run away fast.
> 


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-10 Thread Ben Kennedy
> On 10 Feb 2016, at 5:00 pm, Gary L. Wade  wrote:
> 
> You've made my point. None of my friends would even bother with looking at 
> the certificate for his site (assuming that's his site from his email 
> address) and move on. At worst, they'd call me and I'd say don't go there 
> since I don't want them to screenshot that and text it to me to figure it out.

No, you are misunderstanding me.  My point is that it may not be valid to 
assume the web server at 213.186.33.24 (to which xenonium.com resolves) will 
answer to HTTPS with a cert for "xenonium.com".

For example, https://213.186.33.24 presents the same "hostname mismatch" alert, 
because the cert is not named for "213.186.33.24".

Conduct the same exercise for any A record returned for www.apple.com, and 
you'll also get this result.  Completely expected.

Now, if Jean-Daniel has stated definitively that https://xenonium.com is 
expected to serve up a matching certificate, you have an argument I would agree 
with.  But for all we know (unless I've missed it), he's serving his material 
at https://ssl13.ovh.net.

b


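The exercise Gary and Ben describe above, repeated programmatically, as an added example that is not from either poster: Python's default SSL context does the same two things Safari does (chain the certificate to a trusted CA, then check it is valid for the requested name), so connecting with SNI set to the vanity hostname and then to the server's own name shows whether a "Cannot Verify Server Identity" alert is a hostname mismatch from a shared host's default certificate or an untrusted certificate. Sorting SSLCertVerificationError messages into those two categories by looking for the word "match" is a string-match heuristic of mine, not a documented API. The host names in main() are the two the thread compares; pass your own on the command line.

```python
import socket
import ssl
import sys


def check_tls_hostname(host, port=443, timeout=5.0):
    """Open a TLS connection to host:port with SNI=host and full verification,
    the way Safari or NSURLSession would, and report what the client sees.

    Returns {"ok": True, "category": "ok", "names": [...]} when the certificate
    chains to a trusted CA *and* is valid for `host`; otherwise
    {"ok": False, "category": ..., "detail": ...}."""
    ctx = ssl.create_default_context()        # system CAs + hostname verification on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()      # only reached if verification passed
    except ssl.SSLCertVerificationError as exc:
        # Heuristic (assumption): Python's message for a name mismatch contains
        # "match"; unknown-issuer and self-signed failures do not.
        category = "hostname-mismatch" if "match" in str(exc).lower() else "untrusted-cert"
        return {"ok": False, "category": category, "detail": str(exc)}
    except ssl.SSLError as exc:               # handshake failed for another reason
        return {"ok": False, "category": "tls-error", "detail": str(exc)}
    except OSError as exc:                    # DNS failure, refused, timeout, no network
        return {"ok": False, "category": "connection", "detail": str(exc)}
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"ok": True, "category": "ok", "names": names}


def main(argv):
    hosts = argv[1:] or ["xenonium.com", "ssl13.ovh.net"]   # the two names compared in the thread
    for host in hosts:
        result = check_tls_hostname(host)
        if result["ok"]:
            print(f"{host}: OK, certificate is valid for {result['names']}")
        else:
            print(f"{host}: {result['category']}: {result['detail']}")


if __name__ == "__main__":
    main(sys.argv)
```

A "hostname-mismatch" for the vanity name together with "ok" for the server's own name is exactly the shared-host, no-SNI-certificate situation Jens describes; the fix is on the server (a certificate for the name the appcast URL actually uses), never on the client, because turning off hostname verification in the updater would reopen the attack this whole thread is about.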

PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Jens Alfke
Ars Technica has an article today about a vulnerability in the Sparkle 
auto-update framework, which can allow an attacker to hijack an app update 
check to install malware on the user’s Mac:

http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/

The clearest description of the bug is in this comment:

http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1=30615427#comment-30615427

Basically: If your app uses a version of Sparkle older than 1.13 — like every 
single Sparkle-using app on my computer :( — and the updates are delivered over 
a non-HTTPS connection, you’re vulnerable (or rather, your users are.)

The attack’s not trivial: it requires someone to tamper with the appcast RSS 
feed being received by Sparkle, at the time that it checks for an update. Most 
likely this would be by poisoning the DNS on a shared router and pointing your 
domain to their server; or else they could compromise the router to sniff the 
HTTP traffic and inject the payload into the stream.

The best fix is to upgrade your server to use HTTPS. If your hosting provider 
still charges an arm and a leg for SSL, switch.
In addition (or as the second-best fix if you can’t go SSL), download the 
latest Sparkle and update your app project to use it.

—Jens

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Jean-Daniel Dupas
OK. I did watch the POC and it appears it is not in the update process but in 
the check for updates that the attack occurs.

> Le 9 févr. 2016 à 23:27, Jean-Daniel Dupas  a écrit :
> 
> I agree. I can’t see how that can work with a properly configured Sparkle, 
> that is an App that accepts only properly signed updates.
> 
> 
>> Le 9 févr. 2016 à 23:22, Graham Cox  a écrit :
>> 
>> Thanks for the heads-up Jens.
>> 
>> Is it enough to change the SUFeedURL to https (if your server supports it, 
>> which ours does), or does it also require the library to be updated? The 
>> comment you link doesn’t clarify it for me - it mentions WebView, but I’m 
>> not clear about how Sparkle is using Webview - wouldn’t it just request the 
>> appcast directly, parse it and then download the update notes if it finds an 
>> update BEFORE opening a webview? Other than displaying the update notes I 
>> don’t see why Sparkle would open a Webview, but my understanding of how it 
>> works could well be wrong.
>> 
>> There’s another thing too. Even if the appcast feed were compromised and an 
>> “update” containing malware were injected, it would still have to be signed 
>> correctly using the developer's private key which Sparkle checks before 
>> installing the update. So even if it got that far it would surely fail at 
>> that step?
>> 
>> —Graham
>> 
>> 
>> 
>>> On 10 Feb 2016, at 8:10 AM, Jens Alfke  wrote:
>>> 
>>> Ars Technica has an article today about a vulnerability in the Sparkle 
>>> auto-update framework, which can allow an attacker to hijack an app update 
>>> check to install malware on the user’s Mac:
>>> 
>>> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/
>>> 
>>> The clearest description of the bug is in this comment:
>>> 
>>> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1=30615427#comment-30615427
>>> 
>>> Basically: If your app uses a version of Sparkle older than 1.13 — like 
>>> every single Sparkle-using app on my computer :( — and the updates are 
>>> delivered over a non-HTTPS connection, you’re vulnerable (or rather, your 
>>> users are.)
>>> 
>>> The attack’s not trivial: it requires someone to tamper with the appcast 
>>> RSS feed being received by Sparkle, at the time that it checks for an 
>>> update. Most likely this would be by poisoning the DNS on a shared router 
>>> and pointing your domain to their server; or else they could compromise the 
>>> router to sniff the HTTP traffic and inject the payload into the stream.
>>> 
>>> The best fix is to upgrade your server to use HTTPS. If your hosting 
>>> provider still charges an arm and a leg for SSL, switch.
>>> In addition (or as the second-best fix if you can’t go SSL), download the 
>>> latest Sparkle and update your app project to use it.
>>> 
>>> —Jens
>> 
>> 



Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread SevenBits
Yes, this is very important -- don't ignore this message!

On Tuesday, February 9, 2016, Jens Alfke  wrote:

> Ars Technica has an article today about a vulnerability in the Sparkle
> auto-update framework, which can allow an attacker to hijack an app update
> check to install malware on the user’s Mac:
>
> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/
>
> The clearest description of the bug is in this comment:
>
> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1=30615427#comment-30615427
>
> Basically: If your app uses a version of Sparkle older than 1.13 — like
> every single Sparkle-using app on my computer :( — and the updates are
> delivered over a non-HTTPS connection, you’re vulnerable (or rather, your
> users are.)
>
> The attack’s not trivial: it requires someone to tamper with the appcast
> RSS feed being received by Sparkle, at the time that it checks for an
> update. Most likely this would be by poisoning the DNS on a shared router
> and pointing your domain to their server; or else they could compromise the
> router to sniff the HTTP traffic and inject the payload into the stream.
>
> The best fix is to upgrade your server to use HTTPS. If your hosting
> provider still charges an arm and a leg for SSL, switch.
> In addition (or as the second-best fix if you can’t go SSL), download the
> latest Sparkle and update your app project to use it.
>
> —Jens

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Graham Cox
Thanks for the heads-up Jens.

Is it enough to change the SUFeedURL to https (if your server supports it, 
which ours does), or does it also require the library to be updated? The 
comment you link doesn’t clarify it for me - it mentions WebView, but I’m not 
clear about how Sparkle is using Webview - wouldn’t it just request the appcast 
directly, parse it and then download the update notes if it finds an update 
BEFORE opening a webview? Other than displaying the update notes I don’t see 
why Sparkle would open a Webview, but my understanding of how it works could 
well be wrong.

There’s another thing too. Even if the appcast feed were compromised and an 
“update” containing malware were injected, it would still have to be signed 
correctly using the developer's private key which Sparkle checks before 
installing the update. So even if it got that far it would surely fail at that 
step?

—Graham



> On 10 Feb 2016, at 8:10 AM, Jens Alfke  wrote:
> 
> Ars Technica has an article today about a vulnerability in the Sparkle 
> auto-update framework, which can allow an attacker to hijack an app update 
> check to install malware on the user’s Mac:
>   
> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/
> 
> The clearest description of the bug is in this comment:
>   
> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1=30615427#comment-30615427
> 
> Basically: If your app uses a version of Sparkle older than 1.13 — like every 
> single Sparkle-using app on my computer :( — and the updates are delivered 
> over a non-HTTPS connection, you’re vulnerable (or rather, your users are.)
> 
> The attack’s not trivial: it requires someone to tamper with the appcast RSS 
> feed being received by Sparkle, at the time that it checks for an update. 
> Most likely this would be by poisoning the DNS on a shared router and 
> pointing your domain to their server; or else they could compromise the 
> router to sniff the HTTP traffic and inject the payload into the stream.
> 
> The best fix is to upgrade your server to use HTTPS. If your hosting provider 
> still charges an arm and a leg for SSL, switch.
> In addition (or as the second-best fix if you can’t go SSL), download the 
> latest Sparkle and update your app project to use it.
> 
> —Jens



Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Jean-Daniel Dupas
I agree. I can’t see how that can work with a properly configured Sparkle, that 
is an App that accepts only properly signed updates.


> Le 9 févr. 2016 à 23:22, Graham Cox  a écrit :
> 
> Thanks for the heads-up Jens.
> 
> Is it enough to change the SUFeedURL to https (if your server supports it, 
> which ours does), or does it also require the library to be updated? The 
> comment you link doesn’t clarify it for me - it mentions WebView, but I’m not 
> clear about how Sparkle is using Webview - wouldn’t it just request the 
> appcast directly, parse it and then download the update notes if it finds an 
> update BEFORE opening a webview? Other than displaying the update notes I 
> don’t see why Sparkle would open a Webview, but my understanding of how it 
> works could well be wrong.
> 
> There’s another thing too. Even if the appcast feed were compromised and an 
> “update” containing malware were injected, it would still have to be signed 
> correctly using the developer's private key which Sparkle checks before 
> installing the update. So even if it got that far it would surely fail at 
> that step?
> 
> —Graham
> 
> 
> 
>> On 10 Feb 2016, at 8:10 AM, Jens Alfke  wrote:
>> 
>> Ars Technica has an article today about a vulnerability in the Sparkle 
>> auto-update framework, which can allow an attacker to hijack an app update 
>> check to install malware on the user’s Mac:
>>  
>> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/
>> 
>> The clearest description of the bug is in this comment:
>>  
>> http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/?comments=1=30615427#comment-30615427
>> 
>> Basically: If your app uses a version of Sparkle older than 1.13 — like 
>> every single Sparkle-using app on my computer :( — and the updates are 
>> delivered over a non-HTTPS connection, you’re vulnerable (or rather, your 
>> users are.)
>> 
>> The attack’s not trivial: it requires someone to tamper with the appcast RSS 
>> feed being received by Sparkle, at the time that it checks for an update. 
>> Most likely this would be by poisoning the DNS on a shared router and 
>> pointing your domain to their server; or else they could compromise the 
>> router to sniff the HTTP traffic and inject the payload into the stream.
>> 
>> The best fix is to upgrade your server to use HTTPS. If your hosting 
>> provider still charges an arm and a leg for SSL, switch.
>> In addition (or as the second-best fix if you can’t go SSL), download the 
>> latest Sparkle and update your app project to use it.
>> 
>> —Jens
> 
> 

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Jens Alfke

> On Feb 9, 2016, at 2:22 PM, Graham Cox  wrote:
> 
> Is it enough to change the SUFeedURL to https (if your server supports it, 
> which ours does), or does it also require the library to be updated?

Using HTTPS for the appcast RSS feed should be sufficient, because it prevents 
an attacker from tampering with the contents of the feed.

> The comment you link doesn’t clarify it for me - it mentions WebView, but I’m 
> not clear about how Sparkle is using Webview

It’s to display the release notes, which come from an RSS entry in the feed and 
are in HTML format. And Sparkle had a couple of bugs relating to that: (a) the 
WebView was configured to allow JavaScript, and (b) their delegate handled 
navigation requests to file: URLs by sending them to the Finder. This meant 
that a malicious feed entry could run a script to download some malware and 
then tell the Finder to launch the downloaded malware installer.

Full details are here:
https://vulnsec.com/2016/osx-apps-vulnerabilities/

One of the takeaways from this for Mac developers is that WebViews can be 
really dangerous, and if you use one in your app, you should give it the 
minimum possible privileges and be really careful about how you respond to any 
requests the loaded web page makes.

—Jens
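Jens's description of the two WebView bugs, together with Phil's point upthread that an http release-notes URL is enough on old Sparkle and Charles's that an http appcast lets the attacker choose that URL, amounts to a checklist for the feed a developer publishes. The following Python auditor is an added example, written by neither the posters nor the Sparkle project: it parses an appcast and flags an appcast URL, sparkle:releaseNotesLink or enclosure URL that is not https, an enclosure with no sparkle:dsaSignature (the signature attribute Sparkle 1.x verifies, the check Graham asked about), and inline description release notes containing a script element or a file: link, which is what an old Sparkle would render with JavaScript on. The two content checks are plain regular-expression matches, not an HTML parser. The sample appcast is constructed for the example; the Sparkle XML namespace URI is the real one.

```python
import re
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
NS = {"sparkle": SPARKLE_NS}

# Constructed sample feed (no real vendor's appcast): 2.1 is clean, 2.0 shows
# the plaintext-URL problems, 1.9 shows inline release notes that an old
# Sparkle would render with JavaScript enabled.
SAMPLE_APPCAST = """<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
<channel>
  <title>ExampleApp updates</title>
  <item>
    <title>Version 2.1</title>
    <sparkle:releaseNotesLink>https://updates.example.invalid/notes/2.1.html</sparkle:releaseNotesLink>
    <enclosure url="https://updates.example.invalid/ExampleApp-2.1.zip" sparkle:version="210"
               sparkle:dsaSignature="PLACEHOLDER-SIGNATURE" length="1024" type="application/octet-stream"/>
  </item>
  <item>
    <title>Version 2.0</title>
    <sparkle:releaseNotesLink>http://updates.example.invalid/notes/2.0.html</sparkle:releaseNotesLink>
    <enclosure url="http://updates.example.invalid/ExampleApp-2.0.zip" sparkle:version="200"
               length="1024" type="application/octet-stream"/>
  </item>
  <item>
    <title>Version 1.9</title>
    <description><![CDATA[<h2>1.9</h2><script></script><a href="file:///placeholder.pkg">notes</a>]]></description>
    <enclosure url="https://updates.example.invalid/ExampleApp-1.9.zip" sparkle:version="190"
               sparkle:dsaSignature="PLACEHOLDER-SIGNATURE" length="1024" type="application/octet-stream"/>
  </item>
</channel>
</rss>
"""

SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)
FILE_LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']?\s*file:""", re.IGNORECASE)


def is_https(url):
    return urlparse((url or "").strip()).scheme.lower() == "https"


def audit_appcast(xml_text, feed_url):
    """Return [(item title, problem), ...]; an empty list means nothing to fix."""
    problems = []
    if not is_https(feed_url):
        scheme = urlparse(feed_url or "").scheme or "?"
        problems.append(("<feed>", "appcast URL is not https (scheme '%s')" % scheme))
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = (item.findtext("title") or "?").strip()
        notes_link = item.findtext("sparkle:releaseNotesLink", namespaces=NS)
        if notes_link is not None and not is_https(notes_link):
            problems.append((title, "release notes link is not https: " + notes_link.strip()))
        description = item.findtext("description") or ""
        if SCRIPT_RE.search(description):
            problems.append((title, "inline release notes contain a <script> element"))
        if FILE_LINK_RE.search(description):
            problems.append((title, "inline release notes link to a file: URL"))
        for enclosure in item.findall("enclosure"):
            url = enclosure.get("url", "")
            if not is_https(url):
                problems.append((title, "enclosure is not https: " + url))
            if not enclosure.get("{%s}dsaSignature" % SPARKLE_NS):
                problems.append((title, "enclosure carries no sparkle:dsaSignature"))
    return problems


def main(argv):
    if len(argv) > 1:        # usage: audit.py appcast.xml https://host/path/appcast.xml
        with open(argv[1], "rb") as fh:
            xml_text = fh.read()
        feed_url = argv[2] if len(argv) > 2 else ""
    else:
        xml_text, feed_url = SAMPLE_APPCAST, "https://updates.example.invalid/appcast.xml"
    for title, problem in audit_appcast(xml_text, feed_url) or [("-", "no problems found")]:
        print(f"{title:<14} {problem}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against the sample it reports five findings, all on the 2.0 and 1.9 items. The signature check is the one Graham's reasoning relied on, and the rest are what makes it insufficient: a signed enclosure does nothing for a user whose old Sparkle has already rendered attacker-chosen release notes.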

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Graham Cox

> On 10 Feb 2016, at 1:08 PM, Charles Srstka  wrote:
> 
> If your app is accessing your appcast via HTTP, that could be intercepted 
> just the same as your relnotes, and then the attacker could set the relnotes 
> URL to whatever s/he wants.


Yep, I see that. Bugger.

—G.

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Trygve Inda
> If your hosting provider still charges an arm and a leg for SSL, switch.

I need SSL for multiple subdomains. My host (Pair Networks) charges $449/yr
for such a certificate. That seems really expensive. What are others paying
for this? I have been very happy with Pair as we run a complex server setup
with multiple cron jobs, custom C programs etc.

I also see no way to add an SSL certificate to a CNAME'd site at Amazon S3:

download.xericdesign.com CNAME
s3.amazonaws.com/download.xericdesign.com/

Trygve

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Charles Srstka
If your app is accessing your appcast via HTTP, that could be intercepted just 
the same as your relnotes, and then the attacker could set the relnotes URL to 
whatever s/he wants.

Charles

> On Feb 9, 2016, at 7:53 PM, Graham Cox  wrote:
> 
> Wait a sec, I think I see an easy solution to this.
> 
> The appcast supplies the URL for the release notes, so that can be updated to 
> https without having to republish the app itself. That makes this a lot less 
> trouble than it seems.
> 
> Am I right?
> 
> —Graham
> 
>> On 10 Feb 2016, at 12:49 PM, Graham Cox  wrote:
>> 
>> 
>>> On 10 Feb 2016, at 12:22 PM, Jens Alfke  wrote:
>>> 
>>> It’s to display the release notes, which come from an RSS entry in the feed 
>>> and are in HTML format. And Sparkle had a couple of bugs relating to that: 
>>> (a) the WebView was configured to allow JavaScript, and (b) their delegate 
>>> handled navigation requests to file: URLs by sending them to the Finder. 
>>> This meant that a malicious feed entry could run a script to download some 
>>> malware and then tell the Finder to launch the downloaded malware installer.
>>> 
>> 
>> 
>> Got it, so the signing aspect is irrelevant.
>> 
>> Already updated to use https, but of course the problem is that in itself 
>> requires a Sparkle update… 

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Jake Petroules
AWS Certificate Manager provides multi-domain certificates (up to 100, I think) 
for free. You can serve an S3 bucket using CloudFront with a custom domain and 
SSL, and costs for this will be pretty minimal (probably well under $10 a 
month?).

> On Feb 9, 2016, at 8:48 PM, Trygve Inda  wrote:
> 
>> If your hosting provider still charges an arm and a leg for SSL, switch.
> 
> I need SSL for multiple subdomains. My host (Pair Networks) charges $449/yr
> for such a certificate. That seems really expensive. What are others paying
> for this? I have been very happy with Pair as we run a complex server setup
> with multiple cron jobs, custom C programs etc.
> 
> I also see no way to add an SSL certificate to a CNAME'd site at Amazon S3:
> 
> download.xericdesign.com CNAME
> s3.amazonaws.com/download.xericdesign.com/
> 
> Trygve

-- 
Jake Petroules - jake.petroules at petroules.com


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Graham Cox

> On 10 Feb 2016, at 12:22 PM, Jens Alfke  wrote:
> 
> It’s to display the release notes, which come from an RSS entry in the feed 
> and are in HTML format. And Sparkle had a couple of bugs relating to that: 
> (a) the WebView was configured to allow JavaScript, and (b) their delegate 
> handled navigation requests to file: URLs by sending them to the Finder. This 
> meant that a malicious feed entry could run a script to download some malware 
> and then tell the Finder to launch the downloaded malware installer.
> 


Got it, so the signing aspect is irrelevant.

Already updated to use https, but of course the problem is that in itself 
requires a Sparkle update… 

—Graham


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Graham Cox
Wait a sec, I think I see an easy solution to this.

The appcast supplies the URL for the release notes, so that can be updated to 
https without having to republish the app itself. That makes this a lot less 
trouble than it seems.

Am I right?

—Graham

> On 10 Feb 2016, at 12:49 PM, Graham Cox  wrote:
> 
> 
>> On 10 Feb 2016, at 12:22 PM, Jens Alfke  wrote:
>> 
>> It’s to display the release notes, which come from an RSS entry in the feed 
>> and are in HTML format. And Sparkle had a couple of bugs relating to that: 
>> (a) the WebView was configured to allow JavaScript, and (b) their delegate 
>> handled navigation requests to file: URLs by sending them to the Finder. 
>> This meant that a malicious feed entry could run a script to download some 
>> malware and then tell the Finder to launch the downloaded malware installer.
>> 
> 
> 
> Got it, so the signing aspect is irrelevant.
> 
> Already updated to use https, but of course the problem is that in itself 
> requires a Sparkle update… 

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Quincey Morris
On Feb 9, 2016, at 17:53 , Graham Cox  wrote:
> 
> The appcast supplies the URL for the release notes, so that can be updated to 
> https without having to republish the app itself. That makes this a lot less 
> trouble than it seems.

Yes, but the appcast itself is vulnerable to separate attack, if your access to 
it is http. (Its URL is specified in the bundle plist.)

>> Already updated to use https, but of course the problem is that in itself 
>> requires a Sparkle update… 

Yes, but it’s no worse a problem than the one you started with.


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Roland King

> On 10 Feb 2016, at 13:45, sqwarqDev  wrote:
> 
> 
>> On 10 Feb 2016, at 09:08, Charles Srstka  wrote:
>> 
>> If your app is accessing your appcast via HTTP, that could be intercepted 
>> just the same as your relnotes, and then the attacker could set the relnotes 
>> URL to whatever s/he wants.
> 
> 
> Can I just double-check my understanding here:
> 
> 1. If the SUFeedURL uses https, the app is not vulnerable.
> 
> 2. If 1 is true, neither of these matter:
>   2.1 the version of Sparkle
>   2.2 whether the release notes are http or https
> 
> 

1. True.

2. By my reading, not true. If the app notes are http then they can be spoofed 
and inject JavaScript via the WebKit widget to run nefarious code. 

Making both https works, as neither can be spoofed; upgrading Sparkle fixes the 
issue even if the notes are not https, until someone finds the next exploit, 
thus meaning all https all the time is a better way to go. 


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread Ken Thomases
On Feb 9, 2016, at 11:45 PM, sqwarqDev  wrote:
> 
> 
>> On 10 Feb 2016, at 09:08, Charles Srstka  wrote:
>> 
>> If your app is accessing your appcast via HTTP, that could be intercepted 
>> just the same as your relnotes, and then the attacker could set the relnotes 
>> URL to whatever s/he wants.
> 
> 
> Can I just double-check my understanding here:
> 
> 1. If the SUFeedURL uses https, the app is not vulnerable.

Not quite, because of 2.2 below.

Also, in theory somebody could: a) compromise your server to serve a malicious 
appcast or b) get a Certificate Authority to issue them a certificate in error 
(e.g. via social hack), thus undermining HTTPS security.  These are less likely 
and fairly catastrophic, so may be deemed to eclipse the vulnerability in 
Sparkle.


> 2. If 1 is true, neither of these matter:
>   2.1 the version of Sparkle
>   2.2 whether the release notes are http or https

If the release notes are via a separate URL and that URL is HTTP rather than 
HTTPS, then the attacker can spoof it as easily as they could spoof an HTTP 
appcast.  If they do that, then your app is just as vulnerable.

You are mostly safe if the appcast URL is HTTPS _and_ the release notes are 
embedded in the appcast or accessed via HTTPS URL.

Regards,
Ken

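An added check, not code from any poster or from Sparkle itself, covering the points Roland and Ken make above: the bundle's SUFeedURL, and every release-notes link and enclosure in the appcast, must be HTTPS. It parses a constructed Info.plist and a constructed appcast; the `updates.example.invalid` URLs are made up, while the Sparkle XML namespace and the `sparkle:releaseNotesLink` / `enclosure` element names are the real ones.

```python
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Namespace Sparkle declares on its appcast feeds (real value).
NS = {"sparkle": "http://www.andymatuschak.org/xml-namespaces/sparkle"}

# Constructed sample Info.plist: this app fetches its appcast over plain HTTP.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
</dict></plist>"""

# Constructed sample appcast: item 1.1 is all-HTTPS, item 1.0 still uses HTTP.
APPCAST = b"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle"><channel>
 <item><title>1.1</title>
  <sparkle:releaseNotesLink>https://updates.example.invalid/notes/1.1.html</sparkle:releaseNotesLink>
  <enclosure url="https://updates.example.invalid/DemoApp-1.1.zip"/></item>
 <item><title>1.0</title>
  <sparkle:releaseNotesLink>http://updates.example.invalid/notes/1.0.html</sparkle:releaseNotesLink>
  <enclosure url="http://updates.example.invalid/DemoApp-1.0.zip"/></item>
</channel></rss>"""

def is_https(url):
    # Explicit https scheme only; http, scheme-less and empty URLs all fail.
    return urlparse(url.strip()).scheme == "https"

def feed_url_findings(info_plist):
    """[(where, url)] if the bundle's SUFeedURL is present but not HTTPS."""
    feed = plistlib.loads(info_plist).get("SUFeedURL")
    if not feed or is_https(feed):
        return []
    return [("SUFeedURL", feed)]

def appcast_findings(appcast):
    """[(where, url)] for each release-notes link or enclosure not served over HTTPS."""
    findings = []
    for item in ET.fromstring(appcast).iter("item"):
        title = item.findtext("title", default="?")
        notes = item.find("sparkle:releaseNotesLink", NS)
        if notes is not None and not is_https(notes.text or ""):
            findings.append((f"item {title} releaseNotesLink", (notes.text or "").strip()))
        for enc in item.findall("enclosure"):
            if not is_https(enc.get("url", "")):
                findings.append((f"item {title} enclosure", enc.get("url", "")))
    return findings

if __name__ == "__main__":
    for where, url in feed_url_findings(INFO_PLIST) + appcast_findings(APPCAST):
        print(f"not HTTPS: {where}: {url}")
```

Against a real app, replace the two constants with the bytes of the bundle's Info.plist and the appcast it points at; an empty combined result is the "appcast HTTPS and notes HTTPS" state Ken describes.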


Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread sqwarqDev

> On 10 Feb 2016, at 09:08, Charles Srstka  wrote:
> 
> If your app is accessing your appcast via HTTP, that could be intercepted 
> just the same as your relnotes, and then the attacker could set the relnotes 
> URL to whatever s/he wants.


Can I just double-check my understanding here:

1. If the SUFeedURL uses https, the app is not vulnerable.

2. If 1 is true, neither of these matter:
  2.1 the version of Sparkle
  2.2 whether the release notes are http or https


TIA


Phil



Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

2016-02-09 Thread diederik
About feedback to users and helping them avoid problems:

So in order to avoid problems in the immediate short run, we should inform
users to turn off automatic software updates and update checks with a
current version, and also tell them how they can find out which apps use
Sparkle?

Once an updated version is available, inform them to update, but only
through a secure network?

Anything more we need to think of with regard to users?

> On Feb 9, 2016, at 11:45 PM, sqwarqDev  wrote:
>>
>>
>>> On 10 Feb 2016, at 09:08, Charles Srstka 
>>> wrote:
>>>
>>> If your app is accessing your appcast via HTTP, that could be
>>> intercepted just the same as your relnotes, and then the attacker could
>>> set the relnotes URL to whatever s/he wants.
>>
>>
>> Can I just double-check my understanding here:
>>
>> 1. If the SUFeedURL uses https, the app is not vulnerable.
>
> Not quite, because of 2.2 below.
>
> Also, in theory somebody could: a) compromise your server to serve a
> malicious appcast or b) get a Certificate Authority to issue them a
> certificate in error (e.g. via social hack), thus undermining HTTPS
> security.  These are less likely and fairly catastrophic, so may be deemed
> to eclipse the vulnerability in Sparkle.
>
>
>> 2. If 1 is true, neither of these matter:
>>  2.1 the version of Sparkle
>>  2.2 whether the release notes are http or https
>
> If the release notes are via a separate URL and that URL is HTTP rather
> than HTTPS, then the attacker can spoof it as easily as they could spoof
> an HTTP appcast.  If they do that, then your app is just as vulnerable.
>
> You are mostly safe if the appcast URL is HTTPS _and_ the release notes
> are embedded in the appcast or accessed via HTTPS URL.
>
> Regards,
> Ken
>