I ran that, but it just gave me a bunch of URLs. Do these URLS mean that the corresponding apps use HTTP for updating and are safe as a result?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
- Thread starter MacRumors
- Start date
- Sort by reaction score
Malwarebytes and Viscocity seems not to have caught up. They are on sub 1.13.1 versions.
[doublepost=1455065096][/doublepost]
Try Transmission.
Transmission is on the list.Malwarebytes and Viscocity seems not to have caught up. They are on sub 1.13.1 versions.
[doublepost=1455065096][/doublepost]
Try Transmission.
So many... At least most of the ones I HAVE to use aren't below 1.13.1
- A Better Finder Rename 10
- Coda 2
- CodeKit
- Cyberduck
- DaisyDisk
- Dock Library
- Evom
- HandBrake
- HipChat
- ImageOptim
- Kaleidoscope
- Mailbox (Beta)
- MAMP
- Monotype SkyFonts
- OpenEmu
- Senuti
- Sequel Pro
- Sofortbild
- SourceTree
- StrongVPN Client
- TeamViewer
- TinyGrab
- Transmission
- Tunnelblick
- UnRarX
- Versions
- Viscosity
- VLC
- Zeplin (Beta)
Mind that for those using these scripts that Sparkle framework might be masked (e.g. renaming Autoupdate.app inside Sparkle.framework to something else, for example in Duet display) or used in different paths than /Applications (e.g. in Library/PreferencePanes for Logitech Options, in /Library/ScriptingAdditions for XtraFinder, etc).
The good thing is that this vulnerability has only (?) recently been discovered so we should be careful from now on when checking and installing updates. Having old/abandoned/not-likely-to-suggest-updates software is not going to hurt you, you have to trust and do the fake update to get infected with something. What we need a list for apps that use Sparkle framework which update through HTTP. Nevertheless, I don't think that any application doing automatic updates in the background would/should use insecure HTTP and you would be naive to leave such an option on if it exists.
The good thing is that this vulnerability has only (?) recently been discovered so we should be careful from now on when checking and installing updates. Having old/abandoned/not-likely-to-suggest-updates software is not going to hurt you, you have to trust and do the fake update to get infected with something. What we need a list for apps that use Sparkle framework which update through HTTP. Nevertheless, I don't think that any application doing automatic updates in the background would/should use insecure HTTP and you would be naive to leave such an option on if it exists.
Last edited:
The apps that use HTTP and have not updated Sparkle are not safe. If the app uses HTTPS, it's safe.
Transmission is on the list.
Transmission uses ver 1.5 so it should be ok. At least mine does. Make sure you use the latest version.
* edit as chrfr pointed out, 1.5 is older than 1.13.1 and therefore vulnareble. My bad.
Last edited:
Those with an HTTP URL are at risk if they use the unpatched framework (which is difficult to tell, as some programs may have compiled the framework themselves). HTTPS mitigates this. The problem occurs when there is another URL within the XML/RSS feed to which this first URL links. Sparkle will attempt to load that other URL to present the patch notes and a man in the middle could potentially load something else through it if they hijack this. If the feed URL is itself on HTTPS then this will not be possible.
Last edited:
You don't have to (permanently) delete apps, you just have to download updates to them manually from their makers website (and switch off auto-updating). If the act of updating one of the apps had already been the source of malware getting onto your computer then it is possible that the app is infected but it is equally possible that the app itself is fine and the malware placed its payload somewhere else. If you have been infected, the only save way would be to wipe your disk and restore from a backup made before this potential infection (the date of which you would have no way of knowing).
A good list would be one of app that are vulnerable and that offer auto-updating, because those are the only ones that would require immediate action.
Put things into perspective - this isn't going to affect many people who currently have apps that use Sparkle.
I'm not too concerned, and will still favour non AppStore over AppStore versions which in many cases have less functionality.
It's really a big song and dance: The chances of being affected by this vulnerability is very small.
This was proof of concept and I doubt anyone is ready for mass exploitation.
At most, this is a chance for fear mongering and how this is solid evidence that OSX should be locked down with MacAppStore!
Good news that the vulnerability is patched and will work its way into affected apps.
I'm not too concerned, and will still favour non AppStore over AppStore versions which in many cases have less functionality.
It's really a big song and dance: The chances of being affected by this vulnerability is very small.
This was proof of concept and I doubt anyone is ready for mass exploitation.
At most, this is a chance for fear mongering and how this is solid evidence that OSX should be locked down with MacAppStore!
Good news that the vulnerability is patched and will work its way into affected apps.
Last edited:
The annoying thing is that network-related vulnerabilities always seem to be related to insecure connections and the reluctance to make the switch to HTTPS. If everyone would have just moved to HTTPS years ago, issues like these would simply not be there. It has to be said that Apple is pushing developers to do this. For instance, for iOS 9 and OS X 10.11 they introduced a new opt-out security policy that requires developers to adopt secure network connections. It turns out that this is still not enough and worse still, some big names like Google actively encouraged developers to opt out so that their own ad networks can continue to work.
It annoys me to no end that even developers of respected applications are now affected by this, purely because they did not adopt HTTPS, the vulnerability notwithstanding.
I don't think I ever downloaded a single app on my Mac lol. Just been using the stock ones for 4 years now.
I agree. What I don't understand is why we need to continue to support those apps if they aren't pushing hard to go to HTTPS.
Transmission has not been updated since June 2014 (latest version is 2.84). You actually have to use the nightly builds to get decent Yosemite+ support. I looked at the “appcast” feed they are using and it seems that they are indeed on the red list: they load the patch notes through separate HTTP URLs within the feed. This is the big issue of the vulnerability.
Which is indeed a good thing. But it just goes to show that OS X does not work on fairy dust and that even Mac developers are lazy or negligent.
Nope. All I need to do is set up a wifi access point called "attwifi", "Google Starbucks", "TWCWiFi", etc., wait for your laptop to join it, and wait for your laptop to ask for a file that would look like any other update to one of the affected apps.
I got :
- DaisyDisk
- Flux
- UnrarX
- VLC
Seriously, what's the next step to take? *newbie here*
Updated VLC. Deleted UnrarX
[doublepost=1455070428][/doublepost]
No one loves Vuze?
- DaisyDisk
- Flux
- UnrarX
- VLC
Seriously, what's the next step to take? *newbie here*
Updated VLC. Deleted UnrarX
[doublepost=1455070428][/doublepost]
Try Transmission.
No one loves Vuze?
Last edited:
No one loves Vuze?
You mean Azureus. ;-)
I don’t like it. It still reminds me of my Windows time (2008 and earlier) and it is even still written in Java. It comes with its very own installer, which is something I really do not like. You just never know what such a program installs once it asks for your credentials. uTorrent, which does the same thing, is known to have bundled the Spigot adware in its installer. If an application must use an installer, then it should use the one that is included with OS X.
I prefer Transmission because it is simply a very clean and lean app, does not require an installer and is completely open source.
The App Store is a good thing, but it isn't the best thing. Due to limitations Apple puts on developers, certain GREAT apps will have to continue to be offered outside of the App Store.