Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
- Thread starter MacRumors
- Start date
- Sort by reaction score
Any recommendation for a torrent program that actually updates and is currently not on the list?
Maybe Deluge?
Any reason why more apps don't use the App Store?
I've asked Team Viewer, VLC and Skype to deliver via the App Store but as you can see, my requests were in vain.
Also, I wish OS X apps would put the "Check For Updates" button in a consistent location (This is another example of lack of attention to consistency and detail.)
I've asked Team Viewer, VLC and Skype to deliver via the App Store but as you can see, my requests were in vain.
Also, I wish OS X apps would put the "Check For Updates" button in a consistent location (This is another example of lack of attention to consistency and detail.)
Lack of detail as far as who is concerned? Third party apps develop things to their liking so they can put things where they feel appropriate for them.
Right, I use nightly build. 2.84 (14306) Thank you. Works fine though. Tick "Include beta releases" at the bottom to get it.
[doublepost=1455091616][/doublepost]
Latest version is ok. VLC is one of my favourites.
[doublepost=1455092028][/doublepost]
Didn't try it, Transmission works fine for me.No one loves Vuze?
[doublepost=1455092269][/doublepost]
Remember, always be afraid anyway. Also remember War Is Peace, Freedom Is Slavery, And Ignorance Is Strength.
[doublepost=1455092526][/doublepost]
Run one of the scripts suggested on page 1 of this thread.
Last edited:
This does not solve the problem.
[doublepost=1455096373][/doublepost]
This is has nothing to do with OS X.
[doublepost=1455096650][/doublepost]
No risk in real life situations.
I have a robust list, unfortunately.
No upgrades mechanism
Taking 30%
Lately, not seeing the value, the app store is not something that is giving developers much advantages.
- Arq
- Blocs
- DXOOpticsPro10
- Geekbench 3
- Geekbench
- OpenDNS Updater
- RapidWeaver4
- Sandvox
- Snagit
- TextExpander
- Transmit
- TurboTax Deluxe 2014
- TurboTax Deluxe 2015
- Winclone
Wow, I guess you're ok then - you're risk is minimal. As for the rest of us, who use the computer a but more, its a more of an issue
I'm on openDNS, so that should hopefully help me a but more.
Because of Apple's stringent policies, not letting developers access certain APIs,
No upgrades mechanism
Taking 30%
Lately, not seeing the value, the app store is not something that is giving developers much advantages.
I think the risk is that the automatic updates can introduce a man in the middle attack. IT doesn't matter if your Mac never leaves the house or your network, the vulnerability is in the app, so when it gets updated, you could be introducing malware into your system.
If you take a look at this page: https://www.taoeffect.com/blog/2016...falling-protecting-yourself-from-sparklegate/
one of the ways to prevent the attack is to have run Firefox once. Hopefully that means I'm safe.
one of the ways to prevent the attack is to have run Firefox once. Hopefully that means I'm safe.
Consider adding a layer of security to your OpenDNS by using DNSCrypt. It supports multiple DNS-servers, OpenDNS is one of them.
Nice that your article points / links to another article (posted 11 days ago) that provides instructions on how to exploit this vulnerability in the name of awareness.
One response says it,
One response says it,
Actually, you didn't say enough. You left out, "altering the contents of someone's computer in the United States without their permission is a violation of the Computer Fraud and Abuse Act, and possibly other state computer trespass statutes, so doing this is violating the law." Ethically, you have not justified distributing such a capability to people who you are encouraging break the law with the "have fun" smiley-face closing to your post. How is handing a simple exploit technique to people helping the situation? Promoting simple exploitation is easy. Helping provide solutions and promoting more secure ways of doing things is hard. Please use your skills to do the hard thing, don't take the easy way out just to get retweets.
Are you sure this was legitimate? The same thing happened to me today. I hope you didn't call the number shown in the pop-up, as this is certainly a scam.
If it happens again, force quit Safari and then reopened it without restoring tabs, by holding Shift as you launch the app.
Interesting. The Apple technician had me shift-click on Safari, which allowed it to open normally. Then ironically she had me download Malwarebytes -- which is one of the currently affected pieces of software!
No, the App Store - at least not in the way that Apple implemented it - is NOT a good thing, for a rather long list of reasons. The App Store (and its lack of support for paid updates and upgrades) is not only an economic problem for software developers, it also did not prevent several malware from being distributed through it. Just Google for something like "apple app store malware" and you will find plenty of articles about it.
That being said, nothing is perfect, but I'd rather live with an occasional security issue with Sparkle and other installers/update tools than with a system where the monopolistic App Store would be the only means of obtaining and installing software.
[doublepost=1455113354][/doublepost]
It never was safe. There only was a time when its market share was so insignificant that nobody bothered exploiting its vulnerabilities. That time is gone and now people wake up to the reality that they bought into hype and marketing -- and that Apple's platform is by no means safer than Microsoft's. However, just to get this straight, a vulnerability is Sparkle is not a vulnerability in OS X itself.
