Sparkle Updater Framework HTTP man-in-the-middle vulnerability

bentoms
Honored Contributor III

Hi All,

A vulnerability in the Sparkle Updater Framework that can potentially be exploited via man-in-the-middle attacks has been disclosed.

I've been looking into it with a few folks on the [MacAdmins Slack](macadmins.org) & with the help of @Banks (amongst others), I have written a post on this issue, included within which is an Extension Attribute to help detect vulnerable applications.
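As an added illustration of what such a detection check looks like (this is not the Extension Attribute from the post above, and it is not Sparkle's own code): a small POSIX shell sketch that lists application bundles embedding Sparkle.framework whose appcast feed (Sparkle's `SUFeedURL` Info.plist key) is fetched over plain `http://`, and also flags bundles that switch App Transport Security off via `NSAllowsArbitraryLoads`, the point raised further down in this thread. It assumes the standard `.app/Contents/Frameworks` layout; the directory to scan is whatever you pass in.

```shell
#!/bin/sh
# Added example, not the Extension Attribute from the post above: list apps that embed
# Sparkle.framework and either fetch their appcast over plain http:// or disable App
# Transport Security. Assumes the usual bundle layout and Sparkle's SUFeedURL plist key.

# Render an Info.plist as XML so it can be searched (plutil on macOS; otherwise assume XML).
plist_as_xml() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

# Extract the SUFeedURL string from an Info.plist; prints nothing if the key is absent.
sparkle_feed_url() {
    plist_as_xml "$1" | tr -d '\n' \
      | sed -n 's/.*<key>SUFeedURL<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# True when NSAllowsArbitraryLoads is set, i.e. ATS no longer enforces HTTPS/TLS requirements.
ats_disabled() {
    plist_as_xml "$1" | tr -d '\n' \
      | grep -q '<key>NSAllowsArbitraryLoads</key>[[:space:]]*<true/>'
}

# One line per finding, "<app path><TAB><reason>", for every Sparkle-embedding app under $1.
find_risky_sparkle_apps() {
    for app in "$1"/*.app; do
        [ -d "$app/Contents/Frameworks/Sparkle.framework" ] || continue
        plist="$app/Contents/Info.plist"
        [ -f "$plist" ] || continue
        feed=$(sparkle_feed_url "$plist")
        case "$feed" in
            http://*) printf '%s\tfeed over plain HTTP: %s\n' "$app" "$feed" ;;
        esac
        if ats_disabled "$plist"; then
            printf '%s\tATS disabled via NSAllowsArbitraryLoads\n' "$app"
        fi
    done
}
# Jamf Extension Attribute style wrapper: findings inside <result>, or None.
report() {
    found=$(find_risky_sparkle_apps "${1:-/Applications}")
    if [ -n "$found" ]; then
        printf '<result>%s</result>\n' "$found"
    else
        printf '<result>None</result>\n'
    fi
}
```

Call `report /Applications` to get the `<result>` block an Extension Attribute expects; a Sparkle app whose feed is already HTTPS is only reported if it also disables ATS.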


sean
Valued Contributor

Hmmm

NSAllowsArbitraryLoads NOTE Disabling ATS allows connection regardless of HTTP or HTTPS configuration, allows connection to servers with lower TLS versions, and allows connection using cipher suites that do not support forward secrecy (FS).

or any of the other 'I'd like to reduce the security of my app options'

ATS

and then there's

bettercap and sparkle

Enjoying this one?

sean
Valued Contributor

Guess who replied with this message despite having links and brief explanation!

I understand you would like an update release that addresses security vulnerabilities on the Mac, particularly with Sparkle feeds. Be advised that you have contacted the Roxio Technical Support department. You may have sent your email by mistake, as we do not have anything to do with Sparkle (sparkle-project.org). If you want security issues on the Mac addressed, you need to contact Apple Support. Please do not hesitate to contact us with any further questions.

Off to find me a new bit of wall!

sean
Valued Contributor

Anyone have a large Toast base that wants to give Corel a kicking?

Thank you for contacting Corel Technical Support. We have received feedback from our Engineering department and were informed that no more development is being done for Toast 14. Any existing issues in the current version will be fixed in our future releases. At this point, the only thing we can offer is a refund for your purchase. Our sincerest apologies, and let us know. Please do not hesitate to contact us with any further questions.