Question

Sparkle Updater Framework HTTP man-in-the-middle vulnerability


bentoms
  • Legendary Contributor
  • 4331 replies

Hi All,

A vulnerability in the Sparkle Updater Framework that can potentially be exploited via man-in-the-middle attacks has been disclosed.

I've been looking into it with a few folks on the MacAdmins Slack (macadmins.org) & with the help of @Banks (amongst others), I have written a post on this issue, included within which is an Extension Attribute to help detect vulnerable applications.

3 replies

  • Contributor
  • 529 replies
  • February 8, 2016

Hmmm

NSAllowsArbitraryLoads NOTE Disabling ATS allows connection regardless of HTTP or HTTPS configuration, allows connection to servers with lower TLS versions, and allows connection using cipher suites that do not support forward secrecy (FS).

or any of the other 'I'd like to reduce the security of my app options'

ATS

and then there's

bettercap and sparkle

Enjoying this one?
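An added example, written here for this thread and not the Extension Attribute from the original post or anything from the Sparkle project: a POSIX shell audit that walks a directory of .app bundles, reports which ones ship Sparkle.framework with a plain-HTTP SUFeedURL (the appcast fetch that a man-in-the-middle can tamper with), and also flags NSAllowsArbitraryLoads=true in Info.plist, the ATS opt-out quoted above. The app names, bundle layout and feed URLs below are constructed fixtures so the script runs anywhere; a real Extension Attribute would point it at /Applications and, on macOS, would normally read the plist with `defaults read` or PlistBuddy rather than awk, since awk only handles XML plists, not binary ones.

```shell
#!/bin/sh
# Audit .app bundles for an HTTP Sparkle feed and for NSAllowsArbitraryLoads.
# Example code added for this thread; bundle names and URLs are constructed.

# plist_string KEY FILE -> the <string> value that follows <key>KEY</key> (XML plists only)
plist_string() {
    awk -v k="<key>$1</key>" '
        found && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
        index($0, k)        { found = 1 }
    ' "$2"
}

# plist_bool KEY FILE -> "true" / "false" for <true/> or <false/> after the key, empty if absent
plist_bool() {
    awk -v k="<key>$1</key>" '
        found && /<true\/>/  { print "true";  exit }
        found && /<false\/>/ { print "false"; exit }
        index($0, k)         { found = 1 }
    ' "$2"
}

# feed_status INFO_PLIST -> none | http | https | other, based on the SUFeedURL scheme
feed_status() {
    url=$(plist_string SUFeedURL "$1")
    case "$url" in
        "")        echo none ;;
        http://*)  echo http ;;
        https://*) echo https ;;
        *)         echo other ;;
    esac
}

# audit_app APP -> "<name> sparkle=yes|no feed=<status> ats_arbitrary=true|false|unset"
audit_app() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    if [ -d "$1/Contents/Frameworks/Sparkle.framework" ]; then sparkle=yes; else sparkle=no; fi
    ats=$(plist_bool NSAllowsArbitraryLoads "$plist")
    printf '%s sparkle=%s feed=%s ats_arbitrary=%s\n' \
        "$(basename "$1")" "$sparkle" "$(feed_status "$plist")" "${ats:-unset}"
}

# find_vulnerable DIR -> only the apps that bundle Sparkle and fetch their appcast over plain HTTP
find_vulnerable() {
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        line=$(audit_app "$app") || continue
        case "$line" in
            *"sparkle=yes feed=http "*) echo "$line" ;;
        esac
    done
}

# ea_result DIR -> Jamf-style Extension Attribute output, "None" when nothing is flagged
ea_result() {
    found=$(find_vulnerable "$1")
    printf '<result>%s</result>\n' "${found:-None}"
}

# mk_app DIR NAME FEEDURL SPARKLE(yes|no) ATS(true|false|"") -> writes a constructed fixture bundle
mk_app() {
    mkdir -p "$1/$2.app/Contents"
    if [ "$4" = yes ]; then mkdir -p "$1/$2.app/Contents/Frameworks/Sparkle.framework"; fi
    {
        echo '<?xml version="1.0" encoding="UTF-8"?>'
        echo '<plist version="1.0"><dict>'
        echo "  <key>CFBundleIdentifier</key>"
        echo "  <string>com.example.$2</string>"
        if [ -n "$3" ]; then
            echo "  <key>SUFeedURL</key>"
            echo "  <string>$3</string>"
        fi
        if [ -n "$5" ]; then
            echo "  <key>NSAppTransportSecurity</key>"
            echo "  <dict>"
            echo "    <key>NSAllowsArbitraryLoads</key>"
            echo "    <$5/>"
            echo "  </dict>"
        fi
        echo '</dict></plist>'
    } > "$1/$2.app/Contents/Info.plist"
}

# make_fixture -> prints a temp dir holding three constructed apps (hypothetical names and URLs)
make_fixture() {
    dir=$(mktemp -d)
    mk_app "$dir" OldBurner  "http://updates.example.test/appcast.xml"  yes true
    mk_app "$dir" SafeEditor "https://updates.example.test/appcast.xml" yes ""
    mk_app "$dir" NoUpdater  ""                                          no  false
    echo "$dir"
}

# Stand-alone demo against the fixtures; for a real EA replace "$fixtures" with /Applications.
fixtures=$(make_fixture)
ea_result "$fixtures"
rm -rf "$fixtures"
```

Only a Sparkle bundle whose feed is fetched over HTTP is reported, since an HTTPS appcast is not the case the advisory is about; the ATS column is informational so an admin can see which of the flagged apps has also turned ATS off. An app that bundles Sparkle but has no SUFeedURL in Info.plist (the URL can be supplied by the delegate in code) shows as feed=none, so that case needs a manual look.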


  • Contributor
  • 529 replies
  • February 11, 2016

Guess who replied with this message despite having links and brief explanation!

I understand you would like an update release that addresses security vulnerabilities on the Mac, particularly with Sparkle feeds. Be advised that you have contacted the Roxio Technical Support department. You may have sent your email by mistake, as we do not have anything to do with Sparkle (sparkle-project.org). If you want security issues on the Mac addressed, you need to contact Apple Support. Please do not hesitate to contact us with any further questions.

Off to find me a new bit of wall!


  • Contributor
  • 529 replies
  • April 13, 2016

Anyone have a large Toast base that wants to give Corel a kicking?

Thank you for contacting Corel Technical Support. We have received feedback from our Engineering department and were informed that no more development is being done for Toast 14. Any existing issues in the current version will be fixed in our future releases. At this point, the only thing we can offer is a refund for your purchase. Our sincerest apologies, and let us know. Please do not hesitate to contact us with any further questions.
