Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#6062 closed Bug (duplicate)

Sparkle Updater framework vulnerability

Reported by: Lanark Owned by: livings124
Priority: High Milestone: None Set
Component: Mac Client Version: 2.84
Severity: Normal Keywords: security vulnerability
Cc:

Description

As reported here (https://vulnsec.com/2016/osx-apps-vulnerabilities/) many OSX apps using the sparkle framework are vulnerable to a MITM attack when performing a system update. The transmission servers already support HTTPS, so I think that all this requires is editing the info.plist to use HTTPS instead of insecure HTTP

Hacker News discussion https://news.ycombinator.com/item?id=10995802

Change History (2)

comment:1 Changed 6 years ago by mike.dld

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #6061.

comment:2 Changed 6 years ago by xnyhps

Only updating the RSS feed URL is not enough. As noted by the vulnsec.com blog, there are two vulnerabilities here:

We have two different vulnerabilities here. First one is connected with the default configuration (http) which is unsafe and leads to RCE over MITM attack inside untrusted environment.

The second one is the risk of parsing file://, ftp:// and other protocols inside the WebView? component. As a result, if there is a security flaw on the server that allows replacing XML file, it can target all people through the affected application. It's possible even without knowing the private DSA key, without modifying application binary on the server and over https. After that, it doesn't require the MITM attack anymore.

All this does is attempt to fix the first one. But considering the "release notes" URL in the appcast file is still "http://www.transmissionbt.com/appcast/releasenotes.html" that doesn't work.

The DSA signature used for Sparkle saved people from auto-updating to the OSX.KeRanger?.A infected 2.90 copy, but due to the second vulnerability the attackers could have bypassed that if they had access to modify the Sparkle appcast or release notes file.

Note: See TracTickets for help on using tickets.