Your new post is loading...
A security engineer has recently discovered a serious vulnerability in Sparkle, the widely used open source software update framework for Mac applications, that could be exploited by attackers to mount a man-in-the-middle attack and ultimately take control of the computer if they are located on the same network.
Since it inception in 2006, Sparkle slowly became the de-facto standard for OS X application updates. It is used by many, many popular applicationsincluding Evernote, Coda, VLC Media Player, Slack, and TeamViewer (to name a few), but not all these apps are vulnerable to this attack.
That's because the flaw can be exploited only if the app using the vulnerable version of Sparkle also uses HTTP to receive updates.
"The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response)," explained the researcher, who goes by the name of Radek.
Learn more / En savoir plus / Mehr erfahren:
http://www.scoop.it/t/apple-mac-ios4-ipad-iphone-and-in-security
A security engineer has recently discovered a serious vulnerability in Sparkle, the widely used open source software update framework for Mac applications, that could be exploited by attackers to mount a man-in-the-middle attack and ultimately take control of the computer if they are located on the same network.
Since it inception in 2006, Sparkle slowly became the de-facto standard for OS X application updates. It is used by many, many popular applicationsincluding Evernote, Coda, VLC Media Player, Slack, and TeamViewer (to name a few), but not all these apps are vulnerable to this attack.
That's because the flaw can be exploited only if the app using the vulnerable version of Sparkle also uses HTTP to receive updates.
"The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response)," explained the researcher, who goes by the name of Radek.
Learn more / En savoir plus / Mehr erfahren:
http://www.scoop.it/t/apple-mac-ios4-ipad-iphone-and-in-security