Sparkle Vulnerability Real, but Exploits Highly Unlikely

While numerous readers love our regular TidBITS Watchlist feature, in which we track notable updates for key Mac software, many apps no longer require you to go hunting for the latest versions as they're released. Instead, these apps use an open source framework called Sparkle to check for, download, and install updates automatically.

Unfortunately, some developers haven't been careful enough with their implementations of Sparkle, and that could put your Mac at risk of attack. Researcher Radosław Karpowicz found that many developers point Sparkle at their update servers over unencrypted HTTP connections, which makes man-in-the-middle attacks possible. An attacker on the same network could intercept the update check, insert malicious code into the response, and hijack your Mac via the compromised app, all without triggering Apple's Gatekeeper security feature, since Gatekeeper inspects newly downloaded apps on first launch, not code fetched by an app you are already running.

Sparkle itself isn't really doing much wrong, since using unencrypted HTTP connections violates this recommendation in its documentation: "We strongly encourage you to use HTTPS URLs for the AppCast." Regardless, the Sparkle team has already updated Sparkle to address the vulnerability. The catch is that getting an updated app with the new Sparkle code requires, well, getting an update, which could itself expose you to the vulnerability.

But don't panic! To exploit this vulnerability, an attacker would need to be on the same network as your Mac. So if you're at home or in the office on an Ethernet or secure Wi-Fi connection, and you trust the other devices on that network, there is little to fear: keep letting your apps update when they want, and as long as you stay on a private network, you'll be fine. However, if you often use public Wi-Fi networks without a VPN securing all your network traffic, you could be at risk if a sufficiently capable attacker is sitting at the next table. That risk applies to any affected app that is running with automatic update checking enabled. Using a VPN will keep you safe and should be standard operating procedure on networks outside your home or office. If a VPN isn't an option, you can also disable automatic update checking in any apps that use Sparkle, and when an update arrives, download and install it manually, preferably from the developer's site over HTTPS, since a manual download over plain HTTP faces the same man-in-the-middle exposure. Since taking advantage of this vulnerability would require a targeted attack, it's highly unlikely that it would be used indiscriminately against people who aren't high-profile government or corporate officials.

If you are still worried, how do you figure out which apps are vulnerable? People have offered all sorts of Terminal commands to suss out vulnerable apps, but the best one I've found comes from RussW, a commenter on Mac Kung Fu. His solution checks whether an app both bundles Sparkle and uses an insecure HTTP feed URL, and then prints a list of those apps in a fairly readable format. Unfortunately, there are smart quotes in RussW's text that partially break the command (thanks to reader Joe for pointing that out), so I've created a Pastebin link with the properly formatted command. Follow that link, copy the command under RAW Paste Data, paste it into the Terminal window, and press Return. Terminal will list the vulnerable apps in your Applications folder. The list may be long, but if you use public Wi-Fi networks, you can use it to decide which apps should have automatic updates disabled until a fixed version is available.
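As an added illustration of the check described above (this script is mine, not RussW's command and not anything from the original article), here is a small POSIX shell script that does the same job: it walks the .app bundles in a directory, keeps those that embed Sparkle.framework, reads the SUFeedURL key from each bundle's Info.plist, and flags feeds whose URL starts with http://. The bundle layout (Contents/Info.plist, Contents/Frameworks/Sparkle.framework), the SUFeedURL key and the plutil tool are real Sparkle and macOS conventions; the function names, the cat fallback for systems without plutil, and the tab-separated output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: list app bundles that embed Sparkle.framework and advertise a
# plain-http SUFeedURL. Assumes the standard macOS bundle layout:
#   <App>.app/Contents/Info.plist
#   <App>.app/Contents/Frameworks/Sparkle.framework
# Function names and output format are this example's own choices.

# Print the SUFeedURL from an Info.plist, or nothing if the key is absent.
# plutil (macOS) normalises binary plists to XML; on systems without plutil
# the file is read as-is, which is enough for an XML plist.
feed_url() {
    plist="$1"
    if command -v plutil >/dev/null 2>&1; then
        xml=$(plutil -convert xml1 -o - "$plist" 2>/dev/null)
    else
        xml=$(cat "$plist" 2>/dev/null)
    fi
    # The value is the <string> element following the SUFeedURL key,
    # whether it sits on the same line or the next one.
    printf '%s\n' "$xml" | awk '
        /<key>SUFeedURL<\/key>/ { want = 1; sub(/.*<key>SUFeedURL<\/key>/, "") }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }'
}

# Classify one feed URL: "insecure" for plain http, "secure" for https,
# "unknown" for anything else (empty, ftp://, file://, ...).
classify_feed() {
    case "$1" in
        http://*)  echo insecure ;;
        https://*) echo secure ;;
        *)         echo unknown ;;
    esac
}

# Scan a directory of .app bundles (default /Applications) and print
# "<app><TAB><status><TAB><url>" for every bundle that ships Sparkle.
scan_apps() {
    dir="${1:-/Applications}"
    for app in "$dir"/*.app; do
        [ -d "$app/Contents/Frameworks/Sparkle.framework" ] || continue
        url=$(feed_url "$app/Contents/Info.plist")
        printf '%s\t%s\t%s\n' "$(basename "$app" .app)" \
            "$(classify_feed "$url")" "$url"
    done
}

# Only the bundles worth switching to manual updates: names of apps whose
# feed is fetched over plain http.
insecure_apps() {
    scan_apps "$1" | awk -F'\t' '$2 == "insecure" { print $1 }'
}

# Usage on a Mac:  . ./sparkle_check.sh; insecure_apps
```

The script only sees what is declared in Info.plist. An app that supplies its feed URL programmatically through Sparkle's updater delegate, or that nests Sparkle inside a helper app deeper in the bundle, will not be listed, so treat the output as a lower bound rather than a clean bill of health. Conversely, an app with an https feed still needs to ship the updated Sparkle framework before it is fully fixed; the feed scheme is the part you can check from the outside.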