Monday, February 15, 2016

Mac update system makes them vulnerable to attack

Several years ago, when there were still no app stores or automatic software updates, computer users had to download updates manually from the manufacturers, or from external websites that hosted this type of upgrade.

Most companies have already switched to modern and much safer systems. Apple, however, still holds on to a fairly archaic system, Sparkle, which distributes software updates for Macs. The problem is that the tool is no longer safe and could pose a serious threat to users. This was discovered by a security specialist who goes by the pseudonym Radek.

Radek actually discovered as many as two vulnerabilities. The first: to establish the connection between the software manufacturer's server and the user's computer, Sparkle uses plain HTTP instead of encrypted HTTPS. As a result, a hacker could mount a man-in-the-middle attack, intercepting the communication between the two devices along the way.

The second vulnerability is related to the way in which Sparkle uses the WebKit WebView component. Hackers can use it to execute potentially dangerous JavaScript code, and if the server host allows certain XML files to be edited, hackers could get into any computer that uses the update system.

The good news is that not all applications that use Sparkle are susceptible to these vulnerabilities. Unfortunately, the vulnerable ones include some of the most popular software on the Mac, such as VLC, Adium, Coda and iTerm. Fortunately, the developers have patched the vulnerabilities on their side, so we can hope that the threat will soon be eliminated.
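A defender's check for the first issue, as an added example that is not part of the original post: it reads each installed app's `Info.plist` and flags those whose Sparkle feed URL (the `SUFeedURL` key) is fetched over plain HTTP. The sample plists and the `updates.example.com` host are constructed, and the `/Applications` default is an assumption about where apps are installed.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

# Constructed Info.plist samples (not taken from any real application).
SAMPLE_HTTP = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>ExampleApp</string>
  <key>SUFeedURL</key><string>http://updates.example.com/appcast.xml</string>
</dict></plist>"""
SAMPLE_HTTPS = SAMPLE_HTTP.replace(b"http://", b"https://")
SAMPLE_NO_SPARKLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>PlainApp</string>
</dict></plist>"""


def classify_feed(plist_bytes):
    """Return (app_name, feed_url, verdict) for one Info.plist."""
    try:
        info = plistlib.loads(plist_bytes)
    except Exception:
        return (None, None, "unreadable")
    if not isinstance(info, dict):
        return (None, None, "unreadable")
    name = info.get("CFBundleName")
    feed = info.get("SUFeedURL")
    # A missing key is not proof of safety: the feed can also be set in code.
    if not isinstance(feed, str) or not feed.strip():
        return (name, None, "no-feed")
    feed = feed.strip()
    scheme = urlsplit(feed).scheme.lower()
    verdict = {"https": "encrypted", "http": "cleartext"}.get(scheme, "other")
    return (name, feed, verdict)


def audit_applications(root="/Applications"):
    """Scan app bundles under root; return (bundle, url) for HTTP feeds."""
    findings = []
    for plist in sorted(Path(root).glob("*.app/Contents/Info.plist")):
        try:
            _, feed, verdict = classify_feed(plist.read_bytes())
        except OSError:
            continue  # unreadable bundle, skip it
        if verdict == "cleartext":
            findings.append((plist.parent.parent.name, feed))
    return findings


if __name__ == "__main__":
    for app, url in audit_applications():
        print(f"{app}: update feed over plain HTTP -> {url}")
```
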

