"HUGE" number of OSX apps vulnerable to man-in-the-middle attacks

February 9, 2016 by Paul Spoerry 2 Comments

“Huge” number of Mac apps vulnerable to hijacking, and a fix is elusive
Apps that use 3rd-party updater over insecure HTTP channels subject to MiTM attacks.

Mac users have been proclaiming the superiority of their OS in terms of security (sorry, they still have security issues), lack of viruses (yeah, they technically can get those as well), and so on… but even the most secure system is only as strong as its weakest link. The rising popularity of OSX (still only about 10% of desktops) has made it a larger target recently, and security researchers have just discovered that apps that use the 3rd-party updater Sparkle over insecure HTTP channels are subject to MiTM attacks.

They estimate the number of vulnerable apps as "huge", but state there is no way to know for sure because it's not easy to detect all the conditions necessary for them to be vulnerable. However, some big players have been identified as vulnerable, including Camtasia 2, DuetDisplay, uTorrent, VLC, and Sketch. VLC has already released an update to patch the issue. If possible… check for updates.

A longer list of apps that rely on Sparkle is on GitHub (https://github.com/sparkle-project/Sparkle/issues/717), but readers are cautioned that not all of them communicate over insecure HTTP channels or use a vulnerable version of the update framework. So while the chat client Adium uses Sparkle, it does so over HTTPS, so it's not vulnerable.
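The condition described above is Sparkle fetching its update feed over plain HTTP, which is what lets someone on the network path tamper with it. As an added example (not code from the article or from the Sparkle project), here is a defender-side inventory check that walks a directory of .app bundles, keeps the ones that ship Sparkle.framework, and reports whether the SUFeedURL key in each Info.plist points at http or https. It assumes Sparkle's SUFeedURL Info.plist key (apps can instead supply the feed URL in code, so a missing key is not a clean bill of health) and exercises the check on constructed demo bundles with hypothetical names, not real apps.

```python
import os
import plistlib
import tempfile
from urllib.parse import urlsplit

def classify_feed(feed_url):
    """Verdict for an SUFeedURL value (Sparkle's appcast URL key in Info.plist)."""
    if not feed_url:
        return "no-feed-key"  # feed may be supplied in code instead; inspect the app manually
    scheme = urlsplit(feed_url).scheme.lower()
    return {"https": "https", "http": "insecure-http"}.get(scheme, "other-scheme")

def audit_sparkle_apps(apps_root):
    """Return [(bundle, feed_url, verdict)] for each *.app under apps_root that bundles Sparkle."""
    results = []
    for bundle in sorted(os.listdir(apps_root)):
        contents = os.path.join(apps_root, bundle, "Contents")
        if not bundle.endswith(".app") or not os.path.isdir(
                os.path.join(contents, "Frameworks", "Sparkle.framework")):
            continue  # not an app bundle, or no Sparkle: out of scope for this check
        try:
            with open(os.path.join(contents, "Info.plist"), "rb") as fh:
                info = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException):
            results.append((bundle, None, "unreadable-plist"))
            continue
        feed = info.get("SUFeedURL")
        results.append((bundle, feed, classify_feed(feed)))
    return results

def make_demo_bundle(root, name, feed_url=None, with_sparkle=True):
    """Write a constructed, minimal .app skeleton (hypothetical app name) to exercise the audit."""
    contents = os.path.join(root, name + ".app", "Contents")
    os.makedirs(os.path.join(contents, "Frameworks", "Sparkle.framework") if with_sparkle else contents)
    info = {"SUFeedURL": feed_url} if feed_url else {}
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)

def build_demo_root():
    """Create a temp directory of constructed bundles standing in for /Applications."""
    root = tempfile.mkdtemp()
    make_demo_bundle(root, "PlainApp", "http://updates.example.invalid/appcast.xml")
    make_demo_bundle(root, "SafeApp", "https://updates.example.invalid/appcast.xml")
    make_demo_bundle(root, "NoSparkle", "http://updates.example.invalid/a.xml", with_sparkle=False)
    return root

if __name__ == "__main__":
    for row in audit_sparkle_apps(build_demo_root()):
        print(row)
```

Point `audit_sparkle_apps` at `/Applications` on a real Mac to get the same report for installed software; an "insecure-http" row is a candidate for the update check the post recommends.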

Comments

  1. Paul Smith-Keitley says

    February 9, 2016 at 3:13 pm

    you must be wrong – Apple is very secure 😉

  2. Paul Spoerry says

    February 9, 2016 at 8:11 pm

    Tooooootally secure.
