|
Title: How updating your Mac's apps could allow man-in-the-middle attacks Post by: HCK on February 11, 2016, 09:00:14 pm How updating your Mac's apps could allow man-in-the-middle attacks
<article> <section class="page"> <p> The drumbeat of avoiding insecure “http” web connections beats every louder. A researcher disclosed several days ago (https://vulnsec.com/2016/osx-apps-vulnerabilities/) a vulnerability hiding in plain sight with the Sparkle update framework (https://sparkle-project.org) for OS X Yosemite and El Capitan. Because Sparkle allows apps to update via non-encrypted web connections, the potential of sending malicious updates through man-in-the-middle attacks is quite high. But the attack works because of three separate OS X issues: executing JavaScript in WebKit views intended to show formatted text; mounting FTP servers on the desktop; and Gatekeeper not checking certain paths for and kinds of downloaded files. (Ars Technica reported first (http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/) on the researcher’s post, which went up in late January.)</p><p class="jumpTag"><a href="/article/3031381/software/how-updating-your-macs-apps-could-allow-man-in-the-middle-attacks.html#jump">To read this article in full or to leave a comment, please click here[/url]</p></section></article> Source: How updating your Mac's apps could allow man-in-the-middle attacks (http://www.macworld.com/article/3031381/software/how-updating-your-macs-apps-could-allow-man-in-the-middle-attacks.html#tk.rss_all) |