How updating your Mac's apps could allow man-in-the-middle attacks<article>
<section class="page">
<p>
The drumbeat of avoiding insecure “http” web connections beats every louder. A researcher
disclosed several days ago a vulnerability hiding in plain sight with the
Sparkle update framework for OS X Yosemite and El Capitan. Because Sparkle allows apps to update via non-encrypted web connections, the potential of sending malicious updates through man-in-the-middle attacks is quite high. But the attack works because of three separate OS X issues: executing JavaScript in WebKit views intended to show formatted text; mounting FTP servers on the desktop; and Gatekeeper not checking certain paths for and kinds of downloaded files. (Ars Technica
reported first on the researcher’s post, which went up in late January.)</p><p class="jumpTag"><a href="/article/3031381/software/how-updating-your-macs-apps-could-allow-man-in-the-middle-attacks.html#jump">To read this article in full or to leave a comment, please click here[/url]</p></section></article>
Source:
How updating your Mac's apps could allow man-in-the-middle attacks
