Sparkle Vulnerability Real, but Exploits Highly Unlikely

While numerous readers love our regular TidBITS Watchlist feature, in which we track notable updates for key Mac software, many apps no longer require you to go hunting for the latest versions as they’re released. Instead, these apps use an open source framework called Sparkle to check for, download, and install updates automatically.

Unfortunately, some developers haven’t been careful enough with their implementations of Sparkle, and that could put your Mac at risk of attack. Researcher Radosław Karpowicz found that many developers use unencrypted HTTP connections to their servers, which makes man-in-the-middle attacks possible. So, a bad guy could sniff out your network connection, insert malicious code, and hijack your Mac via the compromised app without triggering Apple’s Gatekeeper security feature.

Sparkle itself isn’t really doing much wrong, since using unencrypted HTTP connections violates this recommendation in its documentation: “We strongly encourage you to use HTTPS URLs for the AppCast.” Regardless, the Sparkle team has already updated Sparkle to address the vulnerability. The only problem is that getting an updated app with the new Sparkle code requires, well, getting an update, which could expose you to the vulnerability.

But don’t panic! To exploit this vulnerability, an attacker would need to be on the same network as your Mac. So if you’re safely in the confines of your home or office with an Ethernet or secure Wi-Fi connection, you have nothing to fear. Just keep letting your apps update when they want, and as long as you’re on a private network, you’ll be fine.

However, if you often use public Wi-Fi networks without also employing a VPN to secure all your network traffic, you could be at risk if there was a sufficiently capable hacker at the next table. That risk would apply for any affected app that has automatic update checking enabled and is running. However, using a VPN will keep you safe and should be standard operating procedure when using networks outside your home or office. If a VPN isn’t an option, you can also disable automatic update checking in any apps that use Sparkle, and when an update arrives, download and install it manually.
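
To find which installed apps this applies to, here is an added example (not from the original article or the Sparkle project): a Python script that lists app bundles whose Info.plist declares a Sparkle feed, via the `SUFeedURL` key, and flags the ones served over plain HTTP. It assumes the feed URL is declared in Info.plist; apps that bundle Sparkle.framework but set the feed in code are reported as `unknown`.

```python
"""Audit macOS app bundles for Sparkle appcast feeds served over plain HTTP."""
import plistlib
import sys
from pathlib import Path
from urllib.parse import urlparse


def classify_feed(url):
    """Return 'https', 'http' or 'other' for a Sparkle SUFeedURL value."""
    scheme = urlparse(str(url).strip()).scheme.lower()
    return scheme if scheme in ("http", "https") else "other"


def audit_app(app):
    """Inspect one .app bundle; return None if it shows no sign of Sparkle."""
    app = Path(app)
    try:
        with (app / "Contents" / "Info.plist").open("rb") as fh:
            plist = plistlib.load(fh)  # handles XML and binary plists
    except Exception:
        plist = {}  # missing or malformed Info.plist
    if not isinstance(plist, dict):
        plist = {}
    feed = plist.get("SUFeedURL")
    bundled = (app / "Contents" / "Frameworks" / "Sparkle.framework").exists()
    if feed is None and not bundled:
        return None
    # A bundled framework without SUFeedURL means the feed is set in code.
    status = "unknown" if feed is None else classify_feed(feed)
    return {"app": app.name, "feed": feed, "status": status}


def audit_dir(root):
    """Audit every .app bundle under root, plain-HTTP feeds listed first."""
    results = [r for r in map(audit_app, sorted(Path(root).rglob("*.app"))) if r]
    order = {"http": 0, "unknown": 1, "other": 2, "https": 3}
    return sorted(results, key=lambda r: (order[r["status"]], r["app"]))


if __name__ == "__main__":
    # Default location is the standard macOS applications folder.
    for r in audit_dir(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(f'{r["status"]:8} {r["app"]:30} {r["feed"] or "-"}')
```

Apps listed as `http` are the ones to switch to manual updates on untrusted networks until their developers move the appcast to HTTPS.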