Using an updated version

Time: 2016-02-12 12:27:09

Tags: macos sparkle

tl;dr: What stops us from replacing an old Sparkle.framework with a newer Sparkle.framework?

Sparkle is a framework commonly used in Mac OS X applications to manage updates. A vulnerability to man-in-the-middle attacks was recently reported; and, given the large number of well-known applications that use Sparkle, IT managers around the world have started losing sleep.

Some affected applications (such as VLC) have reportedly already released fixes. However, since Sparkle has been around for a long time, there may be many other applications that are no longer actively developed but are still vulnerable to the same problem. We have already run into one such application.

Since Sparkle.framework is a runtime framework, replacing the old code (in many cases 1.5 or 1.6) in the application bundle with newer (1.13.1) code lets the application run in many cases. So far our light testing has been encouraging (meaning the application launches and checks for updates); but while that encourages the optimists, it is by no means a comprehensive answer.

So, asking the professionals: what are the drawbacks (or obstacles) of replacing an old Sparkle.framework in an application bundle with the latest version? In practice this could mitigate the vulnerability while waiting for all affected applications to be updated.

The answer may vary depending on the version of Sparkle currently in use, and on which version supports which function calls. It also depends on whether any functions have been deprecated in newer versions of Sparkle, which I don't know.

1 answer:

Answer 0 (score: 1)

If you are the developer of an app, absolutely upgrade the framework and push out the updates. From the text that discusses replacing Sparkle "within the application bundle", I'm going to presume you are contemplating fixing several apps that you have installed.

I would say that's not safe at all in general, and it would be a much more effective countermeasure to just set the Sparkle update variable to disable all updates. Since there are major changes in the code base between 1.5 and 1.10 (looking over the release notes, the framework ditched 32-bit, ditched the old Obj-C runtime, ditched garbage collection and made numerous changes to the internal API), it would be highly risky to shove a newer Sparkle into an older app unless you were to test each exhaustively or inspect the use of the framework / decompile the code.

I've been editing the Info.plist file to change the SUFeedURL key to point to https://172.0.0.1/app-name.xml for all the apps that have an http feed that's vulnerable to bad actors in control of compromised networks.

You could also disable automatic checks for those apps as well if you so desired. Here's a quick and dirty one-line check for Sparkle frameworks and non-https feed sources:


    find /Applications ~/Applications /usr -name Sparkle.framework -exec echo {} \; -exec defaults read {}/../../Info.plist SUFeedURL 2>/dev/null \; | grep -vw ^https

You can extend the paths to check for apps outside the three folders I fed into the find command. Also, keep in mind other user home folders if you actually implement this change. Also, for managing several computers, you'll want to push a profile or a better implemented script to parse and disable these apps:
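The following is an added example, not code from the original post or from the Sparkle project. It does with Python's standard plistlib what the answer's find/defaults one-liner does in the shell (locate bundles that embed Sparkle.framework, read SUFeedURL from Contents/Info.plist, flag feeds that are not https) and then applies the answer's two mitigations to each flagged bundle: repoint the feed and set SUEnableAutomaticChecks to false. The bundle tree, bundle names, feed URLs and the loopback override address are constructed here for the demo; the assumption that Sparkle lives at Contents/Frameworks/Sparkle.framework is the conventional embedding location, not something the post states.

```python
"""Audit .app bundles for Sparkle with a plaintext (http) update feed.

Added example, not the original answer's code. Sample tree, names and URLs
below are constructed for the demo.
"""
import os
import plistlib
import tempfile
from urllib.parse import urlsplit

# Assumption: the framework is embedded at the conventional location.
SPARKLE_FRAMEWORK = os.path.join("Contents", "Frameworks", "Sparkle.framework")


def find_sparkle_apps(root):
    """Yield .app bundle paths under root that embed Sparkle.framework."""
    for dirpath, dirnames, _ in os.walk(root):
        if dirpath.endswith(".app"):
            dirnames[:] = []  # do not descend into the bundle itself
            if os.path.isdir(os.path.join(dirpath, SPARKLE_FRAMEWORK)):
                yield dirpath


def audit_app(app_path):
    """Classify one bundle's Sparkle feed from Contents/Info.plist."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as f:
        info = plistlib.load(f)  # handles XML and binary plists
    feed = info.get("SUFeedURL")
    if feed is None:
        verdict = "no-feed"  # a feed set in code or user defaults is invisible here
    elif urlsplit(feed).scheme.lower() != "https":
        verdict = "insecure"  # plain http can be rewritten by an on-path attacker
    else:
        verdict = "ok"
    return {"feed": feed, "verdict": verdict,
            "auto_checks": info.get("SUEnableAutomaticChecks")}


def audit_tree(root):
    """Map bundle name -> audit result for every Sparkle app under root."""
    return {os.path.basename(p): audit_app(p) for p in find_sparkle_apps(root)}


def harden_plist(plist_path, feed_override=None, disable_checks=True):
    """Apply the answer's mitigations to one Info.plist; return the new dict.

    Editing Info.plist breaks the code signature of a signed bundle.
    """
    with open(plist_path, "rb") as f:
        info = plistlib.load(f)
    if disable_checks:
        info["SUEnableAutomaticChecks"] = False
    if feed_override is not None:
        info["SUFeedURL"] = feed_override
    with open(plist_path, "wb") as f:
        plistlib.dump(info, f)
    return info


def build_sample_tree(root):
    """Create a constructed fake /Applications tree (demo data only)."""
    bundles = {
        "LegacyEditor.app": ("http://updates.example.invalid/legacy.xml", True),
        "ModernNotes.app": ("https://updates.example.invalid/notes.xml", True),
        "NoSparkle.app": ("http://updates.example.invalid/other.xml", False),
    }
    for name, (feed, has_sparkle) in bundles.items():
        contents = os.path.join(root, name, "Contents")
        os.makedirs(contents)
        if has_sparkle:
            os.makedirs(os.path.join(root, name, SPARKLE_FRAMEWORK))
        with open(os.path.join(contents, "Info.plist"), "wb") as f:
            plistlib.dump({"CFBundleIdentifier": "example." + name[:-4],
                           "SUFeedURL": feed}, f)


def demo():
    """Build the sample tree, audit it, harden flagged bundles, audit again."""
    root = tempfile.mkdtemp(prefix="sparkle-audit-")
    build_sample_tree(root)
    before = audit_tree(root)
    for name, result in before.items():
        if result["verdict"] == "insecure":
            # Dead-end loopback feed (assumed here, like the answer's address).
            harden_plist(os.path.join(root, name, "Contents", "Info.plist"),
                         feed_override="https://127.0.0.1/%s.xml" % name[:-4])
    return before, audit_tree(root)


if __name__ == "__main__":
    before, after = demo()
    for name in sorted(before):
        print("%-18s %-9s -> %-9s auto_checks=%s" % (
            name, before[name]["verdict"], after[name]["verdict"],
            after[name]["auto_checks"]))
```

Point it at /Applications (and the other user home folders the answer mentions) instead of the constructed tree to audit a real machine. Two caveats a practitioner would want: rewriting Info.plist invalidates the code signature of a signed app, so a managed fleet should get the change as a profile or a re-signed bundle; and a feed URL that the app sets in code or through user defaults does not appear in Info.plist, so a "no-feed" result is not a clean bill of health.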