Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sparkle vulnerability #226

Closed
kevin1 opened this issue Jan 31, 2016 · 6 comments
Closed

Sparkle vulnerability #226

kevin1 opened this issue Jan 31, 2016 · 6 comments
Labels

Comments

@kevin1
Copy link

kevin1 commented Jan 31, 2016

Hi Cody,

gfxCardStatus doesn't load its updates over HTTPS, making it likely affected by the recent Sparkle vulnerability. Specifically, a MITM attacker can execute arbitrary remote code when the SUFeedURL isn’t loaded over HTTPS:

http://gfx.io/appcast.xml

More information about the vulnerability:

https://vulnsec.com/2016/osx-apps-vulnerabilities/
https://www.evilsocket.net/2016/01/30/osx-mass-pwning-using-bettercap-and-the-sparkle-updater-vulnerability/

Thanks! Hope to see it updated soon,
Kevin

@codykrieger
Copy link
Owner

codykrieger commented Jan 31, 2016

Fixed in #225. I'll leave this open until a new version has been released with the fix.

@zachriggle
Copy link

zachriggle commented Nov 12, 2016

All users are still vulnerable to this, since the latest version is still v2.3, released back in 2012.

Would you mind cutting a new release, which either:

  1. Disables Sparkle update entirely
  2. Uses the fix from Switched to HTTPS due to Sparkle Security vulnerability #225

Thanks!

@mgol
Copy link

mgol commented May 23, 2017

This seems to be a big vulnerability which may lead to arbitrary code execution... :/ Could we get a release?

@mgol
Copy link

mgol commented Nov 27, 2017

Ping @codykrieger, could we have a release?

@codykrieger
Copy link
Owner

codykrieger commented Nov 20, 2020

Finally (!) putting out a beta release that fixes this and includes some Big Sur fixes (#336).

@codykrieger
Copy link
Owner

codykrieger commented Nov 20, 2020

Alright—fixed in v2.5b1: https://gfx.io/downloads/gfxCardStatus-2.5b1.zip

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

4 participants