Sparkle vulnerability #226
Comments
Fixed in #225. I'll leave this open until a new version has been released with the fix.
All users are still vulnerable to this, since the latest version is still v2.3, released back in 2012. Would you mind cutting a new release, which either:
Thanks!
This seems to be a big vulnerability which may lead to arbitrary code execution... :/ Could we get a release?
Ping @codykrieger, could we have a release?
Finally (!) putting out a beta release that fixes this and includes some Big Sur fixes (#336).
Alright—fixed in v2.5b1: https://gfx.io/downloads/gfxCardStatus-2.5b1.zip
Hi Cody,
gfxCardStatus doesn't load its updates over HTTPS, making it likely affected by the recent Sparkle vulnerability. Specifically, a MITM attacker can execute arbitrary remote code when the SUFeedURL isn’t loaded over HTTPS:
http://gfx.io/appcast.xml
More information about the vulnerability:
https://vulnsec.com/2016/osx-apps-vulnerabilities/
https://www.evilsocket.net/2016/01/30/osx-mass-pwning-using-bettercap-and-the-sparkle-updater-vulnerability/
Thanks! Hope to see it updated soon,
Kevin
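Added example, not part of this issue or of the gfxCardStatus project: a small Python audit that flags the condition the report describes, an `SUFeedURL` (or an appcast download enclosure) that is not served over HTTPS. The Info.plist and appcast below are constructed sample inputs; the feed URL is the one named in the report.

```python
# Added example (not project code): audit Sparkle update configuration
# for a feed or download not delivered over HTTPS.
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def insecure_url(url):
    """True unless the URL scheme is https (http, missing scheme, ...)."""
    return urlparse(url).scheme.lower() != "https"


def audit_info_plist(plist_bytes):
    """Findings for a bundle's Info.plist (XML or binary plist bytes)."""
    info = plistlib.loads(plist_bytes)
    feed = info.get("SUFeedURL")
    if feed is None:
        return []  # no Sparkle feed key; nothing to check here
    if insecure_url(feed):
        return [f"SUFeedURL not served over HTTPS: {feed}"]
    return []


def audit_appcast(appcast_xml):
    """Findings for an appcast: every <enclosure url> must be https."""
    findings = []
    for enclosure in ET.fromstring(appcast_xml).iter("enclosure"):
        url = enclosure.get("url", "")
        if insecure_url(url):
            findings.append(f"enclosure not served over HTTPS: {url}")
    return findings


# Constructed sample inputs (not taken from a real bundle).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>example.app</string>
  <key>SUFeedURL</key><string>http://gfx.io/appcast.xml</string>
</dict></plist>"""

SAMPLE_APPCAST = b"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
<channel>
<item><enclosure url="http://example.invalid/app-2.4.zip" sparkle:version="2.4"/></item>
<item><enclosure url="https://example.invalid/app-2.5.zip" sparkle:version="2.5"/></item>
</channel></rss>"""

if __name__ == "__main__":
    for f in audit_info_plist(SAMPLE_INFO_PLIST) + audit_appcast(SAMPLE_APPCAST):
        print("FINDING:", f)
```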