Monthly Archives: February 2016

news: DetectX v2.18 released

We’ve had a bit of a mad day here at Sqwarq and Applehelpwriter, releasing three updates within a few hours of each other for DetectX.

It all started with 2.16, which introduced some changes to the licensing and user interface. All well and good, until we noticed a serious security issue with Microsoft Silverlight had recently surfaced, and we didn’t want to wait to address it.

That resulted in 2.17, which added a Silverlight check to the detector Search function. If you have a version of MS Silverlight that is not the currently patched version, you’ll see a warning in the log drawer when you run a search. In 2.17 we also fixed a false positive in the Keylogger detector and updated some search definitions.

Alas, we’d inadvertantly let a bug slip in with v2.16 that prevented DetectX from quitting in certain situations. Luckily that report came in pretty quick (many thanks to Al), and we were able to address the bug with a simple code tweak (if you got bit by that bug, please open and then close the Licensing window before attempting to update to v2.18).

So, here we are at version 2.18 … we’re a bit breathless, so it’s time for a sit-down and a nice cup of tea!

Enjoy 🙂

Advertisements

news: DetectX v2.15 released

Screen Shot 2016-02-23 at 17.18.40

An update to DetectX is now available that makes some under-the-hood improvements and updates the user guide. The release notes are here.

news: DetectX v2.14 released

Screen Shot 2016-02-14 at 23.03.29

Yes, two in two days! We’ve added a Preference Pane since yesterday, and improved the performance of the search function. Note that the new Sparkle Vulnerability check we introduced in v2.13 is now off by default. It can be turned on from the Preference Pane (see above).

Other changes are listed in the release notes.

DetectX is still free, fully-functional, and without time-limit for home users. Available for download from here.

🙂

 

news: App Fixer v1.4 released

 

Screen Shot 2016-02-13 at 15.27.07

We’ve just released an incremental update to App Fixer. The app is free for home users and available from here.

🙂

news: FastTasks v2.7 released

FastTasks 2

An update to FastTasks 2 has just been released. The app is free for home use and available from here. The release notes are here.

 

🙂

news: DetectX 2.13 released

We just released an update to DetectX, available for free download from here. The release notes are here.

how to: check for Sparkle vulnerability

Screen Shot 2016-02-12 at 15.32.18

[updated Mon 15th:]

Here’s what we know about the widely-reported vulnerability found in Sparkle so far:

1. It requires a version of Sparkle earlier than 1.13
AND
2.1 It requires the SUFeedURL address to be an unencrypted http address AND/OR
2.2 the release notes address to be an unencrypted http address.

Condition 1 and one (or more) of conditions 2 need to be true to make the exploit possible. You can check to see if condition 2.1 is true for many apps on your system with the following procedure:

1. Control-click on the app in the Finder
2. Choose ‘Show Package Contents’
3. Navigate to /Contents/Info.plist
4. Hit the space bar to open in quick look, scroll down for the SUFeedURL field (it won’t have one if it doesn’t use Sparkle). The field will show you whether the address is https or not.

To make life easier, you can run this script in the AppleScript Editor (/Applications/Utilites/Script Editor.app) to do the job for you.


#script version 1.64
#regression to 1.52 and then
#added: now includes apps that do not have SUFeedURL key in plist and reports their Sparkle version number
#added: borrowed Bill Cheeseman's idea of using choose list and offering to launch the app
#added: borrowed reverse_offset handler from Nigel Garvey's post on MacScripter
#changed: test if Sparkle is < 1.13.1 first
#shows the Sparkle version number for each entry in the list
#added logic for opening prefPanes if chosen from the list
#changed the mdfind command to improve speed
#searches for keys of the form "SUFeedURL*" rather than just "SUFeedURL"



on extractSUFeedURL(aRecord)

set aRec to "httpx"
try
set aRec to item 1 of aRecord
on error errorMessage
set aRec to errorMessage
set aRec to my parseErrorMsg(aRec)
end try

return aRec

end extractSUFeedURL

on parseErrorMsg(aErr)

set what to "SUFeedURL" --define the full or partial record name you're trying to find
if aErr contains what then
set theStart to offset of what in aErr
set thisString to text theStart thru -1 of aErr
set theEnd to offset of "," in thisString
set subString to text 1 thru theEnd of thisString
--log subString --see the record name and its value in Script Editor's Messages pane
return subString
end if
end parseErrorMsg

on reverse_offset(d, t)
set astid to AppleScript's text item delimiters
set AppleScript's text item delimiters to d
set ro to (count t) - (count text item -1 of t)
set AppleScript's text item delimiters to astid
return ro
end reverse_offset

set foundCounter to 0
set infoFilePath to "/Contents/info.plist"

set theApps to do shell script "mdfind \"kMDItemFSName == '*.prefPane'cd || kMDItemFSName == '*.app'cd'\""
set theApps to paragraphs of theApps
set sparkleAppsList to {}

tell application "System Events"
repeat with anApp in theApps
set anApp to anApp as text
set aFrameWork to anApp & "/Contents/Frameworks/Sparkle.framework"

if exists disk item aFrameWork then
try
--get Sparkle Version first
set aSparklePlist to aFrameWork & "/Versions/A/Resources/Info.plist"
set thePlist to contents of property list file aSparklePlist
set theValue to value of thePlist
try
set sparkleVersion to CFBundleShortVersionString of theValue as text
on error
set sparkleVersion to CFBundleVersion of theValue as text
end try
end try
-- compare version num
considering numeric strings
set vulnerable to sparkleVersion < "1.13.1"
end considering
if vulnerable then
--get SUFeedURL if it exists
set thePlist to contents of property list file (anApp & infoFilePath)
set theValue to value of thePlist

try
set thisSUFeedURL to my extractSUFeedURL(theValue)
if length of thisSUFeedURL = 0 then

set thisSUFeedURL to "httpx"
end if
on error
set thisSUFeedURL to "httpx"
end try

if thisSUFeedURL contains "http:" then
set end of sparkleAppsList to anApp & " : uses insecure update URL (not https) " & "with Sparkle v" & sparkleVersion
set foundCounter to foundCounter + 1
else if thisSUFeedURL contains "httpx" then

set end of sparkleAppsList to anApp & " : update URL unknown (http/https??); uses Sparkle v" & sparkleVersion & linefeed & linefeed
set foundCounter to foundCounter + 1

end if

end if
end if
end repeat
end tell

set thePrompt to "Found " & foundCounter & " items that may be using a vulnerable form of the Sparkle framework: " & linefeed & linefeed

choose from list sparkleAppsList with title "Sparkle Vulnerability Check" with prompt thePrompt OK button name "Launch"

if result is not false then
set appPath to item 1 of result
get offset of " :" in appPath
set appPath to text 1 thru (result - 1) of appPath
set ro to reverse_offset("/", appPath)
set appPath to text (ro + 1) thru -1 of appPath
if appPath contains "prefPane" then
set paneOffset to offset of "." in appPath
set paneName to text 1 thru (paneOffset - 1) of appPath
log paneName
tell application "System Preferences"
activate
try
reveal (first pane whose name is paneName)
end try
end tell
else
tell me to launch application appPath
end if
end if

#EOF

However, be aware that this script will not find certain plug-ins (e.g., Mail plug-ins that use Sparkle).

If the app runs on 10.6, it’s not possible for Sparkle to be updated to the latest secure version, 1.13.1, so you need to check with the developers that they’re using https addresses for both the appcast feed and the release notes html.

Rest assured that Sqwarq apps that use Sparkle (App Fixer, DetectX, FastTasks 2, and OSXClock) all use encrypted https update feeds and release notes addresses, so as far as we’re aware at the moment, none of our apps are vulnerable to the exploit regardless of what version of Sparkle they’re using.

As said above, we’ll update this post if things change as the story unfolds.

Credits: Thanks to Yvan for significantly improving my earlier drafts of the AppleScript and writing the code for retrieving the Sparkle bundle number. Thanks to Chris Stone for tweaking and eeking a bit more speed out of the mdfind command. Thanks to Al for pointing out that in earlier versions of the script the Display Dialog message could get truncated.

%d bloggers like this: