Archive for February 2, 2016

Tuesday, February 2, 2016

Seven Swift Snares

David Ungar (comments):

But with value types, there’s no override keyword to help the compiler find my mistakes. This omission seems out of place in a language otherwise designed to include enough redundancy to help find one’s errors.


All that can be known at compile-time is that pie is a Pizza, and the Pizza protocol extension says Wheat, so the declaration of a cornmeal crust in the CornmealPizza structure had no effect whatsoever when asking pie for something. Although the compiler could have warned about the potential for error from this use of static- instead of dynamic-dispatch, it did not. I believe that here lurks a trap for the unwary, and I would call this a major snare.


Presenting Swift with both a declaration and a definition in this fashion causes the compiler to take notice of the runtime value of the pie variable.


However, without editing the source code in the framework, we cannot fix this problem. Hence, it is impossible to safely extend a protocol declared in another framework (without gambling that it will never need dynamic-dispatch.)


As shown in a previous section, a declaration in a protocol was sufficient to induce dynamic dispatch for a defined of the corresponding attribute in the protocol extension. But a definition in a restricted extension is always statically-dispatched.


Avoid assigning the result of an expression with side-effects to left-hand-side with optional chaining.


In-out parameters do not work when passed into the outer scope of a closure

Joe Groff:

These are all things we hope to remove or provide diagnostics for in 3.0, at least.

Sam Griffith:

Swift for all its newness is going down a path much like C++ did as far as complexity. That is worrisome.


Swift’s init rules are confusing. I’ve never once got anything non-trivial right first time

Marcel Weiher (tweet, first linked in 2014):

Apple’s new Swift language has taken a page from the C++ and Java playbooks and made initialization a special case. Well, lots of special cases actually. The Swift book has 30 pages on initialization, and they aren’t just illustration and explanation, they are dense with rules and special cases.

Joe Groff:

The initializer model does need reconsideration, though. Current model doesn’t fit our ABI resilience goals.

A little up-front complexity for initializers greatly simplifies the state space for everything else.

Sparkle Updater Vulnerability


Let’s sum up everything to that point:

  • AppCast process is using HTTP that could be intercepted and modified on the fly
  • We can insert our HTML and JavaScript code into a WebView component to display it to the user
  • We control the transmission after doing the MITM attack


The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response).

He uses JavaScript and the fact that the Finder is the default FTP handler to mount a .terminal file at a known location. JavaScript then opens the .terminal file via a “file://” URL, executing arbitrary code. I was surprised that this second part is possible. This seems like more of a WebKit vulnerability.


This attack works on stock Mac OS X install, and GateKeeper enabled with both options “Mac App Store and identified developers” or “Mac App Store” (the strictest one).

Simone Margaritelli (via Greg Slepak):

I’m not going to explain the details of his attack, his post is quite self explanatory, but I’ll show you how easy it is to mass pwn OSX machines on your network using the new OSX Sparkle bettercap proxy module.

Moreover, I improved the attack ... Radek shown how to get RCE using an OSX terminal profile file, I will show you how to make the target execute any Mach-O executable you want!

My apps use HTTPS for software update checks, using my own code rather than Sparkle, and JavaScript is disabled.

Update (2016-02-02): Rosyna Keller:

That is, Sparkle was explicitly opening every file using LaunchServices by overriding the default WebView handler.

Update (2016-02-10): Dan Goodin:

Fellow researcher Simone Margaritelli has developed a technique that streamlines the attack by allowing it to work with the Metasploit exploit framework. He showed how he could exploit the vulnerability on a fully patched Mac running the latest version of the VLC Media Player. VLC developers released an update three days ago that patches the vulnerability so that the attack no longer works against the latest version.


The precise number of apps affected isn’t known because it’s not easy to detect all the conditions necessary for them to be vulnerable. Radek estimated the number to be "huge" and said he has confirmed that the list includes Camtasia 2 v2.10.4, DuetDisplay v1.5.2.4, uTorrent v1.8.7, and Sketch v3.5.1. Computer forensics expert Jonathan Zdziarski told Ars that the Hopper reverse engineering tool and DXO Optics Pro are also susceptible. A longer list of apps that rely on Sparkle is here, but readers are cautioned that not all of them communicate over insecure HTTP channels or use a vulnerable version of the update framework. Margaritelli said the most recent version of the Adium instant messenger uses HTTPS for updates and isn’t vulnerable.

Juli Clover:

Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework.

Update (2016-02-16): Josh Centers:

If you are still worried, how do you figure out which apps are vulnerable? People have offered all sorts of Terminal commands to suss out vulnerable apps, but the best one I’ve found comes from RussW, a commenter on Mac Kung Fu. His solution checks to see if the app uses both Sparkle and an insecure HTTP connection, and then it prints out a list of those apps in a fairly readable format.

Unfortunately, there are smart quotes in RussW’s text that partially break the command (thanks to reader Joe for pointing that out), so I’ve created a Pastebin link with the properly formatted command. Follow that link, copy the command under RAW Paste Data, paste the command in the Terminal window, and press Return. Terminal will list the vulnerable apps in your Applications folder.

The Futility of Pleasing All Users

Khoi Vinh:

This is a fine idea, but when I upgraded, I was surprised to find that the new “All Vaults” view is the default view. Even when I selected a specific vault as my preferred view, the next time I launch 1Password from my browser it would revert to the “All Vaults” view. I found this very irritating. This change struck me as wrongheaded—it flies right in the face of how I use vaults, as I prefer to keep each group of passwords segregated from the others.

That was my reaction as well.

Make Money Outside the Mac App Store

Christian Tietze (via Matt Gemmell):

Sell outside the Mac App Store to increase revenue per sale and get to know your customers. This book shows you how. Fully functional, super-clean coded sample apps, everything ready to be copied right into your project, backed by more than 200 unit tests in total!


Save days of research and start selling your app before an Apple review person would even notice your upload to the App Store.

15 Years of VLC and VideoLAN

Jean-Baptiste Kempf (comments):

Since then, only on VLC, we've had around,

  • 700 contributors,
  • 70000 commits,
  • at least 2 billion downloads,
  • hundreds of millions users!

And all that, mostly with volunteers and without turning into a business!


A little know fact about the VideoLAN project is that it was started so that the student organization could justify the need to replace the old networking infrastructure of the campus with a brand new high-bandwidth fiber optics network. They really wanted to deploy a fiber optic network but the school would have never approved it so they thought “OK, we need something that uses a ton of bandwidth, let’s make a video streaming app”.

They proceeded to start the VideoLAN project, with the VideoLAN Client (VLC) and VideoLAN server, and streamed movies and public television channels to the whole campus.

It remains frustrating to me that VLC can play (just about) everything but only in its own app, while QuickTime works in every app but doesn’t support many popular formats. For a while, QuickTime plug-ins seemed to be the solution, but Apple doesn’t want to support them anymore.

Previously: Perian to Cease Development.