{"id":4051,"date":"2016-03-07T10:59:02","date_gmt":"2016-03-07T15:59:02","guid":{"rendered":"http:\/\/rud.is\/b\/?p=4051"},"modified":"2018-03-07T16:42:46","modified_gmt":"2018-03-07T21:42:46","slug":"os-x-xquartz-vulnerability-test-using-r","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/","title":{"rendered":"OS X XQuartz Vulnerability Test Using R"},"content":{"rendered":"

It’s usually a good thing when my #rstats<\/a> and infosec worlds collide. Unfortunately, this time it’s a script that R folk running on OS X can use to see if they are using a version of XQuartz that has a nasty vulnerability in the framework it uses to auto-update. If this test comes back with the warning, try to refrain from using XQuartz on insecure networks until the developers fix the issue.<\/p>\n

**UPDATE**<\/p>\n

Thanks to a gist prodding by @bearloga, here’s a script to scan all your applications for the vulnerability:<\/p>\n

library(purrr)\r\nlibrary(dplyr)\r\nlibrary(XML)\r\n\r\nread_plist <- safely(readKeyValueDB)\r\nsafe_compare <- safely(compareVersion)\r\n\r\napps <- list.dirs(c(\"\/Applications\", \"\/Applications\/Utilities\"), recursive=FALSE)\r\n\r\n# if you have something further than this far down that's bad you're on your own\r\n\r\nfor (i in 1:4) {\r\n  moar_dirs <- grep(\"app$\", apps, value=TRUE, invert=TRUE)\r\n  if (length(moar_dirs) > 0) { apps <- c(apps, list.dirs(moar_dirs, recursive=FALSE)) }\r\n}\r\napps <- unique(grep(\"app$\", apps, value=TRUE))\r\n\r\npb <- txtProgressBar(0, length(apps), style=3)\r\n\r\nsuppressWarnings(map_df(1:length(apps), function(i) {\r\n  \r\n  x <- apps[i]\r\n  \r\n  setTxtProgressBar(pb, i)\r\n  \r\n  is_vuln <- FALSE\r\n  version <- \"\"\r\n  \r\n  app_name <- sub(\"\\\\.app$\", \"\", basename(x))\r\n  app_loc <- sub(\"^\/\", \"\", dirname(x))\r\n  \r\n  to_look <- c(sprintf(\"%s\/Contents\/Frameworks\/Autoupdate.app\/Contents\/Info.plist\", x),\r\n               sprintf(\"%s\/Contents\/Frameworks\/Sparkle.framework\/Versions\/A\/Resources\/Info.plist\", x),\r\n               sprintf(\"%s\/Contents\/Frameworks\/Sparkle.framework\/Versions\/A\/Resources\/Autoupdate.app\/Contents\/Info.plist\", x))\r\n  \r\n  is_there <- map_lgl(c(sprintf(\"%s\/Contents\/Frameworks\/Sparkle.framework\/\", x), to_look), file.exists)\r\n  \r\n  has_sparkle <- any(is_there)\r\n  \r\n  to_look <- to_look[which(is_there[-1])]\r\n  \r\n  discard(map_chr(to_look, function(x) {\r\n    read_plist(x)$result$CFBundleShortVersionString %||% NA\r\n  }), is.na) -> vs\r\n  \r\n  if (any(map_dbl(vs, function(v) { safe_compare(v, \"1.16.1\")$result %||% -1 }) < 0)) {\r\n    is_vuln <- TRUE\r\n    version <- vs[1]\r\n  }\r\n  \r\n  data_frame(app_loc, app_name, has_sparkle, is_vuln, version)\r\n  \r\n})) -> app_scan_results\r\n\r\nclose(pb)\r\n\r\nselect(arrange(filter(app_scan_results, has_sparkle), app_loc, app_name), -has_sparkle)<\/pre>\n","protected":false},"excerpt":{"rendered":"
It’s usually a good thing when my #rstats and infosec worlds collide. Unfortunately, this time it’s a script that R folk running on OS X can use to see if they are using a version of XQuartz that has a nasty vulnerability in the framework it uses to auto-update. If this test comes back with […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[664,3,12,91],"tags":[810],"class_list":["post-4051","post","type-post","status-publish","format-standard","hentry","category-appsec","category-information-security","category-os-x","category-r","tag-post"],"yoast_head":"\nOS X XQuartz Vulnerability Test Using R - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OS X XQuartz Vulnerability Test Using R - rud.is\" \/>\n<meta property=\"og:description\" content=\"It’s usually a good thing when my #rstats and infosec worlds collide. Unfortunately, this time it’s a script that R folk running on OS X can use to see if they are using a version of XQuartz that has a nasty vulnerability in the framework it uses to auto-update. If this test comes back with […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2016-03-07T15:59:02+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-03-07T21:42:46+00:00\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"OS X XQuartz Vulnerability Test Using R\",\"datePublished\":\"2016-03-07T15:59:02+00:00\",\"dateModified\":\"2018-03-07T21:42:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/\"},\"wordCount\":101,\"commentCount\":4,\"publisher\":{\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"keywords\":[\"post\"],\"articleSection\":[\"AppSec\",\"Information Security\",\"OS X\",\"R\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/\",\"url\":\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/\",\"name\":\"OS X XQuartz Vulnerability Test Using R - rud.is\",\"isPartOf\":{\"@id\":\"https:\/\/rud.is\/b\/#website\"},\"datePublished\":\"2016-03-07T15:59:02+00:00\",\"dateModified\":\"2018-03-07T21:42:46+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/rud.is\/b\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"OS X XQuartz Vulnerability Test Using R\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/rud.is\/b\/#website\",\"url\":\"https:\/\/rud.is\/b\/\",\"name\":\"rud.is\",\"description\":\""In God we trust. All others must bring data"\",\"publisher\":{\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/rud.is\/b\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\/\/rud.is\"],\"url\":\"https:\/\/rud.is\/b\/author\/hrbrmstr\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"OS X XQuartz Vulnerability Test Using R - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/","og_locale":"en_US","og_type":"article","og_title":"OS X XQuartz Vulnerability Test Using R - rud.is","og_description":"It’s usually a good thing when my #rstats and infosec worlds collide. Unfortunately, this time it’s a script that R folk running on OS X can use to see if they are using a version of XQuartz that has a nasty vulnerability in the framework it uses to auto-update. If this test comes back with […]","og_url":"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/","og_site_name":"rud.is","article_published_time":"2016-03-07T15:59:02+00:00","article_modified_time":"2018-03-07T21:42:46+00:00","author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"OS X XQuartz Vulnerability Test Using R","datePublished":"2016-03-07T15:59:02+00:00","dateModified":"2018-03-07T21:42:46+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/"},"wordCount":101,"commentCount":4,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"keywords":["post"],"articleSection":["AppSec","Information Security","OS X","R"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/","url":"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/","name":"OS X XQuartz Vulnerability Test Using R - rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"datePublished":"2016-03-07T15:59:02+00:00","dateModified":"2018-03-07T21:42:46+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2016\/03\/07\/os-x-xquartz-vulnerability-test-using-r\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"OS X XQuartz Vulnerability Test Using R"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":""In God we trust. All others must bring data"","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-13l","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":3709,"url":"https:\/\/rud.is\/b\/2015\/10\/20\/installing-r-on-os-x\/","url_meta":{"origin":4051,"position":0},"title":"Installing R on OS X","author":"hrbrmstr","date":"2015-10-20","format":false,"excerpt":"NOTE: The comments are a must read for this. Some excellent additional advice and \"gotchas\" by some super-helpful readers. I was in a conversation with an academic colleague (wicked smart dude) and the subject of installing R came up (NOTE: this will happen to you, too, if you ever have\u2026","rel":"","context":"In "OS X"","block_context":{"text":"OS X","link":"https:\/\/rud.is\/b\/category\/os-x\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3732,"url":"https:\/\/rud.is\/b\/2015\/10\/22\/installing-r-on-os-x-100-homebrew-edition\/","url_meta":{"origin":4051,"position":1},"title":"Installing R on OS X – “100% Homebrew Edition”","author":"hrbrmstr","date":"2015-10-22","format":false,"excerpt":"In a previous post I provided \"mouse-heavy\" instructions for getting R running on your Mac. A few of the comments suggested that an \"all Homebrew\" solution may be preferable for some folks. Now, there are issues with this since getting \"support\" for what may be R issues will be very\u2026","rel":"","context":"In "OS X"","block_context":{"text":"OS X","link":"https:\/\/rud.is\/b\/category\/os-x\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":886,"url":"https:\/\/rud.is\/b\/2012\/03\/26\/getting-homebrew-working-in-mountain-lion-developer-preview-2-with-xcode-4-4-developer-preview-2\/","url_meta":{"origin":4051,"position":2},"title":"Getting Homebrew Working in Mountain Lion Developer Preview 2 with Xcode 4.4 Developer Preview 2","author":"hrbrmstr","date":"2012-03-26","format":false,"excerpt":"Work & home chaos has me a bit behind in the \"ThinkStats\u2026in R\" posts, but I \"needed\" to get some of the homebrew kit working in Mountain Lion Developer Preview 2 (to run some network discovery tools while waiting for #4's surgery to be done at the hospital). Keying off\u2026","rel":"","context":"In "homebrew"","block_context":{"text":"homebrew","link":"https:\/\/rud.is\/b\/category\/homebrew\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6215,"url":"https:\/\/rud.is\/b\/2017\/09\/04\/readability-redux\/","url_meta":{"origin":4051,"position":3},"title":"Readability Redux","author":"hrbrmstr","date":"2017-09-04","format":false,"excerpt":"I recently posted about using a Python module to convert HTML to usable text. Since then, a new package has hit CRAN dubbed htm2txt that is 100% R and uses regular expressions to strip tags from text. I gave it a spin so folks could compare some basic output, but\u2026","rel":"","context":"In "data wrangling"","block_context":{"text":"data wrangling","link":"https:\/\/rud.is\/b\/category\/data-wrangling\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8230,"url":"https:\/\/rud.is\/b\/2018\/02\/16\/pym-js-library-vulnerability-in-widgetframe-package\/","url_meta":{"origin":4051,"position":4},"title":"Pym.js Library Vulnerability in widgetframe Package","author":"hrbrmstr","date":"2018-02-16","format":false,"excerpt":"What's Up? The NPR Visuals Team created and maintains a javascript library that makes it super easy to embed iframes on web pages and have said documents still be responsive. The widgetframe R htmlwidget uses pym.js to bring this (much needed) functionality into widgets and (eventually) shiny apps. NPR reported\u2026","rel":"","context":"In "Cybersecurity"","block_context":{"text":"Cybersecurity","link":"https:\/\/rud.is\/b\/category\/cybersecurity\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3796,"url":"https:\/\/rud.is\/b\/2015\/11\/21\/an-os-x-r-task-runner-for-and-a-mini-r-centric-review-of-microsofts-visual-studio-code-editor\/","url_meta":{"origin":4051,"position":5},"title":"An OS X R Task Runner for\u2014and a Mini-R-centric review of\u2014Microsoft’s Visual Studio Code Editor","author":"hrbrmstr","date":"2015-11-21","format":false,"excerpt":"Microsoft's newfound desire to make themselves desirable to the hipster development community has caused them to make many things [open](https:\/\/github.com\/Microsoft\/) and\/or free of late. One of these manifestations is [Visual Studio Code](https:\/\/code.visualstudio.com\/), an [Atom](https:\/\/atom.io\/)-ish editor for us code jockeys. I have friends at Microsoft and the Revolution R folks are\u2026","rel":"","context":"In "Development"","block_context":{"text":"Development","link":"https:\/\/rud.is\/b\/category\/development\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/4051","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=4051"}],"version-history":[{"count":0,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/4051\/revisions"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=4051"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=4051"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=4051"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}