
Sparkle Updater vulnerability puts ‘huge’ number of Mac apps at risk of hijacking


A new vulnerability in Sparkle has put a “huge” number of Mac applications at risk of hijacking. For those unfamiliar, Sparkle is a framework often used by third-party apps distributed outside the App Store to deliver updates to users. Apps susceptible to this hijacking hack include Camtasia, uTorrent, DuetDisplay, and Sketch. The attack applies to both OS X Yosemite and El Capitan (via Ars Technica).

The Sparkle vulnerability could allow an attacker to take control of another computer on the network via a Man In The Middle attack, security researcher Radek points out on his blog. In a Man In The Middle attack, a third party intercepts traffic between a user and a server and can then capture and modify that traffic in transit.

Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker to take control of another computer on the same network (via MITM).

The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response).

Essentially, the vulnerability exists because the Sparkle Updater framework connects over HTTP rather than HTTPS. It’s important to note, however, that Sparkle has already updated its framework to close the vulnerability, but it is up to the developers whose apps implement the Sparkle Updater framework to ship updates containing the newest version of the framework. Many app developers are doing this as we speak, including popular media playback software VLC, which was updated earlier this week to implement the newest Sparkle Updater framework.
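For readers who want to check their own machine, the following is an added example, not code from this article, the researcher or the Sparkle project: it reads each app bundle's Info.plist and flags those whose Sparkle feed URL, stored under the `SUFeedURL` key, is not HTTPS. The bundle names and example.com URLs are constructed for the demo, and apps that set their feed URL in code rather than in Info.plist are not covered.

```python
import plistlib
import tempfile
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import urlparse


def audit_app(app: Path) -> Optional[Tuple[str, str]]:
    """Return (verdict, feed URL) for one .app bundle, or None if no feed is declared."""
    try:
        with (app / "Contents" / "Info.plist").open("rb") as fh:
            info = plistlib.load(fh)
    except Exception:
        return None  # missing or malformed Info.plist: nothing to report
    feed = info.get("SUFeedURL") if isinstance(info, dict) else None
    if not isinstance(feed, str):
        return None
    # Only an https feed is protected in transit; everything else is flagged.
    scheme = urlparse(feed.strip()).scheme.lower()
    return ("https" if scheme == "https" else "insecure", feed)


def scan(apps_dir: Path) -> dict:
    """Map bundle name -> (verdict, feed URL) for every app that declares a feed."""
    results = {app.name: audit_app(app) for app in sorted(apps_dir.glob("*.app"))}
    return {name: r for name, r in results.items() if r is not None}


def demo() -> dict:
    """Build three constructed bundles in a temp dir and scan them."""
    samples = {
        "PlainFeed": {"SUFeedURL": "http://updates.example.com/appcast.xml"},
        "TlsFeed": {"SUFeedURL": "https://updates.example.com/appcast.xml"},
        "NoSparkle": {"CFBundleName": "NoSparkle"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, info in samples.items():
            contents = Path(tmp, f"{name}.app", "Contents")
            contents.mkdir(parents=True)
            with (contents / "Info.plist").open("wb") as fh:
                plistlib.dump(info, fh)
        return scan(Path(tmp))


if __name__ == "__main__":
    for name, (verdict, feed) in demo().items():
        print(f"{verdict:8} {name}: {feed}")
```

On a Mac, calling `scan(Path("/Applications"))` runs the same check over installed apps; an "insecure" result means the app should be updated or its developer contacted.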

It’s important to note that the updater mechanism used within OS X does not use the Sparkle Updater, so it is not susceptible to this Man In The Middle attack. Issues like this vulnerability certainly make a compelling argument for developers to move more towards the Mac App Store, but both growth and use of it have been relatively stagnant.

There’s much more in Radek’s full breakdown of the Sparkle Updater vulnerability on his blog.

Image via EvilSocket


Comments

  1. pointum - 8 years ago

    It should read “the vulnerability exists IF” instead of “the vulnerability exists because”. It’s up to the developer to use an HTTPS URL to fetch the updates. Apps that already do that are not vulnerable, unless a developer server is hacked.

  2. crichton007 - 8 years ago

    To be fair, if I saw there was an update for Skitch on my Mac that would definitely be suspicious.

  3. Rich Davis (@RichDavis9) - 8 years ago

    Letter to app developers. Get your apps on the App Store.

    • srgmac - 8 years ago

      Not everyone is capable of doing this (obviously…) for many reasons.

  4. standardpull - 8 years ago

    Ah, here’s a tip: organizations that transfer executable code over an unverified channel are committing a form of malpractice. Shame on them.

  5. srgmac - 8 years ago

    Thanks for this — updating VLC now.

  6. Martha Conolly - 8 years ago

    There were many ways of avoiding this situation, like using an HTTPS connection. Just found some tips for developers on how to secure apps, should be useful: http://bit.ly/sparkle-vulnerability-solution

  7. Robert Risdon - 8 years ago

    Hi there!

    TechSmith, the developers of Camtasia for Mac and Snagit for Mac, two of the many applications that had been affected by the Sparkle MITM vulnerability, released an update on Tuesday, March 8th to both Camtasia and Snagit that addresses this vulnerability. For those that are running Camtasia or Snagit, to receive the update simply open the application, go to the Snagit or Camtasia menu and choose “Check for Updates”, and it will begin the update process.

    Robert R.
    Technical Support Specialist
    TechSmith Corporation

Author

Chance Miller

Chance is an editor for the entire 9to5 network and covers the latest Apple news for 9to5Mac.
