A new vulnerability in Sparkle has put a “huge” number of Mac applications at risk of hijacking. For those unfamiliar, Sparkle is a framework often used by third-party apps that are not in the App Store to deliver updates to users. Apps susceptible to this hijacking include Camtasia, uTorrent, DuetDisplay, and Sketch. The attack applies to both OS X Yosemite and El Capitan (via Ars Technica).
The Sparkle vulnerability could allow an attacker to take control of another computer on the network via a Man In The Middle attack, security researcher Radek points out on his blog. A Man In The Middle attack works when a third party intercepts traffic between a user and a server, then captures and modifies that traffic before it reaches the user.
Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker to take control of another computer on the same network (via MITM).
Essentially, the vulnerability exists because the Sparkle Updater framework fetches updates over plain HTTP rather than HTTPS, so the update traffic can be intercepted and modified in transit. It’s important to note, however, that Sparkle has already updated its framework to close the vulnerability, but it is up to the apps that implement the Sparkle Updater framework to ship a new build with the latest version of the framework. Many app developers are doing this as we speak, including the popular media player VLC, which was updated earlier this week to use the newest Sparkle Updater framework.
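To find out which installed apps still point Sparkle at an HTTP feed, here is an added audit script; it is not from the article or the Sparkle project. It assumes Sparkle's conventions of reading the feed URL from the SUFeedURL key in an app's Info.plist and shipping as Contents/Frameworks/Sparkle.framework inside the bundle; the sample bundles below are constructed, not real apps' plists.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlparse

# Sparkle reads its update feed ("appcast") URL from the SUFeedURL key in the
# app bundle's Info.plist (Sparkle convention, assumed here). A feed fetched
# over plain HTTP is exactly what a man-in-the-middle on the network can
# tamper with; an https:// feed is not exposed to that.
def audit_feed_url(info_plist: bytes) -> dict:
    """Classify one app's Sparkle feed URL from raw Info.plist bytes."""
    info = plistlib.loads(info_plist)
    feed = info.get("SUFeedURL")
    if feed is None:
        return {"uses_sparkle_feed": False, "insecure": False, "feed": None}
    scheme = urlparse(feed).scheme.lower()
    # Anything other than https (http, or a missing scheme) is flagged.
    return {"uses_sparkle_feed": True, "insecure": scheme != "https", "feed": feed}

def audit_apps(bundles: dict) -> list:
    """bundles maps app name -> Info.plist bytes; returns names with non-HTTPS feeds."""
    return sorted(name for name, data in bundles.items()
                  if audit_feed_url(data)["insecure"])

def scan_applications(root: str = "/Applications") -> list:
    """Walk real .app bundles that embed Sparkle.framework (assumed path) and
    report those whose feed is not HTTPS. Returns [] on systems without apps."""
    bundles = {}
    for app in Path(root).glob("*.app"):
        if (app / "Contents" / "Frameworks" / "Sparkle.framework").exists():
            plist = app / "Contents" / "Info.plist"
            if plist.is_file():
                bundles[app.name] = plist.read_bytes()
    return audit_apps(bundles)

# Constructed sample bundles: one HTTP feed, one HTTPS feed, one without Sparkle.
SAMPLE_BUNDLES = {
    "ExampleApp.app": plistlib.dumps({"CFBundleIdentifier": "com.example.app",
                                      "SUFeedURL": "http://updates.example.com/appcast.xml"}),
    "SecureApp.app": plistlib.dumps({"CFBundleIdentifier": "com.example.secure",
                                     "SUFeedURL": "https://updates.example.com/appcast.xml"}),
    "StoreApp.app": plistlib.dumps({"CFBundleIdentifier": "com.example.store"}),
}

if __name__ == "__main__":
    print("Constructed sample, non-HTTPS feeds:", audit_apps(SAMPLE_BUNDLES))
    print("Installed apps with non-HTTPS feeds:", scan_applications())
```

Run on a Mac, the second line lists installed Sparkle-based apps whose developers have not yet moved their feed to HTTPS.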
It’s important to note that the updater mechanism used within OS X itself does not use the Sparkle Updater, so it is not susceptible to this Man In The Middle attack. Issues like this vulnerability certainly make a compelling argument for developers to move toward the Mac App Store, but both its growth and its use have been relatively stagnant.
There’s much more in Radek’s full breakdown of the Sparkle Updater vulnerability on his blog.
Image via EvilSocket