'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.
Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.
Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.
A "huge" number of apps are said to be at risk, but as
Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have
compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.
Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.
Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
Popular Stories
Bloomberg's Mark Gurman expects Apple to release new AirPods Pro this year, and he said the earbuds will have a key new feature: heart rate monitoring.
From his Power On newsletter today, with emphasis added:As for Apple's other devices, there's a lot in the fall pipeline — though many of the new products are only incremental upgrades.
There will be Apple Watch updates, faster Vision...
Apple's iPhone 17 Pro and iPhone 17 Pro Max should be unveiled in a few more weeks, and there are plenty of rumors about the devices.
In his Power On newsletter today, Bloomberg's Mark Gurman corroborated a rumor that iPhone 17 Pro models will be "available in an orange color."
Below, we recap key changes rumored for the iPhone 17 Pro models:
Aluminum frame: iPhone 17 Pro models are...
Apple has "considered" releasing a bumper case for the upcoming iPhone 17 Air, according to Bloomberg's Mark Gurman.
Similar to the bumper case that Apple introduced for the iPhone 4 in 2010, Gurman said the iPhone 17 Air version of the case would cover the edges of the device, but not the back of it. Those bumper cases were made of rubber.
Given that the iPhone 17 Air is expected to have ...
Apple will offer the upcoming iPhone 17 Pro and iPhone 17 Pro Max in a new orange color, according to Bloomberg's Mark Gurman.
Gurman made the claim in the latest edition of his Power On newsletter, adding that the new iPhone 17 Air – replacing the iPhone 16 Plus – will come in a new light blue color.
We've heard multiple rumors about a new iPhone 17 Pro color being a shade of orange. The ...
We're only weeks away from Apple's annual iPhone event – rumored to take place on September 9 – and along with the new iPhone 17 series, we're going to get a new version of the Apple Watch Ultra for the first time since 2023.
By the time the Ultra 3 is unveiled, it will have been two years since the previous model arrived. The intervening period has left plenty of room for enhancements,...
On this week's episode of The MacRumors Show, we talk through what to expect from the Apple Watch SE 3, Series 11, and Ultra 3, and whether it's worth holding off on an upgrade until next year.
Subscribe to The MacRumors Show YouTube channel for more videos
The third-generation Apple Watch SE is rumored to feature a larger display (perhaps like the Apple Watch Series 7), the S11 chip, and...
