'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.
Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.
Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.
A "huge" number of apps are said to be at risk, but as
Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have
compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.
Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.
Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
Popular Stories
Apple today introduced its first two physical products of 2026: a second-generation AirTag and the Black Unity Connection Braided Solo Loop for the Apple Watch.
Read our coverage of each announcement to learn more:Apple Unveils New AirTag With Longer Range, Louder Speaker, and More
Apple Introduces New Black Unity Apple Watch BandBoth the new AirTag and the Black Unity Connection Braided...
Apple today introduced the second-generation AirTag, with key features including longer range for tracking items and a louder speaker.
For those who are not familiar, the AirTag is a small accessory that you can attach to your backpack, keys, or other items. Then, you can track the location of those items in the Find My app on the iPhone, iPad, Mac, Apple Watch, and iCloud.com.
The new...
Alongside iOS 26.2.1, Apple today released an updated version of iOS 12 for devices that are still running that operating system update, eight years after the software was first released.
iOS 12.5.8 is available for the iPhone 5s and the iPhone 6, meaning Apple is continuing to support these devices for 13 and 12 years after launch, respectively. The iPhone 5s came out in September 2013,...
2026 promises to be yet another busy year for Apple, with the company rumored to be planning more than 20 product announcements over the coming months.
Beyond the usual updates to iPhones, iPads, Macs, and Apple Watches, Apple is expected to release its all-new smart home hub, which was reportedly delayed until the more personalized version of Siri is ready. Other unique products rumored for ...
Apple plans to release new MacBook Pro, MacBook Air, Mac Studio, and Studio Display models in the first half of this year, according to Bloomberg's Mark Gurman.
In his Power On newsletter today, Gurman added that redesigned MacBook Pro models with an OLED touch screen "should be hitting toward the end of 2026," meaning that the MacBook Pro line would be upgraded twice this year.
First up...
