'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability

Tuesday February 9, 2016 2:42 pm PST by Juli Clover
A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.

Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.

Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.

sparklevulnerability
Image via EvilSocket

A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.

Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.

Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.

Tag: Sparkle
[ 96 comments ]

Top Rated Comments

(View all)

Avatar
engram
52 months ago
This will give you a list of what is on your system.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
Rating: 24 Votes
Avatar
jdillings
52 months ago
This is why the app store was a good thing
Rating: 23 Votes
Avatar
KALLT
52 months ago
@engram ('https://forums.macrumors.com/threads/huge-number-of-mac-apps-open-to-hijacking-from-sparkle-updater-vulnerability.1955488/members/engram.513277/'): This does not work if you have applications in sub-folders. Use this one instead, it also prints the Sparkle version (credit to an Ars commenter):
find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

Anything below version 1.13.1 is potentially affected.


Edit:

Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
Rating: 10 Votes
Avatar
Michaelgtrusa
52 months ago
Nothing surprises me anymore.
Rating: 7 Votes
Avatar
jclo
52 months ago

This will give you a list of what is on your system.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'


Not all of these are going to be affected -- only those using a version of Sparkle prior to 1.13.1 have the potential to be vulnerable. And of those, some may be using an encrypted HTTP channel to receive updates from the server, meaning they're not affected.
Rating: 7 Votes
Avatar
C DM
52 months ago

OS X isn't safe no more. Another day, another victim on news. It's 187 murder on Apps....RIP apps.
(pours out little liquor on their apps.)

Not really an OS exploit, but an app/service exploit.
Rating: 5 Votes
Avatar
Binarymix
52 months ago

I have malware bytes and open emu ... What should I do now?

If you're worried about it, uncheck any options for automatic updating within each apps preferences, and when it pops up that there is an update just cancel out of the dialog and download the app update manually from the developers site, which hopefully patches this vulnerability.
Rating: 4 Votes
Avatar
Stella
52 months ago
Put things into perspective - this isn't going to affect many people who currently have apps that use Sparkle.

I'm not too concerned, and will still favour non AppStore over AppStore versions which in many cases have less functionality.

It's really a big song and dance: The chances of being affected by this vulnerability is very small.

This was proof of concept and I doubt anyone is ready for mass exploitation.

At most, this is a chance for fear mongering and how this is solid evidence that OSX should be locked down with MacAppStore!

Good news that the vulnerability is patched and will work its way into affected apps.
Rating: 3 Votes
Avatar
Cindori
52 months ago
Trim Enabler has now been updated (3.4.3) with a fix. Make sure to update using a secure/trusted internet connection, or redownload from https://www.cindori.org/software/trimenabler/
Rating: 3 Votes
Avatar
KALLT
52 months ago

Isn't that below 1.13 and is therefore not patched?


Transmission has not been updated since June 2014 (latest version is 2.84). You actually have to use the nightly builds to get decent Yosemite+ support. I looked at the “appcast” feed they are using and it seems that they are indeed on the red list: they load the patch notes through separate HTTP URLs within the feed. This is the big issue of the vulnerability.

This was proof of concept and I doubt anyone is ready for mass exploitation.


Which is indeed a good thing. But it just goes to show that OS X does not work on fairy dust and that even Mac developers are lazy or negligent.
Rating: 3 Votes

[ Read All Comments ]