'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.
Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.
Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.
A "huge" number of apps are said to be at risk, but as
Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have
compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.
Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.
Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
Popular Stories
Apple today launched its annual "Back to School" promotion for college/university students in the United States and Canada. This year's promotion offers a free Apple gift card with the purchase of an eligible Mac or iPad, rather than free AirPods like last year. Apple is also offering students 20% off AppleCare+ plans during the promotion.
Apple is offering a $150 gift card with the purchase ...
CEO Tim Cook this week did an interview with China Daily, where he once again commented on on the future of augmented reality and hinted at Apple's work on an AR/VR headset. Render via designer Ian Zelbo Cook said that Apple is excited about the opportunities available with augmented reality, which is not too far off from prior comments that he's made, but he went on to say that people should ...
The next-generation AirPods Pro could come with a long list of new features that include heart rate detection, the ability to function as a hearing aid, and a USB-C port according to a report from 52Audio.
The site claims that it has received new information on the AirPods Pro 2, and it has used that information to provide some renders on what the earbuds might look like. Design wise, there...
Apple today seeded the second betas of iOS 16 and iPadOS 16 to developers for testing purposes, and the new betas introduce new features and refine some of the changes that Apple made with the first iOS 16 release.
Subscribe to the MacRumors YouTube channel for more videos. Lock Screen Photo Wallpaper Customization
When customizing a photo on the Lock Screen, there are two new DuoTone and...
The iPad will no longer be able to be used as a home hub following the launch of iOS 16, iPadOS 16, macOS Ventura, and the HomePod 16 software this fall, Apple confirmed today.
As discovered in iOS 16 code by MacRumors contributor Steve Moser, Apple says that the iPad will no longer be supported as a home hub. This information will be displayed in the Home app after updating to iOS 16.A home ...
Apple is "likely" to announce its long-rumored mixed-reality headset as soon as January 2023, Apple analyst Ming-Chi Kuo has reiterated.
Concept render based on purported leaked information by Ian Zelbo In a detailed post on Medium, Kuo explained that Apple's headset will be a "game-changer" for the augmented-reality and virtual-reality market. Describing some of the headset's...
Top Rated Comments
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
Anything below version 1.13.1 is potentially affected.
Edit:
Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done