'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.
Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.
Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.

A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.
Apps downloaded through the Mac App Store are not affected, as OS X's built-in software update mechanism does not use Sparkle.
Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
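To check which installed apps meet the two conditions described above (a bundled Sparkle framework and an update feed fetched over plain HTTP), the following script is an added example and is not taken from Ars Technica, the researchers, or the Sparkle project. It assumes Sparkle's usual layout, with the framework under Contents/Frameworks and the feed declared in the app's Info.plist under the SUFeedURL key. The article does not name the fixed release, so the script only reports the bundled Sparkle version for comparison against the project's release notes.

```python
import plistlib
import sys
from pathlib import Path
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError


def read_plist(path):
    """Parse an XML or binary plist; return {} if it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return {}
    return data if isinstance(data, dict) else {}


def audit_app(app):
    """Return a finding for one .app bundle, or None if it does not bundle Sparkle."""
    app = Path(app)
    framework = app / "Contents" / "Frameworks" / "Sparkle.framework"
    if not framework.is_dir():
        return None
    feed = str(read_plist(app / "Contents" / "Info.plist").get("SUFeedURL", "")).strip()
    # The framework's own Info.plist sits under Versions/<name>/Resources.
    version = "unknown"
    for plist in sorted(framework.glob("Versions/*/Resources/Info.plist")):
        version = read_plist(plist).get("CFBundleShortVersionString", version)
    scheme = urlparse(feed).scheme.lower()
    if scheme == "http":
        status = "cleartext-feed"      # appcast fetched over plain HTTP
    elif scheme == "https":
        status = "https-feed"
    else:
        status = "feed-not-in-plist"   # absent here; the app may set it in code
    return {"app": app.name, "sparkle": str(version), "feed": feed, "status": status}


def scan(root):
    """Audit every .app bundle found under root, sorted by bundle name."""
    found = (audit_app(p) for p in Path(root).rglob("*.app") if p.is_dir())
    return sorted((f for f in found if f), key=lambda f: f["app"])


if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(f"{f['status']:18} {f['app']:30} Sparkle {f['sparkle']:10} {f['feed']}")
```

Apps reported as cleartext-feed are the ones to update first or to keep off untrusted networks until their vendor ships the patched framework.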