"Hey Siri" support and possibly wireless charging case alongside AirPower charging mat.
'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.
Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.
Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.
Image via EvilSocket
A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.
Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.
Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.
Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.
A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.
Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.
Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
Tag: Sparkle
[ 96 comments ]
Top Rated Comments
(View all)
39 months ago
This will give you a list of what is on your system.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
39 months ago
@engram ('https://forums.macrumors.com/threads/huge-number-of-mac-apps-open-to-hijacking-from-sparkle-updater-vulnerability.1955488/members/engram.513277/'): This does not work if you have applications in sub-folders. Use this one instead, it also prints the Sparkle version (credit to an Ars commenter):
find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
Anything below version 1.13.1 is potentially affected.
Edit:
Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
Anything below version 1.13.1 is potentially affected.
Edit:
Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
39 months ago
This will give you a list of what is on your system.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
Not all of these are going to be affected -- only those using a version of Sparkle prior to 1.13.1 have the potential to be vulnerable. And of those, some may be using an encrypted HTTP channel to receive updates from the server, meaning they're not affected.
39 months ago
OS X isn't safe no more. Another day, another victim on news. It's 187 murder on Apps....RIP apps.
(pours out little liquor on their apps.)
39 months ago
I have malware bytes and open emu ... What should I do now?
If you're worried about it, uncheck any options for automatic updating within each apps preferences, and when it pops up that there is an update just cancel out of the dialog and download the app update manually from the developers site, which hopefully patches this vulnerability.
39 months ago
Isn't that below 1.13 and is therefore not patched?
Transmission has not been updated since June 2014 (latest version is 2.84). You actually have to use the nightly builds to get decent Yosemite+ support. I looked at the “appcast” feed they are using and it seems that they are indeed on the red list: they load the patch notes through separate HTTP URLs within the feed. This is the big issue of the vulnerability.
This was proof of concept and I doubt anyone is ready for mass exploitation.
Which is indeed a good thing. But it just goes to show that OS X does not work on fairy dust and that even Mac developers are lazy or negligent.
39 months ago
Trim Enabler has now been updated (3.4.3) with a fix. Make sure to update using a secure/trusted internet connection, or redownload from https://www.cindori.org/software/trimenabler/
39 months ago
Put things into perspective - this isn't going to affect many people who currently have apps that use Sparkle.
I'm not too concerned, and will still favour non AppStore over AppStore versions which in many cases have less functionality.
It's really a big song and dance: The chances of being affected by this vulnerability is very small.
This was proof of concept and I doubt anyone is ready for mass exploitation.
At most, this is a chance for fear mongering and how this is solid evidence that OSX should be locked down with MacAppStore!
Good news that the vulnerability is patched and will work its way into affected apps.
I'm not too concerned, and will still favour non AppStore over AppStore versions which in many cases have less functionality.
It's really a big song and dance: The chances of being affected by this vulnerability is very small.
This was proof of concept and I doubt anyone is ready for mass exploitation.
At most, this is a chance for fear mongering and how this is solid evidence that OSX should be locked down with MacAppStore!
Good news that the vulnerability is patched and will work its way into affected apps.
[ Read All Comments ]
Going forward, regular users of Microsoft's Edge mobile browser for iOS can expect to receive warnings when they visit untrustworthy news sites.
The company's browser is integrating...
Amazon has pulled its Echo Wall Clock over concerns about connectivity issues, just a little over a month since it began shipping the product.
The Wall Clock's lack of availability on the...
Instagram has moved to address rumors that it actively suppresses the reach of user posts on the social network.
In a statement posted on its official Twitter account, Instagram said that it has...
For those of you who like to rearrange the Home screen on your iPhone and iPad to organize your apps, you might be interested to know that there's a handy little hidden feature for moving...
Commonwealth Bank (CBA) today implemented support for Apple Pay, making it the second of Australia's "Big Four" banks to offer the payments service. CBA is the biggest retail bank in...
Netflix today launched a new Instagram integration that's designed to allow Instagram users to share their favorite movies and TV shows in Stories, reports Variety.
The feature can be used...
Twitter today announced that it has started rolling out a new, simplified interface on the web, which is available to some users starting today.
The updated interface features a two-column...
Alongside the release of iOS 12.1.3, the latest update to the iOS 12 operating system, Apple has released new 12.1.13 software that's designed for the HomePod.
The new HomePod software will...
