Apple's Beats brand in April unveiled the Powerbeats Pro, a redesigned wire-free version of its popular fitness-oriented Powerbeats earbuds.
'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.
Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.
Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.
Image via EvilSocket
A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.
Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.
Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.
Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.
A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.
Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.
Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
Tag: Sparkle
[ 96 comments ]
Top Rated Comments
(View all)
44 months ago
This will give you a list of what is on your system.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
44 months ago
@engram ('https://forums.macrumors.com/threads/huge-number-of-mac-apps-open-to-hijacking-from-sparkle-updater-vulnerability.1955488/members/engram.513277/'): This does not work if you have applications in sub-folders. Use this one instead, it also prints the Sparkle version (credit to an Ars commenter):
find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
Anything below version 1.13.1 is potentially affected.
Edit:
Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
Anything below version 1.13.1 is potentially affected.
Edit:
Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
44 months ago
This will give you a list of what is on your system.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
Not all of these are going to be affected -- only those using a version of Sparkle prior to 1.13.1 have the potential to be vulnerable. And of those, some may be using an encrypted HTTP channel to receive updates from the server, meaning they're not affected.
44 months ago
OS X isn't safe no more. Another day, another victim on news. It's 187 murder on Apps....RIP apps.
(pours out little liquor on their apps.)
44 months ago
I have malware bytes and open emu ... What should I do now?
If you're worried about it, uncheck any options for automatic updating within each apps preferences, and when it pops up that there is an update just cancel out of the dialog and download the app update manually from the developers site, which hopefully patches this vulnerability.
44 months ago
Isn't that below 1.13 and is therefore not patched?
Transmission has not been updated since June 2014 (latest version is 2.84). You actually have to use the nightly builds to get decent Yosemite+ support. I looked at the “appcast” feed they are using and it seems that they are indeed on the red list: they load the patch notes through separate HTTP URLs within the feed. This is the big issue of the vulnerability.
This was proof of concept and I doubt anyone is ready for mass exploitation.
Which is indeed a good thing. But it just goes to show that OS X does not work on fairy dust and that even Mac developers are lazy or negligent.
44 months ago
Trim Enabler has now been updated (3.4.3) with a fix. Make sure to update using a secure/trusted internet connection, or redownload from https://www.cindori.org/software/trimenabler/
44 months ago
Put things into perspective - this isn't going to affect many people who currently have apps that use Sparkle.
I'm not too concerned, and will still favour non AppStore over AppStore versions which in many cases have less functionality.
It's really a big song and dance: The chances of being affected by this vulnerability is very small.
This was proof of concept and I doubt anyone is ready for mass exploitation.
At most, this is a chance for fear mongering and how this is solid evidence that OSX should be locked down with MacAppStore!
Good news that the vulnerability is patched and will work its way into affected apps.
I'm not too concerned, and will still favour non AppStore over AppStore versions which in many cases have less functionality.
It's really a big song and dance: The chances of being affected by this vulnerability is very small.
This was proof of concept and I doubt anyone is ready for mass exploitation.
At most, this is a chance for fear mongering and how this is solid evidence that OSX should be locked down with MacAppStore!
Good news that the vulnerability is patched and will work its way into affected apps.
[ Read All Comments ]
Apple today seeded the first beta of an upcoming tvOS 13 software update to its public beta testing group, giving non-developers a chance to try out the new software ahead of its fall public release....
Apple today seeded the fifth beta of an upcoming iOS 12.4 update to developers, two weeks after seeding the fourth iOS 12.4 beta, and over a month after releasing iOS 12.3, a major update that...
Apple today seeded the third beta of an upcoming macOS Mojave 10.14.6 update to developers, two weeks after seeding the second macOS Mojave 10.14.6 beta and more than a month after the release of...
Apple today seeded the fourth beta of an upcoming watchOS 5.3 update to developers, two weeks after releasing the third watchOS 5.3 beta and a month after the launch of watchOS 5.2.1, an update that...
B&H Photo is further discounting a set of previous generation iMacs, providing the lowest ever price for the 21.5-inch model with 8GB RAM and a 1TB Fusion Drive. You can get this model for...
Microsoft plans to launch a small foldable Surface tablet in the first half of 2020, according to Jeff Lin, an analyst at research firm IHS Markit.
Microsoft Surface Go
In an email shared...
Augmented reality game Harry Potter: Wizards Unite got a surprise early release last week in the U.S. and the U.K., and Niantic has now rolled the game out to a global audience.
Early Sunday...
For this week's giveaway, we've teamed up with Tap to give MacRumors readers a chance to win one of the company's wearable keyboards, which Tap believes is the keyboard of the future.
...
