
Vulnerability in Sparkle update framework puts Mac apps at risk
NewsPoster
MacNN Staff
Join Date: Jul 2012
Feb 10, 2016, 08:41 AM
 
A framework used by developers to perform software updates in Mac apps has potentially put the users of some popular tools at risk, via a recently discovered flaw. A vulnerability in the Sparkle framework makes apps including Camtasia, uTorrent, and Sequel Pro susceptible to man-in-the-middle attacks, which could lead to the installation of malicious code on the Mac desktop, all without the knowledge of the user.

Security researchers have found an issue with the way some versions of Sparkle use HTTP rather than HTTPS to interact with the WebKit rendering engine's functions, which Ars Technica notes occurs when an app attempts to download data from update servers. A researcher known as "Radek" from VulnSec claims it is possible on El Capitan and Yosemite, though notes "the vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows Javascript execution and the ability to modify unencrypted HTTP traffic."

While Radek has come up with a proof of concept to show the vulnerability's existence using Sequel Pro, a second researcher has extended this work further. Simone Margaritelli has managed to streamline the attack via the use of the Metasploit exploit framework, with it apparently working on a fully-patched Mac on a recent version of VLC Media Player. VLC has since released another patch to fix the security issue.

A second issue has also been found within Sparkle, but is considered to be less severe than the first. According to the report, the second attack can be used to replace update files with malicious versions, though it only really applies to poorly configured servers.

The developers behind Sparkle have already fixed the issues, though it now requires app developers to download it and integrate the updated framework with their software, before releasing their own update for the app. End users will have to wait for the app developers to release their updates.
     
iSkippy
Fresh-Faced Recruit
Join Date: Nov 2004
Location: Canada
Feb 10, 2016, 12:14 PM
 
Found this on another website, so I can't take full credit for it, but I thought it'd be helpful to share here, too. In Terminal, run:

find /Applications -name Sparkle.framework

to see all of the apps in your Applications folder that use the Sparkle framework.
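A slightly deeper version of that check, as an added example (not code from the post above or from the Sparkle project): it walks the Applications folder, records the Sparkle version each app bundles, and flags apps whose Info.plist SUFeedURL (Sparkle's appcast key) points at a plain http:// URL, which is the unencrypted traffic the article describes. It assumes the standard <App>.app/Contents/Frameworks/Sparkle.framework layout.

```python
"""Inventory apps that bundle Sparkle and flag plain-HTTP appcast feeds.

Added example, not code from the MacNN post or from Sparkle itself.
Assumes the standard layout <App>.app/Contents/Frameworks/Sparkle.framework
and Sparkle's Info.plist key SUFeedURL for the appcast URL.
"""
import plistlib
import sys
from pathlib import Path
from urllib.parse import urlsplit


def feed_risk(info_plist: bytes) -> str:
    """Classify an app's update feed from the bytes of its Info.plist.

    'http'    feed fetched over plain HTTP: update data can be altered in transit
    'https'   feed fetched over TLS
    'no-feed' no SUFeedURL key (feed may be set in code; inspect manually)
    'other'   any other scheme
    """
    info = plistlib.loads(info_plist)  # handles both XML and binary plists
    url = info.get("SUFeedURL")
    if not url:
        return "no-feed"
    scheme = urlsplit(str(url)).scheme.lower()
    return scheme if scheme in ("http", "https") else "other"


def sparkle_version(framework: Path) -> str:
    """Return the bundled Sparkle framework's version string, or '?'."""
    for plist in (framework / "Resources" / "Info.plist",
                  framework / "Versions" / "A" / "Resources" / "Info.plist"):
        if plist.is_file():
            return str(plistlib.loads(plist.read_bytes()).get("CFBundleShortVersionString", "?"))
    return "?"


def scan(apps_dir: Path):
    """Yield (app bundle, Sparkle version, feed risk) for each Sparkle.framework found."""
    for fw in apps_dir.rglob("Sparkle.framework"):
        # Walk up from the framework to the enclosing .app bundle.
        app = next((p for p in fw.parents if p.suffix == ".app"), None)
        if app is None:
            continue
        info = app / "Contents" / "Info.plist"
        risk = feed_risk(info.read_bytes()) if info.is_file() else "no-feed"
        yield app, sparkle_version(fw), risk


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/Applications")
    for app, version, risk in scan(root):
        print(f"{risk:8} Sparkle {version:8} {app}")
```

An app reported as "no-feed" is not necessarily safe: Sparkle can also be given its feed URL in code, so those need a manual look.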
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Feb 10, 2016, 12:28 PM
 
Nice find!
     
Steve Wilkinson
Senior User
Join Date: Dec 2001
Location: Prince George, BC, Canada
Feb 11, 2016, 01:20 AM
 
Thanks, iSkippy!

Eek! I've got like 25 apps that use it. 10 of them I use regularly... and a couple of them have had updates within the last week or so. Hopefully all will be OK. I'll certainly hold off on running updates until I know they are clear. I wonder if there are other things we can do/check.
------
Steve Wilkinson
Web designer | Christian apologist
cgWerks | TilledSoil.org
     
HPeet
Fresh-Faced Recruit
Join Date: Oct 2011
Feb 11, 2016, 08:41 AM
 
I found 23 apps including Quicken (both 2007 & 2016) and Quickbooks.

"The developers behind Sparkle have already fixed the issues, though it now requires app developers to download it and integrate the updated framework with their software, before releasing their own update for the app. End users will have to wait for the app developers to release their updates."

How will we know that this has happened?
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Feb 11, 2016, 09:17 AM
 
Presumably, the developer will tell you.
     
HPeet
Fresh-Faced Recruit
Join Date: Oct 2011
Feb 12, 2016, 06:33 AM
 
Presumably? Intuit?
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Feb 12, 2016, 07:52 AM
 
Well, let me clarify my somewhat sarcastic comment. The developer should tell you that they have a patch for the security flaw. Whether or not they'll be proactive is an entirely different matter.
     
tankman
Fresh-Faced Recruit
Join Date: Mar 2010
Feb 12, 2016, 03:41 PM
 
The story at Ars Technica seemed to imply that you are only vulnerable if you are using the app to communicate on an unsecured wireless network. Am I understanding this correctly?
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Feb 12, 2016, 05:04 PM
 
It would be easier to do on an unsecured wireless network, yes, but not limited to such.
     
Steve Wilkinson
Senior User
Join Date: Dec 2001
Location: Prince George, BC, Canada
Feb 12, 2016, 09:18 PM
 
I've only heard from one developer so far... nothing from the other 25 yet.

So, basically don't let any of these apps auto-update until we hear from the developer that it's safe? (That's my read of the situation so far...)
------
Steve Wilkinson
Web designer | Christian apologist
cgWerks | TilledSoil.org
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Feb 12, 2016, 10:41 PM
 
That would stop any possible vector of attack, yes.
     