Vulnerability in Sparkle update framework puts Mac apps at risk
A framework used by developers to perform software updates in Mac apps has potentially put the users of some popular tools at risk, via a recently discovered flaw. A vulnerability in the Sparkle framework makes apps including Camtasia, uTorrent, and Sequel Pro susceptible to man-in-the-middle attacks, which could lead to the installation of malicious code on the Mac desktop, all without the knowledge of the user.
Security researchers have found an issue with the way some versions of Sparkle fetch update data over HTTP rather than HTTPS and hand it to the WebKit rendering engine, which Ars Technica notes occurs when an app attempts to download data from update servers. A researcher known as "Radek" from VulnSec claims it is possible on El Capitan and Yosemite, though notes "the vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic."
While Radek has come up with a proof of concept to show the vulnerability's existence using Sequel Pro, a second researcher has extended this work further. Simone Margaritelli has managed to streamline the attack via the use of the Metasploit exploit framework, with it apparently working on a fully-patched Mac on a recent version of VLC Media Player. VLC has since released another patch to fix the security issue.
A second issue has also been found within Sparkle, but is considered to be less severe than the first. According to the report, the second attack can be used to replace update files with malicious versions, though it only really applies to poorly configured servers.
The developers behind Sparkle have already fixed the issues, though it now requires app developers to download it and integrate the updated framework with their software, before releasing their own update for the app. End users will have to wait for the app developers to release their updates.
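As an added example (not code from the article or from the Sparkle project), the kind of inventory check a user or admin could run while waiting for app updates: it reads each app bundle's Info.plist and flags Sparkle update feeds served over plain HTTP, the unencrypted transport the attack described above depends on. It relies on Sparkle's standard conventions (the SUFeedURL key and the bundled Sparkle.framework directory); the sample plist is constructed for the demonstration.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample: the Info.plist of a hypothetical app whose Sparkle
# feed is fetched over plain HTTP (the weak configuration).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>ExampleApp</string>
  <key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
</dict>
</plist>
"""


def feed_risk(info):
    """Classify a bundle's Sparkle feed URL from its Info.plist dictionary.
    Returns 'no-feed', 'insecure' (http), 'secure' (https) or 'unknown'."""
    url = info.get("SUFeedURL")
    if url is None:
        return "no-feed"
    scheme = urlparse(url).scheme.lower()
    if scheme == "http":
        return "insecure"
    if scheme == "https":
        return "secure"
    return "unknown"


def audit_plist_bytes(data):
    """Parse raw Info.plist bytes; return (bundle name, feed risk)."""
    info = plistlib.loads(data)
    return info.get("CFBundleName", "?"), feed_risk(info)


def audit_applications(root="/Applications"):
    """Walk installed .app bundles; report those that ship Sparkle or a feed URL."""
    findings = []
    for plist in Path(root).glob("*.app/Contents/Info.plist"):
        bundles_sparkle = (plist.parent / "Frameworks" / "Sparkle.framework").exists()
        try:
            name, risk = audit_plist_bytes(plist.read_bytes())
        except Exception:  # unreadable or malformed plist: skip, do not crash the audit
            continue
        if bundles_sparkle or risk != "no-feed":
            findings.append((name, risk, bundles_sparkle, str(plist)))
    return findings


if __name__ == "__main__":
    print(audit_plist_bytes(SAMPLE_PLIST))  # ('ExampleApp', 'insecure')
    for name, risk, has_sparkle, path in audit_applications():
        print(f"{risk:9} sparkle={has_sparkle} {name} ({path})")
```

An https feed only removes the unencrypted-traffic vector described above; it does not tell you whether the bundled Sparkle is a fixed build, and an app that sets its feed URL at runtime shows no SUFeedURL at all, which is why the Sparkle.framework directory is checked as well.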
Eek! I've got like 25 apps that use it. 10 of them I use regularly... and a couple of them have had updates within the last week or so. Hopefully all will be OK. I'll certainly hold off on running updates until I know they are clear. I wonder if there are other things we can do/check.
I found 23 apps including Quicken (both 2007 & 2016) and Quickbooks.
"The developers behind Sparkle have already fixed the issues, though it now requires app developers to download it and integrate the updated framework with their software, before releasing their own update for the app. End users will have to wait for the app developers to release their updates."
Well, let me clarify my somewhat sarcastic comment. The developer should tell you that they have a patch for the security flaw. Whether or not they'll be proactive is an entirely different matter.
The story at Ars Technica seemed to imply that you are only vulnerable if you are using the app to communicate on an unsecured wireless network. Am I understanding this correctly?