Jump to content

Sparkle vulnerability MAC


Dimortal

Recommended Posts

What Mac apps are known to be affected by the Sparkle vulnerability?

Are You Guys Aware Of This Issue ???

 

C/P: 

 

sparkle updater interface example

A vulnerability discovered in an outdated version of the Sparkle updater framework that many third-party OS X apps depend on for serving the user with regular updates has been getting a lot of attention recently.

As we reported on Tuesday, the security problem affects a number of third-party Mac apps downloaded from the internet, and not apps downloaded from the Mac App Store. The vulnerability roots from the lack of an encrypted connection and gives a malicious hacker the ability to perform a man-in-the-middle attack.

But what OS X apps are affected? This is the information you need to know as soon as possible to keep your Mac safe from potential malware threats.

Mac App Store apps aren’t affected

It’s very important to note first-hand that Mac App Store apps aren’t affected by this problem because they are updated through the Apple’s own updating mechanism, which is well encrypted and will keep your network traffic safe.

The problem only affects a number of third-party OS X apps downloaded from the internet, such as on websites hosted by developers of the apps themselves. It’s worth nothing that not every app is affected either – only the ones using an outdated version of the Sparkle updater framework are affected.

Okay… so what apps are affected?

With such a diverse number of requirements for an app to be affected by the vulnerability, you are probably wondering what kinds of apps use the Sparkle updater framework and what apps are likely to be affected.

Although there’s no such thing as a complete list for this scenario, a list of apps recently added to GitHub is being regularly contributed to by users of apps known to use the Sparkle updater framework. The list contains apps that use both outdated and up-to-date Sparkle updater framework versions, and while it’s not telling you what apps are affected by the vulnerability, it is giving you a place to start in terms of what apps to keep an eye on.

Apps known to be affected by the vulnerability include the following:

  • Camtasia 2 (version 2.10.4)
  • DuetDisplay (version 1.5.2.4)
  • Sketch (version 3.5.1)
  • uTorrent (version 1.8.7)

… but the list goes on.

Some apps in the GitHub list are available both in the Mac App Store and online from the developers’ website, such as Fantastical 2 and CyberDuck. These apps can either use the Sparkle updater framework, or not, and you may be wondering how this scenario pans out.

Well, it pans out exactly how you might think – if you downloaded the app from the Mac App Store, then you’re still safe. If you downloaded it from the internet from a rouge website, then you might have something to be wary about.

Interestingly, even the security researcher (Radek) who originally discovered and outlined the flaw in the outdated version of the Sparkle updater framework has contributed to the GitHub list to help users remain wary over the security of updating certain apps via Sparkle.

All the apps being mentioned in the list by users may use the Sparkle updater framework, but that doesn’t mean all of the apps being listed are affected by the vulnerability – only apps using an outdated version of the Sparkle updater framework are going to be vulnerable because they use an HTTP channel instead of an HTTPS channel when checking for updates.

How will app developers fix this problem?

App developers who know their app is using a vulnerable version of the Sparkle updater framework have two choices to secure their apps: 1) Update their app’s Sparkle updater framework to the latest version, or 2) Use the Mac App Store to host their app instead of using their third-party website so Apple can handle the app updates instead.

Apple themselves will be unable to fix this problem in the long term because the problem isn’t related to Apple, nor their products; instead, it’s related to third-party software that third-party developers are relying on.

A recent example of how updating the Sparkle updater framework secures the user from the vulnerability is VLC Media Player, which was recently updated with a fix for the problem. What’s more is it was updated without using the Mac App Store; nevertheless, the app still uses the Sparkle updater framework, but because it’s up to date, it’s no longer vulnerable to the man-in-the-middle attack pointed out by Radek.

How to protect yourself

It’s worth noting that it’s easy to protect yourself from this vulnerability. When an app on your Mac that you didn’t download from the Mac App Store tells you that you have an update available, you can simply go to the developer’s website to download the latest version of the app manually rather than going through the updater interface.

This method ensures you get the file you intend to download and not something that a malicious hacker could be forcing you to download.

If you’re unsure about your safety while using an app, you can also contact support for that specific app and question the app developer directly to hopefully get a more solid response about whether or not you’re safe from this vulnerability.

Conclusion

It’s a nasty little security vulnerability, yes, but there have been no known cases of it actually being used in the real world just yet. Fortunately, you can keep yourself safe by sticking to common sense and staying educated as information about the latest security threats arise.

How many apps on your Mac are using the Sparkle updater framework as listed on GitHub? Share in the comments.

Link to comment
Share on other sites

Below, the security engineer demonstrates in a YouTube video how the vulnerability works:

Among some of the affected apps are Camtasia 2 (version 2.10.4), DuetDisplay (version 1.5.2.4), Sketch (version 3.5.1), and uTorrent (version 1.8.7), but many other third-party apps using the same insecure updater framework are also affected.

VLC Media Player was recently affected by this vulnerability, but a recent update to the app (version 2.2.2) has reportedly patched the problem. Ars Technica notes that the vulnerability affects Macs running OS X Yosemite and OS X El Capitan.

How does it work?

The Sparkle updater framework vulnerability is essentially a man-in-the-middle attack, which is when the user’s machine is attempting to communicate with the update server over an unencrypted and insecure HTTP connection and a hacker with malicious intent can get right in the middle of the communication line and force the user’s computer to download malicious software instead of the real thing.

Because the problem doesn’t affect the updating mechanism in the Mac App Store, third-party app developers could avoid this problem by simply hosting their apps in the Mac App Store. The other option third-party app developers have is to update the Sparkle updater framework being used by their apps to the latest version, which isn’t affected by the vulnerability found by these security researchers.

This isn’t something Apple can readily fix to protect their users’ systems, but this is one of the reasons why Apple has become so strict with default OS X security settings, such as having Gatekeeper set to only allow apps to be downloaded from the Mac App Store by default. Instead, this is something the individual third-party app developers have to fix on their own by updating their apps as necessary.

How do I protect myself?

In terms of protecting yourself from this vulnerability in the Sparkle updater framework, the best advice we can give you is when you see a prompt for an app update, rather than updating the app through the update window itself, simply visit the app’s website and download the latest version from the website so you know you’re downloading what you actually intend to download.

If you’re trying to update an app from the Mac App Store, then you have nothing to worry about because this vulnerability doesn’t affect Mac App Store apps.

Third-party app developers who are aware this problem is affecting their apps will be updating their apps accordingly to protect their users, so keep an eye out for updates on the webpages of the apps you use regularly on your Mac.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...