sparkle updater interface example

A new vulnerability has been discovered to affect a wide variety of third-party apps for OS X that have been downloaded from the internet and use an outdated version of the Sparkle updater framework.

The new vulnerability puts a number of users of affected third-party apps at risk of being hijacked when those apps attempt to use the outdated framework to alert users of new app updates.

Who’s affected?

The problem, as noted by a security engineer named Radek on vulnsec.com, doesn’t affect apps that are updated through the Mac App Store, but rather, affects a number of third-party apps downloaded from the internet that are installed manually by the user and are using an outdated version of the Sparkle updater framework to regularly check for updates automatically in the background.

Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker take control of another computer on the same network (via MITM).

The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response).

Below, the security engineer demonstrates in a YouTube video how the vulnerability works:

Among some of the affected apps are Camtasia 2 (version 2.10.4), DuetDisplay (version 1.5.2.4), Sketch (version 3.5.1), and uTorrent (version 1.8.7), but many other third-party apps using the same insecure updater framework are also affected.

VLC Media Player was recently affected by this vulnerability, but a recent update to the app (version 2.2.2) has reportedly patched the problem. Ars Technica notes that the vulnerability affects Macs running OS X Yosemite and OS X El Capitan.

How does it work?

The Sparkle updater framework vulnerability is essentially a man-in-the-middle attack, which is when the user’s machine is attempting to communicate with the update server over an unencrypted and insecure HTTP connection and a hacker with malicious intent can get right in the middle of the communication line and force the user’s computer to download malicious software instead of the real thing.

Because the problem doesn’t affect the updating mechanism in the Mac App Store, third-party app developers could avoid this problem by simply hosting their apps in the Mac App Store. The other option third-party app developers have is to update the Sparkle updater framework being used by their apps to the latest version, which isn’t affected by the vulnerability found by these security researchers.

This isn’t something Apple can readily fix to protect their users’ systems, but this is one of the reasons why Apple has become so strict with default OS X security settings, such as having Gatekeeper set to only allow apps to be downloaded from the Mac App Store by default. Instead, this is something the individual third-party app developers have to fix on their own by updating their apps as necessary.

How do I protect myself?

In terms of protecting yourself from this vulnerability in the Sparkle updater framework, the best advice we can give you is when you see a prompt for an app update, rather than updating the app through the update window itself, simply visit the app’s website and download the latest version from the website so you know you’re downloading what you actually intend to download.

If you’re trying to update an app from the Mac App Store, then you have nothing to worry about because this vulnerability doesn’t affect Mac App Store apps.

Third-party app developers who are aware this problem is affecting their apps will be updating their apps accordingly to protect their users, so keep an eye out for updates on the webpages of the apps you use regularly on your Mac.

Are you using any of the affected apps on your OS X system? Share in the comments below.