What you need to know about the Sparkle vulnerability affecting some OS X apps

By , Feb 9, 2016

sparkle updater interface example

A new vulnerability has been discovered to affect a wide variety of third-party apps for OS X that have been downloaded from the internet and use an outdated version of the Sparkle updater framework.

The new vulnerability puts a number of users of affected third-party apps at risk of being hijacked when those apps attempt to use the outdated framework to alert users of new app updates.

Who’s affected?

The problem, as noted by a security engineer named Radek on vulnsec.com, doesn’t affect apps that are updated through the Mac App Store, but rather, affects a number of third-party apps downloaded from the internet that are installed manually by the user and are using an outdated version of the Sparkle updater framework to regularly check for updates automatically in the background.

Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker take control of another computer on the same network (via MITM).

The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response).

Below, the security engineer demonstrates in a YouTube video how the vulnerability works:

Among some of the affected apps are Camtasia 2 (version 2.10.4), DuetDisplay (version 1.5.2.4), Sketch (version 3.5.1), and uTorrent (version 1.8.7), but many other third-party apps using the same insecure updater framework are also affected.

VLC Media Player was recently affected by this vulnerability, but a recent update to the app (version 2.2.2) has reportedly patched the problem. Ars Technica notes that the vulnerability affects Macs running OS X Yosemite and OS X El Capitan.

How does it work?

The Sparkle updater framework vulnerability is essentially a man-in-the-middle attack, which is when the user’s machine is attempting to communicate with the update server over an unencrypted and insecure HTTP connection and a hacker with malicious intent can get right in the middle of the communication line and force the user’s computer to download malicious software instead of the real thing.

Because the problem doesn’t affect the updating mechanism in the Mac App Store, third-party app developers could avoid this problem by simply hosting their apps in the Mac App Store. The other option third-party app developers have is to update the Sparkle updater framework being used by their apps to the latest version, which isn’t affected by the vulnerability found by these security researchers.

This isn’t something Apple can readily fix to protect their users’ systems, but this is one of the reasons why Apple has become so strict with default OS X security settings, such as having Gatekeeper set to only allow apps to be downloaded from the Mac App Store by default. Instead, this is something the individual third-party app developers have to fix on their own by updating their apps as necessary.

How do I protect myself?

In terms of protecting yourself from this vulnerability in the Sparkle updater framework, the best advice we can give you is when you see a prompt for an app update, rather than updating the app through the update window itself, simply visit the app’s website and download the latest version from the website so you know you’re downloading what you actually intend to download.

If you’re trying to update an app from the Mac App Store, then you have nothing to worry about because this vulnerability doesn’t affect Mac App Store apps.

Third-party app developers who are aware this problem is affecting their apps will be updating their apps accordingly to protect their users, so keep an eye out for updates on the webpages of the apps you use regularly on your Mac.

Are you using any of the affected apps on your OS X system? Share in the comments below.

  • Share:
  • Follow:
  • JRDN

    I have uTorrent (for basic, non-pirating needs). I haven’t updated in a while (it’s sitting at 1.8.7, last checked today). Will I or have I been affected?

    • Anthony Bouchard

      Your app is currently vulnerable, but there is also no newer version available. If you’re worried about security, I’d suggest uninstalling for now until an update is released.

      • JRDN

        Is it still vulnerable even if I don’t use it? The vulnerability says it affects the app with a man-in-the-middle attack, which means I would have to update uTorrent from it’s application in order to be possibly affected.

      • Anthony Bouchard

        The vulnerability affects the updater that runs in the background. You’re vulnerable the second the app is launched and checks for an update.

        However, you won’t have any problems if you avoid updating the app from the app itself.

  • Interestingly enough, a couple of jailbreak tools use Sparkle (very old versions, like 1.x of Sparkle).

    • the hood

      Which jailbreak tools?

      • redsn0w and Spirit are a few. Just open up the .app files and look for any .framework folders.

  • I wish there was a list of apps that are may be in risk. The only apps on my Mac are in risk could be Transmissions and AppZapper 2. Anyone else have these two apps?

  • kokeropie

    Is DuetDisplay different than duet? If not, why the vulnerable version is 1.5.2.4 while mine is 1.5.1.1 and it says the latest version.

    • Anthony Bouchard

      They may be the same app – I’m honestly not sure. Could be vulnerable if it’s using anything older.

  • Juan Sebastian Callejas Rodrig

    HURR DURR JUST UPLOAD IT TO THE APPLE APP STORE AND IT’S ALL FIXED! See, I’m not really in the mood to pay a shit ton of money to get a code signing identity to host in the app store, SO… I’ll just update the updater 😀

  • Anthony Bouchard

    I’ve confirmed with the developer that MacID doesn’t use a vulnerable version of Sparkle. So if you use MacID, you’re safe.

  • BlackSheep_dsg

    turn off automatic updates for all third party apps and don’t update via the apps problem solved,

  • huntx

    I was able to get a list of all the /Applications using Sparkle using the following from a terminal window

    find /Applications -iname Sparkle.framework