A vulnerability discovered in an outdated version of the Sparkle updater framework that many third-party OS X apps depend on for serving the user with regular updates has been getting a lot of attention recently.
As we reported on Tuesday, the security problem affects a number of third-party Mac apps downloaded from the internet, and not apps downloaded from the Mac App Store. The vulnerability roots from the lack of an encrypted connection and gives a malicious hacker the ability to perform a man-in-the-middle attack.
But what OS X apps are affected? This is the information you need to know as soon as possible to keep your Mac safe from potential malware threats.
Mac App Store apps aren’t affected
It’s very important to note first-hand that Mac App Store apps aren’t affected by this problem because they are updated through the Apple’s own updating mechanism, which is well encrypted and will keep your network traffic safe.
The problem only affects a number of third-party OS X apps downloaded from the internet, such as on websites hosted by developers of the apps themselves. It’s worth nothing that not every app is affected either – only the ones using an outdated version of the Sparkle updater framework are affected.
Okay… so what apps are affected?
With such a diverse number of requirements for an app to be affected by the vulnerability, you are probably wondering what kinds of apps use the Sparkle updater framework and what apps are likely to be affected.
Although there’s no such thing as a complete list for this scenario, a list of apps recently added to GitHub is being regularly contributed to by users of apps known to use the Sparkle updater framework. The list contains apps that use both outdated and up-to-date Sparkle updater framework versions, and while it’s not telling you what apps are affected by the vulnerability, it is giving you a place to start in terms of what apps to keep an eye on.
Apps known to be affected by the vulnerability include the following:
- Camtasia 2 (version 2.10.4)
- DuetDisplay (version 126.96.36.199)
- Sketch (version 3.5.1)
- uTorrent (version 1.8.7)
… but the list goes on.
Some apps in the GitHub list are available both in the Mac App Store and online from the developers’ website, such as Fantastical 2 and CyberDuck. These apps can either use the Sparkle updater framework, or not, and you may be wondering how this scenario pans out.
Well, it pans out exactly how you might think – if you downloaded the app from the Mac App Store, then you’re still safe. If you downloaded it from the internet from a rouge website, then you might have something to be wary about.
Interestingly, even the security researcher (Radek) who originally discovered and outlined the flaw in the outdated version of the Sparkle updater framework has contributed to the GitHub list to help users remain wary over the security of updating certain apps via Sparkle.
All the apps being mentioned in the list by users may use the Sparkle updater framework, but that doesn’t mean all of the apps being listed are affected by the vulnerability – only apps using an outdated version of the Sparkle updater framework are going to be vulnerable because they use an HTTP channel instead of an HTTPS channel when checking for updates.
How will app developers fix this problem?
App developers who know their app is using a vulnerable version of the Sparkle updater framework have two choices to secure their apps: 1) Update their app’s Sparkle updater framework to the latest version, or 2) Use the Mac App Store to host their app instead of using their third-party website so Apple can handle the app updates instead.
Apple themselves will be unable to fix this problem in the long term because the problem isn’t related to Apple, nor their products; instead, it’s related to third-party software that third-party developers are relying on.
A recent example of how updating the Sparkle updater framework secures the user from the vulnerability is VLC Media Player, which was recently updated with a fix for the problem. What’s more is it was updated without using the Mac App Store; nevertheless, the app still uses the Sparkle updater framework, but because it’s up to date, it’s no longer vulnerable to the man-in-the-middle attack pointed out by Radek.
How to protect yourself
It’s worth noting that it’s easy to protect yourself from this vulnerability. When an app on your Mac that you didn’t download from the Mac App Store tells you that you have an update available, you can simply go to the developer’s website to download the latest version of the app manually rather than going through the updater interface.
This method ensures you get the file you intend to download and not something that a malicious hacker could be forcing you to download.
If you’re unsure about your safety while using an app, you can also contact support for that specific app and question the app developer directly to hopefully get a more solid response about whether or not you’re safe from this vulnerability.
It’s a nasty little security vulnerability, yes, but there have been no known cases of it actually being used in the real world just yet. Fortunately, you can keep yourself safe by sticking to common sense and staying educated as information about the latest security threats arise.
How many apps on your Mac are using the Sparkle updater framework as listed on GitHub? Share in the comments.