Sparkle software updater leaves 'huge' number of Mac apps open to attack

A "huge" number of third-party Mac apps are under threat of man-in-the-middle attacks due to a recently discovered vulnerability in Sparkle, an open source framework used to facilitate software updates.
Proof-of-concept video showing remote code execution in Sequel Pro update. | Source: Vulnerable Security
Along with a flawed Sparkle version, a vulnerable app must also fetch its update feed from the developer's server over unencrypted HTTP rather than HTTPS. An attacker who can intercept and tamper with that traffic, for example on a shared or unsecured Wi-Fi network, can substitute their own response for the update feed and use the Sparkle flaw to execute code on the target Mac. The finding comes from a software engineer known as Radek, whose write-up at Vulnerable Security confirmed the exploit works against apps running on the latest versions of OS X 10.11 El Capitan and OS X 10.10 Yosemite.
While no exhaustive list of affected Mac apps exists, researchers successfully ran the exploit against Camtasia, uTorrent and a recent version of VLC Media Player. Developers are already aware of the problem: VLC patched the hole in an update released last week. A running list of apps that use Sparkle as their update framework has been posted to GitHub.
Sparkle has shipped a fix in its latest release, but it remains up to each third-party developer to rebuild their app against the patched framework and deliver that build to users. Because the attack depends on an unencrypted feed, developers who serve their update feed only over HTTPS close the network path the attack relies on even before their users receive the updated framework.
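A practical check for the precondition described above: which installed apps embed Sparkle and point it at an HTTP rather than HTTPS feed. The script below is an added example, not code from the article, from Radek's write-up or from the Sparkle project. It relies on two facts about Sparkle bundles: the framework ships inside the app at Contents/Frameworks/Sparkle.framework, and the feed URL is normally declared under the SUFeedURL key in the app's Contents/Info.plist. Apps that set their feed URL in code instead of Info.plist are reported separately, since the script cannot see that URL. The make_fake_bundle and build_sample_tree helpers and every path and URL they produce are constructed test fixtures so the audit can run offline; on a real Mac point it at /Applications.

```python
"""Audit .app bundles for Sparkle update feeds fetched over plain HTTP.

Added example (not the article's or Sparkle's own code). Uses the real
Sparkle conventions: Contents/Frameworks/Sparkle.framework inside the
bundle and the SUFeedURL key in Contents/Info.plist. The fake-bundle
helpers at the bottom are constructed fixtures for offline testing.
"""
import os
import plistlib
import tempfile
from urllib.parse import urlparse

SPARKLE_FRAMEWORK = os.path.join("Contents", "Frameworks", "Sparkle.framework")
SPARKLE_PLIST = os.path.join(SPARKLE_FRAMEWORK, "Resources", "Info.plist")
APP_PLIST = os.path.join("Contents", "Info.plist")


def read_plist(path):
    """Return the plist at path as a dict, or {} if missing or unparseable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except Exception:  # missing file, bad XML, bad binary plist: treat as absent
        return {}


def audit_bundle(app_path):
    """Classify one .app bundle's Sparkle configuration.

    status is one of:
      no-sparkle         bundle does not embed Sparkle.framework
      insecure-feed      SUFeedURL uses http:// (on-path attacker can tamper)
      secure-feed        SUFeedURL uses https://
      feed-not-in-plist  Sparkle present but no SUFeedURL (feed set in code;
                         review manually)
    """
    has_sparkle = os.path.isdir(os.path.join(app_path, SPARKLE_FRAMEWORK))
    feed_url = read_plist(os.path.join(app_path, APP_PLIST)).get("SUFeedURL")
    version = None
    if has_sparkle:
        fw_info = read_plist(os.path.join(app_path, SPARKLE_PLIST))
        version = fw_info.get("CFBundleShortVersionString") or fw_info.get("CFBundleVersion")

    if not has_sparkle:
        status = "no-sparkle"
    elif feed_url is None:
        status = "feed-not-in-plist"
    elif urlparse(feed_url).scheme.lower() == "https":
        status = "secure-feed"
    else:
        status = "insecure-feed"
    return {"app": os.path.basename(app_path), "sparkle": has_sparkle,
            "version": version, "feed_url": feed_url, "status": status}


def audit_directory(apps_dir):
    """Audit every .app bundle directly under apps_dir, in name order."""
    return [audit_bundle(os.path.join(apps_dir, name))
            for name in sorted(os.listdir(apps_dir)) if name.endswith(".app")]


def make_fake_bundle(root, name, feed_url=None, sparkle_version=None):
    """Constructed fixture: a minimal .app bundle with the plists the audit reads."""
    app = os.path.join(root, name)
    os.makedirs(os.path.join(app, "Contents"), exist_ok=True)
    info = {"CFBundleIdentifier": "example.fixture." + name}
    if feed_url is not None:
        info["SUFeedURL"] = feed_url
    with open(os.path.join(app, APP_PLIST), "wb") as fh:
        plistlib.dump(info, fh)
    if sparkle_version is not None:
        os.makedirs(os.path.join(app, SPARKLE_FRAMEWORK, "Resources"), exist_ok=True)
        with open(os.path.join(app, SPARKLE_PLIST), "wb") as fh:
            plistlib.dump({"CFBundleShortVersionString": sparkle_version}, fh)
    return app


def build_sample_tree():
    """Constructed fixture tree covering all four statuses; returns its path."""
    root = tempfile.mkdtemp(prefix="sparkle-audit-")
    make_fake_bundle(root, "HttpFeed.app", "http://updates.example.test/appcast.xml", "1.12.0")
    make_fake_bundle(root, "HttpsFeed.app", "https://updates.example.test/appcast.xml", "1.13.0")
    make_fake_bundle(root, "CodeFeed.app", None, "1.11.0")
    make_fake_bundle(root, "NoSparkle.app")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for r in audit_directory(target):
        if r["sparkle"]:
            print(f"{r['status']:18} {r['app']:24} Sparkle {r['version']}  {r['feed_url']}")
```

Only the insecure-feed rows are exposed to the attack described here; feed-not-in-plist rows need a look at the binary or the vendor's documentation, because a hard-coded http:// feed URL is just as exposed. Note that the Sparkle version reported from the framework's Info.plist tells you whether the app still ships an old framework regardless of its feed scheme.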