
A new security vulnerability has been found in a popular framework that is used by a variety of Mac applications. This vulnerability exists within the Sparkle framework and leaves users open to Man-in-the-Middle attacks–an attack where the attacker relays and alters communication between two parties.
Sparkle is a framework for a large number of third-party OS X applications including Camtasia, Utorrent, Duet Display, and Sketch. These applications use sparkle to update automatically in the background.
The vulnerability within Sparkle affects Mac users who use an outdated version of Sparkle or use an un-encrypted HTTP channel to receive info from update servers. The issue stems from an improper implementation of Sparkle updater from the Sparkle developers.
Security researcher Radek found this flaw when doing research:
Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker take control of another computer on the same network (via MITM).
The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify un-encrypted HTTP traffic (XML response).
The devs used an un-encrypted HTTP URL to check for new updates instead of a more secure SSL encrypted channel. The result of this vulnerability would give a malicious user complete control to inject malicious code between a regular user and server. As a result, a malicious user can completely control a vulnerable computer.
While this attack vector is highly unlikely, users should still be aware that connecting to the web from public wifi networks will leave them open to this new exploit. So, if you are going to update Sparkle framework do so from the security of your private home wifi network, or when connected to a secure VPN like TorGuard.
While Sparkle has already updated their application to protect against the security flaw, it is still up to the applications that utilize Sparkle to update their applications to the newest version of the Sparkle framework.
It’s worth noting that both the App store and TorGuard do not use the Sparkle framework. If you’re looking to protect yourself against vulnerabilities like this, update your version of sparkle. For the best solution, stay away from unsecured Wi-Fi and use encrypted Internet through TorGuard VPN.
