'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 9, 2016.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.

    Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.

    Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.


    A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.

    Apps downloaded through the Mac App Store are not affected, as OS X's built-in software update mechanism does not use Sparkle.

    Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.

    Article Link: 'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
     
  2. engram, Feb 9, 2016
    Last edited by a moderator: Feb 10, 2016

    engram macrumors newbie

    Joined:
    Nov 17, 2010
    #2
    This will give you a list of what is on your system.
    Code:
    find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
     
  3. jdillings macrumors 6502a

    Joined:
    Jun 21, 2015
    #3
    This is why the app store was a good thing
     
  4. jayducharme macrumors 68030

    jayducharme

    Joined:
    Jun 22, 2006
    Location:
    The thick of it
    #4
    I read about this earlier today. To me, this alert seemed a bit blown out of proportion. Many of the apps have already been patched, and many others don't seem to be affected. Plus (if I read it correctly), the attack involved downloading a dodgy file, clicking on a link and the attacker also needed to be on the same WiFi network as your computer.

    As a side note, I encountered my first piece of malware on my Mac. I have no idea how I got it, but Safari was frozen with a repeating string of pop-ups telling me I had malware installed. A quick call to Apple's tech support resolved it. But it caught me by surprise.
     
  5. flowsy macrumors regular

    flowsy

    Joined:
    Aug 16, 2009
    Location:
    Germany
    #5
    Thanks!

    It found: AppCleaner / HandBrake / TeamViewer / VLC
     
  6. Michaelgtrusa macrumors 603

    Michaelgtrusa

    Joined:
    Oct 13, 2008
    Location:
    Everywhere And Nowhere
  7. jclo Editor

    jclo

    Staff Member

    Joined:
    Dec 7, 2012
    Location:
    California
    #7
    Not all of these are going to be affected -- only those using a version of Sparkle prior to 1.13.1 have the potential to be vulnerable. And of those, some may be using an encrypted HTTP channel to receive updates from the server, meaning they're not affected.
     
  8. jblagden macrumors 6502a

    jblagden

    Joined:
    Aug 16, 2013
    #8
    Yeah! None of the apps from the app store are affected. Only apps from other sites are affected.
    20 apps on my system were affected and none of them were from the app store:
    • Boxer
    • cDock
    • Flux
    • GPG Keychain
    • Handbrake
    • Img2icns
    • Malwarebytes Anti-Malware
    • MediaInfo Mac
    • Neat
    • OpenEmu
    • Quicken 2015
    • Shrook
    • Spectacle
    • Subler
    • Toast 10 Titanium
    • Trim Enabler
    • Utilities
    • VLC
    • Wine
    • WineBottler
     
  9. pgiguere1 macrumors 68020

    pgiguere1

    Joined:
    May 28, 2009
    Location:
    Montreal, Canada
    #9
    Uh oh :oops:

     
  10. jetjaguar macrumors 68020

    jetjaguar

    Joined:
    Apr 6, 2009
    Location:
    somewhere
    #10
    I have Malwarebytes and OpenEmu ... What should I do now?
     
  11. furi0usbee macrumors 68000

    furi0usbee

    Joined:
    Jul 11, 2008
    #11
    Here are my affected apps:

    AppDelete
    Cocktail
    Coda 2
    Intaglio
    OpenEmu
    Transmit
     
  12. Binarymix macrumors 6502a

    Joined:
    Nov 1, 2007
    #12
    If you're worried about it, uncheck any options for automatic updating within each app's preferences, and when it pops up that there is an update, just cancel out of the dialog and download the app update manually from the developer's site, which hopefully patches this vulnerability.
     
  13. jblagden macrumors 6502a

    jblagden

    Joined:
    Aug 16, 2013
    #13
    Unfortunately, neither of those apps has updates right now. But when they do, you’ll have to open the program, click on the part of the File menu which has the name of the app and then click on “Check for updates”.
     
  14. b0rg macrumors member

    Joined:
    Oct 5, 2009
    #14
    RoyalTSX also uses Sparkle but was just updated today with the following release notes:

    New Features
    • Sparkle updater framework updated to version 1.13.1
    Bugfixes
    • Fixed some web links pointing to incorrect locations
     
  15. acegreen macrumors regular

    acegreen

    Joined:
    Jun 25, 2015
    #15
    Not sure if you are speaking of the same thing, but I have come across something like this when I was on http://projectfreetv.so

    Usually you trigger a burst of ad windows when you click somewhere like "play" and so on, which you have to close one by one.

    But when you are playing a video full screen, a CLEVER popup appears hidden with that audio string telling you that you have malware installed. It's clever because it blocks you from exiting full-screen mode and gives you the impression that they "froze your system resources to avoid loss of data", as they say in the string.

    To circumvent that, you need to move to one of your other virtual desktops and click the Safari icon in your dock. Basically you need to make that hidden popup come out; dismissing it will "unfreeze" Safari.
     
  16. You are the One macrumors 6502

    You are the One

    Joined:
    Dec 25, 2014
    Location:
    In the present
    #16
    As a principle, I haven't ventured out into the land of the internet for years without being on a VPN that anonymises my IP. That and an encrypted connection to a DNS provider I trust (not Google, lol).

    That is a basic safety precaution that nowadays seems almost necessary. EVERYONE wants your metadata and traffic information, and not for your benefit. So please consider it.
     
  17. KALLT, Feb 9, 2016
    Last edited: Feb 9, 2016

    KALLT macrumors 68040

    Joined:
    Sep 23, 2008
    #17
    @engram: This does not work if you have applications in sub-folders. Use this one instead, it also prints the Sparkle version (credit to an Ars commenter):
    Code:
    find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
    Anything below version 1.13.1 is potentially affected.


    Edit:

    Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
    Code:
    for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
     
  18. thisisnotmyname macrumors 6502a

    thisisnotmyname

    Joined:
    Oct 22, 2014
    Location:
    known but velocity indeterminate
    #18
    Quicken and Winclone show up in my search
     
  19. grad macrumors member

    Joined:
    Jun 2, 2014
    #19
    I am glad you edited your original post, as 1.13.1 only came out 5 days ago, so there are hundreds of applications that use the unpatched version. It's true that many just use HTTPS, but you can never be sure. Better reset these LittleSnitch rules...

    Someone might easily write a shell script that would print the app name and Sparkle version (I could do it later if I don't feel too lazy). I guess some old applications don't use the Sparkle.framework/Resources/Autoupdate.app but the version string can (?) also be taken from Sparkle.framework/Resources/.

    I wonder if it is possible to soft-link all our installed applications' Sparkle.frameworks to a single patched/current version that we store somewhere in our drive.

    Edit:
    Just saw KALLT's script. OK, someone should write a proper script that handles everything and prints info in single line (probably tab delimited).
     
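    Combining KALLT's two one-liners (Sparkle version and SUFeedURL) into the single tab-delimited audit script grad asks for, as an added example that is not code from anyone in the thread. It walks /Applications including sub-folders, reads each bundled Sparkle's CFBundleShortVersionString and the app's SUFeedURL, and flags only apps that are both below 1.13.1 and on a plain-HTTP feed; it assumes macOS `defaults` and the standard Sparkle plist keys, and the verdict labels and function names are mine.

```shell
#!/bin/sh
# Added audit script (not from the thread): one tab-delimited line per app
# under /Applications that embeds Sparkle: app, version, feed scheme, verdict.
# Assumes macOS `defaults` and the standard Sparkle plist keys.
FIXED_VERSION="1.13.1"   # first fixed release named in the thread

# version_lt A B -> exit 0 when dotted version A is strictly lower than B.
version_lt() {
    _a=$1. _b=$2.
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _a=${_a#*.}; _y=${_b%%.*}; _b=${_b#*.}
        _x=${_x%%[!0-9]*}; _y=${_y%%[!0-9]*}   # leading digits only ("13b2" -> "13")
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
    done
    return 1
}
# feed_scheme URL -> prints http, https, none (no SUFeedURL) or other.
feed_scheme() {
    case "$1" in
        https://*) echo https ;;
        http://*)  echo http ;;
        "")        echo none ;;
        *)         echo other ;;
    esac
}
# classify VERSION SCHEME -> only old Sparkle AND a plain-HTTP feed is exposed.
classify() {
    if [ "$1" = unknown ]; then echo check-manually
    elif version_lt "$1" "$FIXED_VERSION" && [ "$2" = http ]; then echo POTENTIALLY-VULNERABLE
    elif version_lt "$1" "$FIXED_VERSION"; then echo old-sparkle
    else echo patched
    fi
}
# audit_dir DIR -> report every *.app (any depth) that bundles Sparkle.framework.
audit_dir() {
    find "$1" -name '*.app' -prune -print 2>/dev/null | while IFS= read -r app; do
        plist=$(find "$app" -path '*Sparkle.framework*/Info.plist' 2>/dev/null | head -n 1)
        [ -n "$plist" ] || continue
        version=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null || echo unknown)
        scheme=$(feed_scheme "$(defaults read "$app/Contents/Info.plist" SUFeedURL 2>/dev/null)")
        printf '%s\t%s\t%s\t%s\n' "$(basename "$app" .app)" "$version" "$scheme" \
            "$(classify "$version" "$scheme")"
    done
}
if [ -d /Applications ]; then audit_dir /Applications; fi
```

    An "old-sparkle" verdict with an HTTPS feed still deserves a look, since as KALLT notes a developer may have compiled their own Sparkle, so the version string alone is only an indication.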
  20. C DM macrumors Nehalem

    Joined:
    Oct 17, 2011
    #20
    Interesting, it seems that VLC issued an update related to all of this, yet checking it all after the update seems to show that VLC is using version 1.6 and just HTTP.
     
  21. grad macrumors member

    Joined:
    Jun 2, 2014
    #21
    But older versions can also be patched (?). Maybe VideoLAN compiled their own version?
     
  22. KALLT macrumors 68040

    Joined:
    Sep 23, 2008
    #22
    Entirely possible. This is a huge mess. You’d probably have to check with each developer to see whether they fixed it. An HTTPS feed url is at least an indication that the vulnerability will not be effective and applications that do report a fairly recent version will likely not have compiled their own version of Sparkle.
     
  23. kazmac macrumors 68040

    kazmac

    Joined:
    Mar 24, 2010
    Location:
    Somewhere out there...
    #23
    The only affected app I had was Aimersoft DVD ripper. Thanks @engram for the Terminal code.
     
  24. pat500000 macrumors 68040

    pat500000

    Joined:
    Jun 3, 2015
    #24
    OS X isn't safe no more. Another day, another victim on news. It's 187 murder on Apps....RIP apps.
    (pours out little liquor on their apps.)
     
  25. C DM macrumors Nehalem

    Joined:
    Oct 17, 2011
    #25
    Not really an OS exploit, but an app/service exploit.
     
