'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability

[MacRumors]

A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.

Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.

Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.

Image via EvilSocket​

A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.

Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.

Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.

Article Link: 'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability

 

[engram]

This will give you a list of what is on your system.

find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

 

[jdillings]

This is why the app store was a good thing

 

[jayducharme]

I read about this earlier today. To me, this alert seemed a bit blown out of proportion. Many of the apps have already been patched, and many others don't seem to be affected. Plus (if I read it correctly), the attack involved downloading a dodgy file, clicking on a link and the attacker also needed to be on the same WiFi network as your computer.

As I side note, I encountered my first piece of malware on my Mac. I have no idea how I got it, but Safari was frozen with a repeating string of pop-ups telling me I had malware installed. A quick call to Apple's tech support resolved it. But it caught me by surprise.

 

[flowsy]

This will give you a list of what is on your system.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

Thanks!

it found: AppCleaner / HandBrake / TeamViewer / VLC

 

[Michaelgtrusa]

Nothing surprises me anymore.

 

[jclo]

This will give you a list of what is on your system.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

Not all of these are going to be affected -- only those using a version of Sparkle prior to 1.13.1 have the potential to be vulnerable. And of those, some may be using an encrypted HTTP channel to receive updates from the server, meaning they're not affected.

 

[jblagden]

This is why the app store was a good thing

Yeah! None of the apps from the app store are affected. Only apps from other sites are affected.
20 apps on my system were affected and none of them were from the app store:

• Boxer
• cDock
• Flux
• GPG Keychain
• Handbrake
• Img2icns
• Malwarebytes Anti-Malware
• MediaInfo Mac
• Neat
• OpenEmu
• Quicken 2015
• Shrook
• Spectacle
• Subler
• Toast 10 Titanium
• Trim Enabler
• Utilities
• VLC
• Wine
• WineBottler

 

[pgiguere1]

Uh oh

Antidote 9
BlueHarvest
Chatology
ControlPlane
CrazyBump
DaisyDisk
Data Rescue 3
Disk Drill
DiskAid
Folx 3
gfxCardStatus
HandBrake
ImageOptim
MacDown
MacPaw Gemini
MPlayerX
SafariCacheExplorer
Scroll Reverser
Sequel Pro
Sketch
SoundCloud
SourceTree
StuffIt Expander
Sublime Text 2
TeamViewer
TogglDesktop
UnRarX
Utilities
uTorrent
VLC
WebKit
WebKit
WebKit
Winclone Pro
Winclone

 

[jetjaguar]

Yeah! None of the apps from the app store are affected. Only apps from other sites are affected.
20 apps on my system were affected and none of them were from the app store:

• Boxer
• cDock
• Flux
• GPG Keychain
• Handbrake
• Img2icns
• Malwarebytes Anti-Malware
• MediaInfo Mac
• Neat
• OpenEmu
• Quicken 2015
• Shrook
• Spectacle
• Subler
• Toast 10 Titanium
• Trim Enabler
• Utilities
• VLC
• Wine
• WineBottler

I have malware bytes and open emu ... What should I do now?

 

[furi0usbee]

Here are my affected apps:

AppDelete
Cocktail
Coda 2
Intaglio
OpenEmu
Transmit

 

[Binarymix]

I have malware bytes and open emu ... What should I do now?

If you're worried about it, uncheck any options for automatic updating within each apps preferences, and when it pops up that there is an update just cancel out of the dialog and download the app update manually from the developers site, which hopefully patches this vulnerability.

 

[jblagden]

I have malware bytes and open emu ... What should I do now?

Unfortunately, neither of those apps have updates right now. But when they do, you’ll have to open the program, click on the part of the File menu which has the name of the app and then click on “Check for updates”.

 

[b0rg]

RoyalTSX also uses Sparkle but is just updated today with the following release notes:

New Features

• Sparkle updater framework updated to version 1.13.1

Bugfixes

• Fixed some web links pointing to incorrect locations

 

[acegreen]

I read about this earlier today. To me, this alert seemed a bit blown out of proportion. Many of the apps have already been patched, and many others don't seem to be affected. Plus (if I read it correctly), the attack involved downloading a dodgy file, clicking on a link and the attacker also needed to be on the same WiFi network as your computer.

As I side note, I encountered my first piece of malware on my Mac. I have no idea how I got it, but Safari was frozen with a repeating string of pop-ups telling me I had malware installed. A quick call to Apple's tech support resolved it. But it caught me by surprise.

Not sure if you are speaking of the same thing but I have come across something like this when on I was on http://projectfreetv.so

Usually you trigger a burst of ad windows when you click somewhere like "play" and so on, which you have to close one by one.

But when you are playing a video full screen, a CLEVER popup appears hidden with that audio string telling you that you have a malware installed. Its clever because it blocks you from exiting full mode and gives you the impression that they "froze your system resources to avoid loss of data" as they say in the string.

To circumvent that, you need to move to one of you other virtual desktops and click the safari icon on your dock. Basically you need to make that hidden popup come out, dismissing it will "unfreeze" safari.

 

[You are the One]

As a principle I haven't ventured out in the land of internet for years without being on a VPN that anonyomise my IP. That and an encrypted connection to a DNS provider I trust (not Google, lol).

That is a basic safety precaution that nowadays seems almost necessary. EVERYONE wants your metadata and traffic information, and not for your benefit. So please consider it.

 

[KALLT]

@engram: This does not work if you have applications in sub-folders. Use this one instead, it also prints the Sparkle version (credit to an Ars commenter):

find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

Anything below version 1.13.1 is potentially affected.


Edit:

Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:

for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done

 

[thisisnotmyname]

Quicken and Winclone show up in my search

 

[grad]

Not all of these are going to be affected -- only those using a version of Sparkle prior to 1.13.1 have the potential to be vulnerable. And of those, some may be using an encrypted HTTP channel to receive updates from the server, meaning they're not affected.

I am glad you edited your originally post, as the 1.13.1 only came 5 days ago, so there are hundreds of applications that use the unpatched version. It's true that many just use HTTPS but you can never be sure. Better reset these LittleSnitch rules...

Someone might easily write a shell script that would print the app name and Sparkle version (I could do it later if I don't feel too lazy). I guess some old applications don't use the Sparkle.framework/Resources/Autoupdate.app but the version string can (?) also be taken from Sparkle.framework/Resources/.

I wonder if it is possible to soft-link all our installed applications' Sparkle.frameworks to a single patched/current version that we store somewhere in our drive.

Edit:
Just saw KALLT's script. OK, someone should write a proper script that handles everything and prints info in single line (probably tab delimited).

 

[C DM]

@engram: This does not work if you have applications in sub-folders. Use this one instead, it also prints the Sparkle version (credit to an Ars commenter):

find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

Anything below version 1.13.1 is potentially affected.


Edit:

Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:

for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done

Interesting, it seems that VLC issued an update related to all of this, yet checking it all after the update seems to show that VLC is using version 1.6 and just HTTP.

 

[grad]

Interesting, it seems that VLC issued an update related to all of this, yet checking it all after the update seems to show that VLC is using version 1.6 and just HTTP.

But older versions can also be patched (?). Maybe VideoLAN compiled their own version ?

 

[KALLT]

But older versions can also be patched (?). Maybe VideoLAN compiled their own version ?

Entirely possible. This is a huge mess. You’d probably have to check with each developer to see whether they fixed it. An HTTPS feed url is at least an indication that the vulnerability will not be effective and applications that do report a fairly recent version will likely not have compiled their own version of Sparkle.

 

[kazmac]

The only affected app I had was Aimersoft DVD ripper. Thanks @engram for the Terminal code.

 

[pat500000]

OS X isn't safe no more. Another day, another victim on news. It's 187 murder on Apps....RIP apps.
(pours out little liquor on their apps.)

 

[C DM]

OS X isn't safe no more. Another day, another victim on news. It's 187 murder on Apps....RIP apps.
(pours out little liquor on their apps.)

Not really an OS exploit, but an app/service exploit.