'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 9, 2016.

  1. MacRumors macrumors bot


    Apr 12, 2001

    A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.

    Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.

    Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.


    A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.

    Apps downloaded through the Mac App Store are not affected as OS X's built-in software update mechanism does not use Sparkle.

    Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.

    Article Link: 'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
  2. engram, Feb 9, 2016
    Last edited by a moderator: Feb 10, 2016

    engram macrumors newbie

    Nov 17, 2010
    This will give you a list of what is on your system.
    find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
  3. jdillings macrumors 68000

    Jun 21, 2015
    This is why the app store was a good thing
  4. jayducharme macrumors 68040


    Jun 22, 2006
    The thick of it
    I read about this earlier today. To me, this alert seemed a bit blown out of proportion. Many of the apps have already been patched, and many others don't seem to be affected. Plus (if I read it correctly), the attack involved downloading a dodgy file, clicking on a link and the attacker also needed to be on the same WiFi network as your computer.

    As a side note, I encountered my first piece of malware on my Mac. I have no idea how I got it, but Safari was frozen with a repeating string of pop-ups telling me I had malware installed. A quick call to Apple's tech support resolved it. But it caught me by surprise.
  5. flowsy macrumors 6502


    Aug 16, 2009

    it found: AppCleaner / HandBrake / TeamViewer / VLC
  6. Michaelgtrusa macrumors 604

    Oct 13, 2008
  7. jclo Editor


    Staff Member

    Dec 7, 2012
    Not all of these are going to be affected -- only those using a version of Sparkle prior to 1.13.1 have the potential to be vulnerable. And of those, some may be using an encrypted HTTP channel to receive updates from the server, meaning they're not affected.
  8. jblagden macrumors 65816


    Aug 16, 2013
    Yeah! None of the apps from the app store are affected. Only apps from other sites are affected.
    20 apps on my system were affected and none of them were from the app store:
    • Boxer
    • cDock
    • Flux
    • GPG Keychain
    • Handbrake
    • Img2icns
    • Malwarebytes Anti-Malware
    • MediaInfo Mac
    • Neat
    • OpenEmu
    • Quicken 2015
    • Shrook
    • Spectacle
    • Subler
    • Toast 10 Titanium
    • Trim Enabler
    • Utilities
    • VLC
    • Wine
    • WineBottler
  9. pgiguere1 macrumors 68020


    May 28, 2009
    Montreal, Canada
    Uh oh :oops:

  10. jetjaguar macrumors 68030


    Apr 6, 2009
    I have Malwarebytes and OpenEmu ... What should I do now?
  11. furi0usbee macrumors 68000


    Jul 11, 2008
    Here are my affected apps:

    Coda 2
  12. Binarymix macrumors 65816

    Nov 1, 2007
    If you're worried about it, uncheck any options for automatic updating within each app's preferences, and when it pops up that there is an update just cancel out of the dialog and download the app update manually from the developer's site, which hopefully patches this vulnerability.
  13. jblagden macrumors 65816


    Aug 16, 2013
    Unfortunately, neither of those apps have updates right now. But when they do, you’ll have to open the program, click on the part of the File menu which has the name of the app and then click on “Check for updates”.
  14. b0rg macrumors member

    Oct 5, 2009
    RoyalTSX also uses Sparkle but was just updated today with the following release notes:

    New Features
    • Sparkle updater framework updated to version 1.13.1
    • Fixed some web links pointing to incorrect locations
  15. acegreen macrumors regular


    Jun 25, 2015
    Not sure if you are speaking of the same thing but I have come across something like this when I was on http://projectfreetv.so

    Usually you trigger a burst of ad windows when you click somewhere like "play" and so on, which you have to close one by one.

    But when you are playing a video full screen, a CLEVER popup appears hidden with that audio string telling you that you have malware installed. It's clever because it blocks you from exiting full mode and gives you the impression that they "froze your system resources to avoid loss of data" as they say in the string.

    To circumvent that, you need to move to one of your other virtual desktops and click the Safari icon on your dock. Basically you need to make that hidden popup come out; dismissing it will "unfreeze" Safari.
  16. You are the One macrumors 6502a

    You are the One

    Dec 25, 2014
    In the present
    As a principle I haven't ventured out in the land of internet for years without being on a VPN that anonymises my IP. That and an encrypted connection to a DNS provider I trust (not Google, lol).

    That is a basic safety precaution that nowadays seems almost necessary. EVERYONE wants your metadata and traffic information, and not for your benefit. So please consider it.
  17. KALLT, Feb 9, 2016
    Last edited: Feb 9, 2016

    KALLT macrumors 601

    Sep 23, 2008
    @engram: This does not work if you have applications in sub-folders. Use this one instead, it also prints the Sparkle version (credit to an Ars commenter):
    find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
    Anything below version 1.13.1 is potentially affected.


    Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
    for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
  18. thisisnotmyname macrumors 68000


    Oct 22, 2014
    known but velocity indeterminate
    Quicken and Winclone show up in my search
  19. grad macrumors regular

    Jun 2, 2014
    I am glad you edited your original post, as 1.13.1 only came out 5 days ago, so there are hundreds of applications that use the unpatched version. It's true that many just use HTTPS but you can never be sure. Better reset these LittleSnitch rules...

    Someone might easily write a shell script that would print the app name and Sparkle version (I could do it later if I don't feel too lazy). I guess some old applications don't use the Sparkle.framework/Resources/Autoupdate.app but the version string can (?) also be taken from Sparkle.framework/Resources/.

    I wonder if it is possible to soft-link all our installed applications' Sparkle.frameworks to a single patched/current version that we store somewhere in our drive.

    Just saw KALLT's script. OK, someone should write a proper script that handles everything and prints info in single line (probably tab delimited).
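    A combined version of the two checks in KALLT's post and the single-line, tab-delimited report grad asks for, added here as an example (not a script posted in the thread): it walks sub-folders, reads each bundled Sparkle.framework's CFBundleShortVersionString and the app's SUFeedURL, compares the version against 1.13.1, and flags plain-HTTP feeds. It reads plists with plutil where available and otherwise parses the XML directly; the fake app bundles, names and example.com URLs in the fixture are constructed so the script can be exercised offline.

```shell
#!/bin/sh
# Sparkle audit: constructed example for this thread, not a script posted in it.
# Walks an application folder (sub-folders included), finds every bundled
# Sparkle.framework, and prints one tab-separated line per app:
#   app name, Sparkle version, SUFeedURL (or "-"), verdict.
# Plists are read with plutil when present (macOS, handles binary plists) and
# parsed as plain XML otherwise, so the fixture below also runs on Linux.

FIXED_VERSION="1.13.1"   # first Sparkle release with the fix, per the thread

# plist_string KEY FILE -> value of the <string> stored under KEY, or empty
plist_string() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$2" 2>/dev/null
    else
        cat "$2" 2>/dev/null
    fi | tr -d '\n' | sed -n "s/.*<key>$1<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p"
}

# version_lt A B -> exit 0 when dotted version A sorts before B (1.6 < 1.13.1)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# classify SPARKLE_VERSION FEED_URL -> one-word verdict
#   AT-RISK       old Sparkle and a plaintext http:// feed: the reported attack applies
#   CHECK-HTTPS   old Sparkle but an https:// feed: likely safe, confirm with the developer
#   CHECK-NOFEED  old Sparkle and no SUFeedURL in Info.plist (feed set in code, cannot tell)
#   OK            Sparkle 1.13.1 or newer
classify() {
    if version_lt "$1" "$FIXED_VERSION"; then
        case "$2" in
            http://*)  echo "AT-RISK" ;;
            https://*) echo "CHECK-HTTPS" ;;
            *)         echo "CHECK-NOFEED" ;;
        esac
    else
        echo "OK"
    fi
}

# audit_sparkle ROOT -> tab-separated report, one line per app bundling Sparkle
audit_sparkle() {
    find "$1" -path '*/Sparkle.framework/Versions/*/Resources/Info.plist' -print | sort |
    while IFS= read -r fw_plist; do
        case "$fw_plist" in *.app/*) ;; *) continue ;; esac   # skip frameworks outside a bundle
        app="${fw_plist%%.app/*}.app"                          # outermost .app containing it
        name="${app##*/}"; name="${name%.app}"
        ver=$(plist_string CFBundleShortVersionString "$fw_plist")
        feed=$(plist_string SUFeedURL "$app/Contents/Info.plist")
        if [ -n "$ver" ]; then verdict=$(classify "$ver" "$feed"); else verdict="UNKNOWN-VERSION"; fi
        printf '%s\t%s\t%s\t%s\n' "$name" "${ver:--}" "${feed:--}" "$verdict"
    done
}

# --- constructed fixture: fake bundles with made-up names and example.com URLs ---

# write_plist FILE KEY VALUE [KEY VALUE ...] -> minimal XML plist
write_plist() {
    f="$1"; shift
    mkdir -p "$(dirname "$f")"
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
        while [ $# -ge 2 ]; do printf '\t<key>%s</key>\n\t<string>%s</string>\n' "$1" "$2"; shift 2; done
        printf '</dict>\n</plist>\n'
    } > "$f"
}

# make_fixture ROOT -> four fake apps: old Sparkle over HTTP, old Sparkle over HTTPS,
# patched Sparkle in a sub-folder, and one app without Sparkle at all
make_fixture() {
    sp="Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Info.plist"
    write_plist "$1/DemoPlayer.app/Contents/Info.plist" CFBundleName DemoPlayer SUFeedURL "http://updates.example.com/player.xml"
    write_plist "$1/DemoPlayer.app/$sp" CFBundleShortVersionString "1.6"
    write_plist "$1/DemoEditor.app/Contents/Info.plist" CFBundleName DemoEditor SUFeedURL "https://updates.example.com/editor.xml"
    write_plist "$1/DemoEditor.app/$sp" CFBundleShortVersionString "1.10.0"
    write_plist "$1/Utilities/DemoTool.app/Contents/Info.plist" CFBundleName DemoTool SUFeedURL "https://updates.example.com/tool.xml"
    write_plist "$1/Utilities/DemoTool.app/$sp" CFBundleShortVersionString "1.13.1"
    write_plist "$1/NoSparkle.app/Contents/Info.plist" CFBundleName NoSparkle
}

# Stand-alone run against a throwaway fixture; on a Mac, call audit_sparkle /Applications instead
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d); make_fixture "$root"; audit_sparkle "$root"; rm -rf "$root"
fi
```

    Two caveats the report cannot resolve on its own: an app that ships its own patched build of an older Sparkle (as C DM's VLC observation below suggests) will still show up as AT-RISK or CHECK, and an app that sets its feed URL in code rather than in Info.plist shows as CHECK-NOFEED. Both are cases for confirming with the developer, as KALLT says.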
  20. C DM macrumors Sandy Bridge

    Oct 17, 2011
    Interesting, it seems that VLC issued an update related to all of this, yet checking it all after the update seems to show that VLC is using version 1.6 and just HTTP.
  21. grad macrumors regular

    Jun 2, 2014
    But older versions can also be patched (?). Maybe VideoLAN compiled their own version?
  22. KALLT macrumors 601

    Sep 23, 2008
    Entirely possible. This is a huge mess. You’d probably have to check with each developer to see whether they fixed it. An HTTPS feed URL is at least an indication that the vulnerability will not be effective, and applications that do report a fairly recent version will likely not have compiled their own version of Sparkle.
  23. kazmac macrumors 604


    Mar 24, 2010
    On the silver scream
    The only affected app I had was Aimersoft DVD ripper. Thanks @engram for the Terminal code.
  24. pat500000 Suspended


    Jun 3, 2015
    OS X isn't safe no more. Another day, another victim on news. It's 187 murder on Apps....RIP apps.
    (pours out little liquor on their apps.)
  25. C DM macrumors Sandy Bridge

    Oct 17, 2011
    Not really an OS exploit, but an app/service exploit.
