'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability

MacRumors

macrumors bot

A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.

Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.

Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof-of-concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.


A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.

Apps downloaded through the Mac App Store are not affected, as OS X's built-in software update mechanism does not use Sparkle.

Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.

Article Link: 'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
 

jayducharme

I read about this earlier today. To me, this alert seemed a bit blown out of proportion. Many of the apps have already been patched, and many others don't seem to be affected. Plus (if I read it correctly), the attack involved downloading a dodgy file, clicking on a link and the attacker also needed to be on the same WiFi network as your computer.

As a side note, I encountered my first piece of malware on my Mac. I have no idea how I got it, but Safari was frozen with a repeating string of pop-ups telling me I had malware installed. A quick call to Apple's tech support resolved it. But it caught me by surprise.
 

jclo

This will give you a list of what is on your system.
Code:
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
Not all of these are going to be affected -- only those using a version of Sparkle prior to 1.13.1 have the potential to be vulnerable. And of those, some may be using an encrypted HTTP channel to receive updates from the server, meaning they're not affected.
 

jblagden

This is why the app store was a good thing
Yeah! None of the apps from the app store are affected. Only apps from other sites are affected.
20 apps on my system were affected and none of them were from the app store:
  • Boxer
  • cDock
  • Flux
  • GPG Keychain
  • Handbrake
  • Img2icns
  • Malwarebytes Anti-Malware
  • MediaInfo Mac
  • Neat
  • OpenEmu
  • Quicken 2015
  • Shrook
  • Spectacle
  • Subler
  • Toast 10 Titanium
  • Trim Enabler
  • Utilities
  • VLC
  • Wine
  • WineBottler
 

pgiguere1

Uh oh :oops:

Antidote 9
BlueHarvest
Chatology
ControlPlane
CrazyBump
DaisyDisk
Data Rescue 3
Disk Drill
DiskAid
Folx 3
gfxCardStatus
HandBrake
ImageOptim
MacDown
MacPaw Gemini
MPlayerX
SafariCacheExplorer
Scroll Reverser
Sequel Pro
Sketch
SoundCloud
SourceTree
StuffIt Expander
Sublime Text 2
TeamViewer
TogglDesktop
UnRarX
Utilities
uTorrent
VLC
WebKit
WebKit
WebKit
Winclone Pro
Winclone
 

jetjaguar

Yeah! None of the apps from the app store are affected. Only apps from other sites are affected.
20 apps on my system were affected and none of them were from the app store:
  • Boxer
  • cDock
  • Flux
  • GPG Keychain
  • Handbrake
  • Img2icns
  • Malwarebytes Anti-Malware
  • MediaInfo Mac
  • Neat
  • OpenEmu
  • Quicken 2015
  • Shrook
  • Spectacle
  • Subler
  • Toast 10 Titanium
  • Trim Enabler
  • Utilities
  • VLC
  • Wine
  • WineBottler
I have malware bytes and open emu ... What should I do now?
 

Binarymix

I have malware bytes and open emu ... What should I do now?
If you're worried about it, uncheck any options for automatic updating within each app's preferences, and when it pops up that there is an update, just cancel out of the dialog and download the app update manually from the developer's site, which hopefully patches this vulnerability.
 

jblagden

I have malware bytes and open emu ... What should I do now?
Unfortunately, neither of those apps has an update right now. But when they do, you'll have to open the program, click on the part of the menu bar which has the name of the app and then click on "Check for updates".
 

b0rg

RoyalTSX also uses Sparkle but was just updated today with the following release notes:

New Features
  • Sparkle updater framework updated to version 1.13.1
Bugfixes
  • Fixed some web links pointing to incorrect locations
 

acegreen

I read about this earlier today. To me, this alert seemed a bit blown out of proportion. Many of the apps have already been patched, and many others don't seem to be affected. Plus (if I read it correctly), the attack involved downloading a dodgy file, clicking on a link and the attacker also needed to be on the same WiFi network as your computer.

As a side note, I encountered my first piece of malware on my Mac. I have no idea how I got it, but Safari was frozen with a repeating string of pop-ups telling me I had malware installed. A quick call to Apple's tech support resolved it. But it caught me by surprise.
Not sure if you are speaking of the same thing, but I have come across something like this when I was on http://projectfreetv.so

Usually you trigger a burst of ad windows when you click somewhere like "play" and so on, which you have to close one by one.

But when you are playing a video full screen, a CLEVER popup appears hidden, with that audio string telling you that you have malware installed. It's clever because it blocks you from exiting full-screen mode and gives you the impression that they "froze your system resources to avoid loss of data", as they say in the string.

To circumvent that, you need to move to one of your other virtual desktops and click the Safari icon on your dock. Basically you need to make that hidden popup come out; dismissing it will "unfreeze" Safari.
 

KALLT

@engram: This does not work if you have applications in sub-folders. Use this one instead, it also prints the Sparkle version (credit to an Ars commenter):
Code:
find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
Anything below version 1.13.1 is potentially affected.


Edit:

Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
Code:
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
 

grad

Not all of these are going to be affected -- only those using a version of Sparkle prior to 1.13.1 have the potential to be vulnerable. And of those, some may be using an encrypted HTTP channel to receive updates from the server, meaning they're not affected.
I am glad you edited your original post, as 1.13.1 only came out 5 days ago, so there are hundreds of applications that use the unpatched version. It's true that many just use HTTPS, but you can never be sure. Better reset these Little Snitch rules...

Someone might easily write a shell script that would print the app name and Sparkle version (I could do it later if I don't feel too lazy). I guess some old applications don't use the Sparkle.framework/Resources/Autoupdate.app but the version string can (?) also be taken from Sparkle.framework/Resources/.

I wonder if it is possible to soft-link all our installed applications' Sparkle.frameworks to a single patched/current version that we store somewhere in our drive.

Edit:
Just saw KALLT's script. OK, someone should write a proper script that handles everything and prints info in single line (probably tab delimited).
 
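KALLT's two one-liners and grad's request for a single script that prints app name, Sparkle version and feed URL on one line come down to the same two checks, so here is an added example of that script in Python; it is not from the thread and not Sparkle's own tooling. It assumes the same plist keys the one-liners read (CFBundleShortVersionString in the framework's Info.plist, SUFeedURL in the app's Contents/Info.plist), walks sub-folders, skips the Autoupdate.app helper nested inside Sparkle.framework, and, like the one-liners, cannot tell whether a developer back-ported the fix into an older Sparkle build.

```python
import os
import plistlib

FIXED = (1, 13, 1)  # first Sparkle release the thread names as patched

def read_plist(path):
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except Exception:  # missing, unreadable or malformed plist: treat as having no keys
        return {}

def sparkle_version(app_dir):
    for root, _dirs, files in os.walk(app_dir):
        tail = root.partition("Sparkle.framework")[2]
        # skip Sparkle's nested Autoupdate.app helper: its Info.plist is not the framework's
        if "Sparkle.framework" not in root or ".app" in tail or "Info.plist" not in files:
            continue
        ver = read_plist(os.path.join(root, "Info.plist")).get("CFBundleShortVersionString")
        if ver:
            return str(ver)
    return None  # no Sparkle.framework bundled in this app

def assess(version, feed_url):
    # the thread's two tests: Sparkle older than 1.13.1, and an SUFeedURL that is not HTTPS
    if version is None:
        return "no-sparkle"
    nums = tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in version.split("."))
    if (nums + (0, 0, 0))[:3] >= FIXED:  # pad so "1.13" compares as 1.13.0
        return "patched"
    if (feed_url or "").lower().startswith("https:"):
        return "old-sparkle-https-feed"  # TLS on the feed blocks the MITM described
    return "potentially-vulnerable"  # HTTP feed, or no feed URL to judge by

def scan(root):
    # one (app, Sparkle version, feed URL, verdict) row per .app under root, sub-folders included
    rows = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in sorted(d for d in dirnames if d.endswith(".app")):
            app = os.path.join(dirpath, name)
            feed = read_plist(os.path.join(app, "Contents", "Info.plist")).get("SUFeedURL")
            ver = sparkle_version(app)
            rows.append((name[:-4], ver, feed, assess(ver, feed)))
        dirnames[:] = [d for d in dirnames if not d.endswith(".app")]  # don't descend into bundles
    return rows

if __name__ == "__main__":
    for row in scan("/Applications"):  # tab-delimited, one app per line
        print("\t".join("-" if v is None else str(v) for v in row))
```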

C DM

@engram: This does not work if you have applications in sub-folders. Use this one instead, it also prints the Sparkle version (credit to an Ars commenter):
Code:
find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
Anything below version 1.13.1 is potentially affected.


Edit:

Apparently, this one is even better, because it shows which applications actually connect via HTTP instead of HTTPS. This should narrow it down further:
Code:
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
Interesting, it seems that VLC issued an update related to all of this, yet checking it all after the update seems to show that VLC is using version 1.6 and just HTTP.
 

grad

Interesting, it seems that VLC issued an update related to all of this, yet checking it all after the update seems to show that VLC is using version 1.6 and just HTTP.
But older versions can also be patched (?). Maybe VideoLAN compiled their own version ?
 

KALLT

But older versions can also be patched (?). Maybe VideoLAN compiled their own version ?
Entirely possible. This is a huge mess. You'd probably have to check with each developer to see whether they fixed it. An HTTPS feed URL is at least an indication that the vulnerability will not be effective, and applications that do report a fairly recent version will likely not have compiled their own version of Sparkle.
 

pat500000

OS X isn't safe no more. Another day, another victim on news. It's 187 murder on Apps....RIP apps.
(pours out little liquor on their apps.)
 