Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
- Thread starter MacRumors
- Start date
- Sort by reaction score
Trim Enabler has now been updated (3.4.3) with a fix. Make sure to update using a secure/trusted internet connection, or redownload from https://www.cindori.org/software/trimenabler/
So according to this article, it's a flaw in OS X, not Sparkle directly? But if you have Firefox on your machine and have run it at least once, you are safe?
-Kevin
This does not work. Apparently they don’t have a beta release at the moment. They just have the stable release and the developer nightly builds. You should download them here: https://build.transmissionbt.com/job/trunk-mac/.
No, that is not true and it follows from the article also. When Firefox is installed, then the FTP protocol will be handled with Firefox instead of Finder. However, other protocols can be used too, so this is not a fix.
The problem is that Sparkle has a web view in one of its panels that is used to show patch notes and changes. The content of that web view can come from a remote URL that is specified in the feed URL. When that remote URL is changed into something else other than a static web page, like an FTP address, then this can be exploited due to a bug in the web view (which is a WebKit component) and Finder (because it is the default FTP/AFP/SMB handler). An exploit could load a program or script via one of these protocols that is then executed.
Last edited:
Well we could be talking about different things but your scenario sounded awfully close to what I noticed on that website I use. And that is just a gimmick taking advantage of Safaris popup handling and cleverly disguising itself.
This is what I get when I run the code suggested by KALLT
http://www.fremacsoft.net/appcleaner/Updatrs.xml
http://audirvana.com/delivery/audirvanaplus_appcast.xml
http://update.videolan.org/vlc/sparkle/vic-intel64.xml
I'v already updated VLC so hopefully no more issues (you'd think). Just to understand, if I disable auto update and update via the website this would avoid the problem??
http://www.fremacsoft.net/appcleaner/Updatrs.xml
http://audirvana.com/delivery/audirvanaplus_appcast.xml
http://update.videolan.org/vlc/sparkle/vic-intel64.xml
I'v already updated VLC so hopefully no more issues (you'd think). Just to understand, if I disable auto update and update via the website this would avoid the problem??
Mac app isn't part of iOS and OS X ?
[doublepost=1455128020][/doublepost]
Yeah back in sl says... But now it appears OS X is the new disabled kid. And yeah it's not vulnerable to OS X itself but Mac app is part of OS x
A Mac app isn't part of iOS.Mac app isn't part of iOS and OS X ?
[doublepost=1455128020][/doublepost]
Yeah back in sl says... But now it appears OS X is the new disabled kid. And yeah it's not vulnerable to OS X itself but Mac app is part of OS x
If anyone used it when it worked, Carrier Editor shows up in my search.
http://uhelios.com/downloads
![carrier-editor-1.jpg]( "carrier-editor-1.jpg")
http://uhelios.com/downloads
![]()
A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.
Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.
Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof of concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.
A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.
Apps downloaded through the Mac App Store are not affected as OS X's built in software update mechanism does not use Sparkle.
Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
Article Link: 'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
Here is what you need to know what to do http://blog.devmate.com/post/139057591966/sparkle-vulnerability-issue-whos-in-danger-and
A VPN is fine (unless you do not trust the service). The problem of this vulnerability is that a ‘man in the middle’ could get between your computer and the developer’s server and insert a fake feed that causes Sparkle to download something else, potentially malware. This is a risk with HTTP is general and HTTPS mitigates this because your system will not accept a connection if something is wrong with the HTTPS, e.g. if it has been tampered with by a man in the middle. Likewise, a VPN creates an encrypted connection between your device and your VPN provider and every connection, HTTP or HTTPS or otherwise, will be protected from man-in-the-middle attacks.
Realistically speaking, this vulnerability is really only an issue if you do not trust your Internet connection. For instance, if you do not control the router or access point, e.g. public Wi-Fi or an Internet cafe. At home, this is typically not an issue. A VPN is something you should use anyway when you are using someone else’s Internet connection.
That's good to know. I run my own Pritunl VPN 24/7 on a Linode VPS. I was just worried about the connection from my Linode to the update server, which I have no control over. Sounds like that might still be a problem, but I'm one step ahead just using a VPN.
It is believed that your OS platform is secure, yet here's is another example of how third party soft puts your computer in a risk. This is developers' responsibility to assure their app security. I really like DevMate's vision of the situation, simple things like implemented HTTPS protocol and updating Sparkle to the latest fixed version do matter.
Because if your software is free, as is the case with most of those apps, having to pay for the privilege of being on the Mac App Store is beyond ridiculous, when you can host it yourself on GitHub, or your own website or in a million other places.
And GitHub uses HTTPS for updates, so it’s as safe, or nearly as safe, as the Mac App Store.
![]()
Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
Article Link: 'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability
Hi there!
TechSmith, the developers for Camtasia for Mac and Snagit for Mac, two of the many applications that had been affected by the Sparkle MITM vulnerability released an update on Tuesday, March 8th to both Camtasia and Snagit that addresses this vulnerability. For those that are running Camtasia or Snagit, to receive the update simply open the application and go to the Snagit or Camtasia menu and choose "Check for Updates" and it will begin the update process. For those that want to update manually, you can head to this link and select the appropriate application to receive the latest version.
Robert R.
Technical Support Specialist
TechSmith Corporation