A new vulnerability in Sparkle has put a “huge” number of Mac applications at risk for hijacking. For those unfamiliar, Sparkle is a tool used often by third-party apps that are not in the App Store to allow updates to be pushed to users. Apps susceptible to this hijacking hack include Camtasia, uTorrent, DuetDisplay, and Sketch. The attack applies to both OS X Yosemite and El Capitan (via Ars Technica).
- Yes, that's how you're supposed to include all framework headers, and the headers inside that framework have #include Framework/otherheader.h in them, so it HAS to be done this way. For frameworks residing in /Library/Frameworks it seems to work automagically, but anywhere else it's a problem.
- HWMonitor is a straightforward and useful system utility that brings to OS X’s status bar all the information regarding your Mac’s hardware components’ temperatures, fan speeds, power consumption, and CPU voltage. Read how to install HWsensor kext to read more Mac sensors.
The Sparkle vulnerability could allow for an attacker to take control of another computer on the network via a Man In The Middle attack, security researcher Radek points out on his blog. A Man In The Middle attack works when a third party intercepts traffic between a user and another server and then captures and modifies that traffic from the user.
![For For](/uploads/1/2/6/5/126526889/114445498.png)
Sparkle is open source software available under the permissive MIT license, and is developed on GitHub by the Sparkle Project with the help of dozens of valued contributors. Modern Sparkle is kept up to date with the latest Apple technologies: it uses ARC and Auto Layout and supports macOS versions 10.7 through 10.15.
Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker take control of another computer on the same network (via MITM).
The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response).
Essentially, the vulnerability exists because the Sparkle Updater framework connects over HTTP versus HTTPS. It’s important to note, however, that Sparkle has already updated its framework to close the vulnerability, but it is up to the apps that implement the Sparkle Updater framework to update their apps with the newest version of the framework. Many app developers are doing this as we speak, including popular media playback software VLC, which was updated earlier this week to implement the newest Sparkle Updater framework.
It’s important to note that the updater mechanism used within OS X does not use the Sparkle Updater, making it unsusceptible to this Man In The Middle attack. Issues like this vulnerability certainly make a compelling argument for developers to move more towards the Mac App Store, but both growth and use of it has been relatively stagnant.
There’s much more in Raedek’s full breakdown of the Sparkle Updater vulnerability on his blog.
Image via EvilSocket
Sparkle Framework For Mac Os X High Sierra Download
FTC: We use income earning auto affiliate links.More.
A vulnerability has been discovered in an open-source framework that many developers have been using to provide app update services for the Mac. That it exists at all is not good, but that it hasn't been used to perform any real world attacks 'in the wild', and that developers can update to prevent it, means it's something you should know about but nothing you should go into red alert over, at least not yet.
What's Sparkle?
Sparkle is an open source project that many OS X apps turn to provide update functionality. Here's the official description:
Sparkle is an easy-to-use software update framework for Mac applications. It delivers updates using appcasting, a term used to refer to the practice of using RSS to distribute update information and release notes.
So, what's happening with Sparkle?
Starting in late January, an engineer who goes by the name 'Radek' started discovering vulnerabilities in the way some developers had implemented Sparkle. According to Radek:
We have two different vulnerabilities here. First one is connected with the default configuration (http) which is unsafe and leads to RCE [Remote Code Execution] over MITM [Man in the Middle] attack inside untrusted environment.
The second one is the risk of parsing file://, ftp:// and other protocols inside the WebView component.
In other words, some developers weren't using HTTPS to encrypt the updates being sent to their apps. That left the connection vulnerable to interception by an attacker who could slip in malware.
Lack of HTTPS also exposes people to the possibility of an attacker intercepting and manipulating web traffic. The usual risk is that sensitive information could be obtained. Because Sparkle's purpose is to update apps, the risk that the person-in-the-middle attack carries here is that an attacker could push malicious code as an update to a vulnerable app.
Does this affect Mac App Store apps?
No. Mac App Store (MAS) uses its own update functionality. Some apps, however, have versions on and off the App Store. So, while the MAS version is safe, the non-MAS version may not be.
Radek made sure to point out:
Mentioned vulnerability is not present in the updater built into OS X. It was present in the previous version of the Sparkle Updater framework, and it's not a part of Apple Mac OS X.
Which apps are affected?
A list of apps that use Sparkle is available on GitHub, and while a 'huge' number of Sparkle apps are vulnerable, some of them are secure.
What can I do?
![Sparkle Framework For Mac Os X Sparkle Framework For Mac Os X](/uploads/1/2/6/5/126526889/656747309.jpg)
People who have a vulnerable app that uses Sparkle may want to disable automatic updates in the app, and wait for an update with a fix to be available, then install directly from the developer's website.
Ars Technica, which has been following the story, also advises:
The challenge many app developers have in plugging the security hole, combined with the difficulty end users have in knowing which apps are vulnerable, makes this a vexing problem to solve. People who aren't sure if an app on their Mac is safe should consider avoiding unsecured Wi-Fi networks or using a virtual private network when doing so. Even then, it will still be possible to exploit vulnerable apps, but the attackers would have to be government spies or rogue telecom employees with access to a phone network or Internet backbone.
Ugh. Bottom-line me!
There's a risk that this vulnerability could be used to get malicious code onto your Mac, and that would be bad. But the probability of it happening to most people is low.
Now that it's public, developers using Sparkle should be sprinting to make sure they aren't affected, and if they are, to get updates into customers hands immediately.
Sparkle Framework For Mac Os X 10 11 Download Free
We may earn a commission for purchases using our links. Learn more.
A more musical homeSparkle Framework For Mac Os X 10 13 Download
Apple's new 'Behind the Mac' vid shows James Blake making music at home
Sparkle Framework For Mac Os X 10 11
Apple's latest 'Behind the Mac' video shows James Blake making music even though he's been stuck in his home studio because of 2020.