Third-party update service Sparkle, combined with insecure network protocols and parsing, leaves some OS X apps open to person-in-the-middle exploits.

A vulnerability has been discovered in an open-source framework that many developers have been using to provide app update services for the Mac. That it exists at all is not good, but that it hasn't been used to perform any real world attacks "in the wild", and that developers can update to prevent it, means it's something you should know about but nothing you should go into red alert over, at least not yet.

What's Sparkle?

Sparkle is an open source project that many OS X apps rely on to provide update functionality. Here's the official description:

Sparkle is an easy-to-use software update framework for Mac applications. It delivers updates using appcasting, a term used to refer to the practice of using RSS to distribute update information and release notes.

So, what's happening with Sparkle?

Starting in late January, an engineer who goes by the name "Radek" started discovering vulnerabilities in the way some developers had implemented Sparkle. According to Radek:

We have two different vulnerabilities here. First one is connected with the default configuration (http) which is unsafe and leads to RCE [Remote Code Execution] over MITM [Man in the Middle] attack inside untrusted environment.

The second one is the risk of parsing file://, ftp:// and other protocols inside the WebView component.

In other words, some developers weren't using HTTPS to encrypt the updates being sent to their apps. That left the connection vulnerable to interception by an attacker who could slip in malware.

Lack of HTTPS also exposes people to the possibility of an attacker intercepting and manipulating web traffic. The usual risk is that sensitive information could be obtained. Because Sparkle's purpose is to update apps, the risk that the person-in-the-middle attack carries here is that an attacker could push malicious code as an update to a vulnerable app.

Does this affect Mac App Store apps?

No. The Mac App Store (MAS) uses its own update mechanism. Some apps, however, have versions both on and off the App Store. So, while the MAS version is safe, the non-MAS version may not be.

Radek made sure to point out:

Mentioned vulnerability is not present in the updater built into OS X. It was present in the previous version of the Sparkle Updater framework, and it's not a part of Apple Mac OS X.

Which apps are affected?

A list of apps that use Sparkle is available on GitHub, and while a "huge" number of Sparkle apps are vulnerable, some of them are secure.
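One way to check the apps on your own Mac, as an added example that is not part of the original article or of the Sparkle project's code: Sparkle reads the location of its appcast from the `SUFeedURL` key in an app's `Info.plist`, so a script can open each bundle under `/Applications`, see whether it ships `Sparkle.framework`, and flag any feed URL whose scheme is plain `http://`. The sample plist contents below are constructed for the demonstration; the bundle identifiers and `example.invalid` hostnames are not real apps.

```python
"""Audit macOS app bundles for Sparkle appcast feeds served over plain HTTP.

Added example, not Sparkle's own code. It reads each app's Info.plist,
looks for the SUFeedURL key Sparkle uses to locate its appcast, and reports
feeds that use http:// rather than https://.
"""
import plistlib
from pathlib import Path
from urllib.parse import urlparse

SPARKLE_FEED_KEY = "SUFeedURL"  # Info.plist key Sparkle reads for the appcast URL


def classify_feed_url(url):
    """Return 'https', 'http', 'other', or 'missing' for a feed URL string."""
    if not url:
        return "missing"
    scheme = urlparse(url).scheme.lower()
    if scheme in ("http", "https"):
        return scheme
    return "other"


def audit_plist(plist_bytes, has_sparkle_framework):
    """Classify one app from the raw bytes of its Info.plist (XML or binary).

    has_sparkle_framework: whether Contents/Frameworks/Sparkle.framework exists.
    Returns a dict with bundle id, feed URL, URL scheme, and a risk label.
    """
    info = plistlib.loads(plist_bytes)
    feed = info.get(SPARKLE_FEED_KEY)
    scheme = classify_feed_url(feed)
    if not has_sparkle_framework and scheme == "missing":
        risk = "not-sparkle"            # no framework, no feed key: out of scope
    elif scheme == "http":
        risk = "plain-http-feed"        # appcast can be altered in transit
    elif scheme == "https":
        risk = "https-feed"
    elif scheme == "missing":
        risk = "sparkle-no-feed-url"    # feed URL may be set in code; inspect by hand
    else:
        risk = "unusual-scheme"
    return {
        "bundle_id": info.get("CFBundleIdentifier", "?"),
        "feed_url": feed,
        "scheme": scheme,
        "risk": risk,
    }


def audit_app_bundle(app_dir):
    """Audit a real .app directory on disk; returns None if it has no Info.plist."""
    contents = Path(app_dir) / "Contents"
    info_path = contents / "Info.plist"
    if not info_path.is_file():
        return None
    has_sparkle = (contents / "Frameworks" / "Sparkle.framework").is_dir()
    return audit_plist(info_path.read_bytes(), has_sparkle)


def scan_applications(root="/Applications"):
    """Audit every .app directly under root; returns only the risky ones."""
    findings = []
    for app in sorted(Path(root).glob("*.app")):
        report = audit_app_bundle(app)
        if report and report["risk"] in ("plain-http-feed", "unusual-scheme"):
            findings.append((app.name, report))
    return findings


# Constructed sample Info.plist documents for demonstration (no real app's data).
def _sample_plist(bundle_id, feed_url=None):
    data = {"CFBundleIdentifier": bundle_id}
    if feed_url is not None:
        data[SPARKLE_FEED_KEY] = feed_url
    return plistlib.dumps(data)


SAMPLE_HTTP = _sample_plist("com.example.insecure", "http://updates.example.invalid/appcast.xml")
SAMPLE_HTTPS = _sample_plist("com.example.secure", "https://updates.example.invalid/appcast.xml")
SAMPLE_NO_SPARKLE = _sample_plist("com.example.plain")

if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_HTTPS):
        print(audit_plist(sample, True))
    print(audit_plist(SAMPLE_NO_SPARKLE, False))
    for name, report in scan_applications():
        print(name, report["risk"], report["feed_url"])
```

Run it on a Mac with `python3 sparkle_audit.py`; apps whose feed is fetched over plain HTTP are listed last. Two caveats: an app can set its feed URL from code rather than the plist (reported here as `sparkle-no-feed-url`, which needs a manual look), and an HTTPS feed only addresses the transport issue, not the separate WebView parsing problem described above, so an app that passes this check still needs the developer's fixed build.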

What can I do?

People who have a vulnerable app that uses Sparkle may want to disable automatic updates in the app, and wait for an update with a fix to be available, then install directly from the developer's website.

Ars Technica, which has been following the story, also advises:

The challenge many app developers have in plugging the security hole, combined with the difficulty end users have in knowing which apps are vulnerable, makes this a vexing problem to solve. People who aren't sure if an app on their Mac is safe should consider avoiding unsecured Wi-Fi networks or using a virtual private network when doing so. Even then, it will still be possible to exploit vulnerable apps, but the attackers would have to be government spies or rogue telecom employees with access to a phone network or Internet backbone.

Ugh. Bottom-line me!

There's a risk that this vulnerability could be used to get malicious code onto your Mac, and that would be bad. But the probability of it happening to most people is low.

Now that it's public, developers using Sparkle should be sprinting to make sure they aren't affected, and if they are, to get updates into customers' hands immediately.