A vulnerability has been discovered in an open-source framework that many developers use to provide update services for their Mac apps. That it exists at all is not good, but it hasn't been used in any real-world attacks "in the wild", and developers can update to prevent it, so it's something you should know about but nothing to go into red alert over, at least not yet.
Sparkle is an open source project that many OS X apps use to provide update functionality. Here's the official description:
Sparkle is an easy-to-use software update framework for Mac applications. It delivers updates using appcasting, a term used to refer to the practice of using RSS to distribute update information and release notes.
So, what's happening with Sparkle?
Starting in late January, an engineer who goes by the name "Radek" started discovering vulnerabilities in the way some developers had implemented Sparkle. According to Radek:
We have two different vulnerabilities here. The first one is connected with the default configuration (HTTP), which is unsafe and leads to RCE [Remote Code Execution] over a MITM [Man-in-the-Middle] attack inside an untrusted environment.
The second one is the risk of parsing file://, ftp:// and other protocols inside the WebView component.
In other words, some developers weren't using HTTPS for the update feed and the updates being sent to their apps. Sparkle periodically fetches an RSS "appcast" that describes the newest version, plus release notes that it renders in a WebView. Over plain HTTP, an attacker positioned between the app and the server can rewrite any of that in transit: attacker-controlled content ends up running inside the app's release-notes view, and the app can be pointed at a download of the attacker's choosing.
On any site, lack of HTTPS lets a person-in-the-middle read and manipulate traffic, and the usual worry is that sensitive information could be obtained. Because Sparkle's purpose is to update apps, the risk here is worse: an attacker could push malicious code as an update to a vulnerable app, and that code runs with the same privileges as the person using the app.
Does this affect Mac App Store apps?
No. The Mac App Store (MAS) uses its own update mechanism. Some apps, however, have versions both on and off the App Store, so while the MAS version is safe, the non-MAS version of the same app may not be.
Radek made sure to point out:
The mentioned vulnerability is not present in the updater built into OS X. It was present in the previous version of the Sparkle Updater framework, and it is not a part of Apple's Mac OS X.
Which apps are affected?
A list of apps that use Sparkle is available on GitHub. While a "huge" number of Sparkle apps are vulnerable, some of them are secure, because whether an app is exposed depends on how its developer configured the framework, not merely on whether it bundles Sparkle.
What can I do?
People who have a vulnerable app that uses Sparkle may want to disable automatic updates in the app, wait for a fixed version to become available, and then download and install it directly from the developer's website, over HTTPS.
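The two configuration problems Radek describes above (a plain-HTTP feed, and release notes rendered from an untrusted page) are both visible in an app's bundle and its appcast, so a user who wants to know whether an app on their Mac is exposed can check rather than guess. The script below is an added example, not code from Sparkle, Radek's write-up, or this article. It reads the `SUFeedURL` and update-signing key entries from an app's `Info.plist`, audits an appcast for non-HTTPS enclosure and release-notes links and unsigned enclosures, and can walk `/Applications` for apps that bundle `Sparkle.framework`. The plist and appcast it runs on are constructed for the demo; the app name and URLs in them are hypothetical. One caveat from Sparkle's own design, not stated in the article: Sparkle can verify a DSA signature on each download when the developer ships a public key, which limits what a network attacker can do even without HTTPS, so a missing key is flagged as a separate finding.

```python
"""Audit a Mac app's Sparkle update configuration for the plain-HTTP weakness.

Added example, not code from Sparkle or from the original write-up.
Checks Info.plist (SUFeedURL scheme, presence of SUPublicDSAKeyFile or the
newer SUPublicEDKey) and an appcast (https links, signed enclosures).
"""
import plistlib
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed Info.plist for a hypothetical app using the weak default: HTTP, no key.
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.vulnerableapp",
    "SUFeedURL": "http://updates.example.com/appcast.xml",
})

# Constructed hardened counterpart: HTTPS feed plus a DSA public key in the bundle.
SAMPLE_HARDENED_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.hardenedapp",
    "SUFeedURL": "https://updates.example.com/appcast.xml",
    "SUPublicDSAKeyFile": "dsa_pub.pem",
})

# Constructed appcast: item 2.0 is fetched over HTTP and unsigned; 2.1 is HTTPS and signed.
SAMPLE_APPCAST = """<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>Example App updates</title>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://updates.example.com/notes-2.0.html</sparkle:releaseNotesLink>
      <enclosure url="http://updates.example.com/ExampleApp-2.0.zip"
                 sparkle:version="2.0" type="application/octet-stream" />
    </item>
    <item>
      <title>Version 2.1</title>
      <sparkle:releaseNotesLink>https://updates.example.com/notes-2.1.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.com/ExampleApp-2.1.zip"
                 sparkle:version="2.1" sparkle:dsaSignature="placeholder-base64-signature"
                 type="application/octet-stream" />
    </item>
  </channel>
</rss>
"""


def audit_plist(plist_bytes):
    """Return findings for an app's Info.plist; an empty list means nothing was flagged."""
    info = plistlib.loads(plist_bytes)
    findings = []
    feed = info.get("SUFeedURL")
    if feed is None:
        return findings  # feed may be set in code or by a delegate; nothing to judge here
    scheme = urlparse(feed).scheme
    if scheme != "https":
        findings.append(f"SUFeedURL fetched over {scheme or 'unknown scheme'}: {feed}")
    if not info.get("SUPublicDSAKeyFile") and not info.get("SUPublicEDKey"):
        findings.append("no update-signing public key configured; downloads are not verified")
    return findings


def audit_appcast(xml_text):
    """Return findings per appcast item: non-HTTPS links and unsigned enclosures."""
    root = ET.fromstring(xml_text)
    findings = []
    for item in root.iter("item"):
        title = item.findtext("title", "untitled item")
        notes = item.findtext(f"{{{SPARKLE_NS}}}releaseNotesLink")
        if notes and urlparse(notes).scheme != "https":
            # Release notes are rendered in a WebView: whoever can rewrite this
            # page in transit controls content that runs inside the app.
            findings.append(f"{title}: release notes over {urlparse(notes).scheme}: {notes}")
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            scheme = urlparse(url).scheme
            if scheme != "https":
                findings.append(f"{title}: update archive over {scheme or 'unknown scheme'}: {url}")
            signed = enc.get(f"{{{SPARKLE_NS}}}dsaSignature") or enc.get(f"{{{SPARKLE_NS}}}edSignature")
            if not signed:
                findings.append(f"{title}: enclosure carries no signature")
    return findings


def scan_applications(root="/Applications"):
    """Audit every .app under root that bundles Sparkle.framework -> {app name: findings}."""
    results = {}
    for plist in Path(root).glob("*.app/Contents/Info.plist"):
        contents = plist.parent
        if not (contents / "Frameworks" / "Sparkle.framework").exists():
            continue  # app does not ship Sparkle; not in scope
        try:
            findings = audit_plist(plist.read_bytes())
        except Exception as exc:  # unreadable or malformed plist
            findings = [f"could not parse Info.plist: {exc}"]
        if findings:
            results[contents.parent.name] = findings
    return results


if __name__ == "__main__":
    for finding in audit_plist(SAMPLE_PLIST) + audit_appcast(SAMPLE_APPCAST):
        print(finding)
    for app, app_findings in scan_applications().items():
        print(app, app_findings)
```

Run it on a Mac and `scan_applications()` lists every Sparkle-bundling app whose feed is not HTTPS or that ships no signing key; to audit a real appcast, fetch the feed URL yourself (over HTTPS if the server offers it) and pass the body to `audit_appcast`. A clean result from the plist check alone is not proof of safety, since the feed can be set programmatically and the release-notes link lives in the appcast, not the bundle.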
Ars Technica, which has been following the story, also advises:
The challenge many app developers have in plugging the security hole, combined with the difficulty end users have in knowing which apps are vulnerable, makes this a vexing problem to solve. People who aren't sure if an app on their Mac is safe should consider avoiding unsecured Wi-Fi networks or using a virtual private network when doing so. Even then, it will still be possible to exploit vulnerable apps, but the attackers would have to be government spies or rogue telecom employees with access to a phone network or Internet backbone.
Ugh. Bottom-line me!
There's a risk that this vulnerability could be used to get malicious code onto your Mac, and that would be bad. But the probability of it happening to most people is low.
Now that it's public, developers using Sparkle should be sprinting to make sure they aren't affected, and if they are, to get fixed updates into customers' hands immediately.