Sparkle updater vulnerability: What you need to know!
A vulnerability has been discovered in an open-source framework that many developers have been using to provide app update services for the Mac. That it exists at all is not good, but that it hasn't been used to perform any real world attacks "in the wild", and that developers can update to prevent it, means it's something you should know about but nothing you should go into red alert over, at least not yet.
Sparkle is an open source project that many OS X apps turn to provide update functionality. Here's the official description:
So, what's happening with Sparkle?
Starting in late January, an engineer who goes by the name "Radek" started discovering vulnerabilities in the way some developers had implemented Sparkle. According to Radek:
In other words, some developers weren't using HTTPS to encrypt the updates being sent to their apps. That left the connection vulnerable to interception by an attacker who could slip in malware.
Lack of HTTPS also exposes people to the possibility of an attacker intercepting and manipulating web traffic. The usual risk is that sensitive information could be obtained. Because Sparkle's purpose is to update apps, the risk that the person-in-the-middle attack carries here is that an attacker could push malicious code as an update to a vulnerable app.
Does this affect Mac App Store apps?
No. Mac App Store (MAS) uses its own update functionality. Some apps, however, have versions on and off the App Store. So, while the MAS version is safe, the non-MAS version may not be.
Radek made sure to point out:
Which apps are affected?
A list of apps that use Sparkle is available on GitHub, and while a "huge" number of Sparkle apps are vulnerable, some of them are secure.
What can I do?
People who have a vulnerable app that uses Sparkle may want to disable automatic updates in the app, and wait for an update with a fix to be available, then install directly from the developer's website.
Ars Technica, which has been following the story, also advises:
Ugh. Bottom-line me!
There's a risk that this vulnerability could be used to get malicious code onto your Mac, and that would be bad. But the probability of it happening to most people is low.
Now that it's public, developers using Sparkle should be sprinting to make sure they aren't affected, and if they are, to get updates into customers hands immediately.
Get more iMore in your inbox!
Our news, reviews, opinions, and easy to follow guides can turn any iPhone owner into an Apple aficionado