- An outdated and vulnerable version of the Sparkle updater framework.
- An unencrypted HTTP channel to receive info from update servers.
What's the Issue?
Video Proof-of-Concept Attack
Another less severe bug in Sparkle has also been discovered by Radek that could be exploited against poorly configured update servers, potentially allowing an attacker to replace an update file with a malicious one.
Among the affected apps are uTorrent (version 1.8.7), Camtasia 2 (version 2.10.4), Sketch (version 3.5.1), and DuetDisplay (version 18.104.22.168).
Check if You're Affected
Check this list of apps that use the Sparkle Updater framework. If you have any of these apps installed on your Apple Mac, you could be at risk of being hacked.
Note: Not all of the listed apps communicate over unencrypted HTTP channels or use an outdated version of the framework.
How to Protect Yourself against the Issues?
- Download the latest version of Sparkle Updater
- Check that the latest version of Sparkle is compatible with their app
- Create test cases, verify the update, and run other checks
- Address this security issue and publish a new version of their app
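Both the "Check if You're Affected" section and the developer steps above come down to two questions about an app bundle: is the Sparkle update feed fetched over plain HTTP, and is the bundled Sparkle framework older than a release you consider fixed? The following Python script is an added example, not code from the article or from the Sparkle project. It uses Sparkle's real `SUFeedURL` Info.plist key and Apple's `CFBundleShortVersionString` key; the two sample plists and the `example.invalid` host are constructed for the demonstration, and the bundle paths in `scan_app_bundle` are an assumption about the usual Sparkle layout. The minimum safe Sparkle version is passed in by the caller rather than hard-coded.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample Info.plist contents (not taken from any real app).
# The weak setting: the appcast is served over unencrypted HTTP.
INSECURE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key><string>ExampleApp</string>
    <key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
</dict>
</plist>
"""

# The corrected setting: same feed, served over HTTPS.
FIXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key><string>ExampleApp</string>
    <key>SUFeedURL</key><string>https://updates.example.invalid/appcast.xml</string>
</dict>
</plist>
"""


def feed_url(info_plist_bytes):
    """Return the Sparkle appcast URL (SUFeedURL) from an Info.plist, or None."""
    info = plistlib.loads(info_plist_bytes)
    return info.get("SUFeedURL")


def assess_feed(url):
    """Classify the feed URL as 'missing', 'encrypted' (https) or 'unencrypted'."""
    if not url:
        return "missing"
    scheme = urlparse(url).scheme.lower()
    return "encrypted" if scheme == "https" else "unencrypted"


def parse_version(version):
    """Turn a dotted version string such as '1.13.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def assess_app(info_plist_bytes, sparkle_version, min_safe_version):
    """Return a list of findings for one app; an empty list means nothing flagged."""
    findings = []
    url = feed_url(info_plist_bytes)
    status = assess_feed(url)
    if status == "unencrypted":
        findings.append("update feed fetched over unencrypted HTTP: %s" % url)
    elif status == "missing":
        findings.append("no SUFeedURL in Info.plist (app may not use Sparkle)")
    if sparkle_version is None:
        findings.append("bundled Sparkle framework not found")
    elif parse_version(sparkle_version) < parse_version(min_safe_version):
        findings.append("bundled Sparkle %s is older than %s"
                        % (sparkle_version, min_safe_version))
    return findings


def scan_app_bundle(app_path, min_safe_version):
    """Assess a real .app bundle on disk (paths assume the usual Sparkle layout)."""
    app = Path(app_path)
    info = (app / "Contents" / "Info.plist").read_bytes()
    sparkle_info = (app / "Contents" / "Frameworks" / "Sparkle.framework"
                    / "Resources" / "Info.plist")
    sparkle_version = None
    if sparkle_info.exists():
        sparkle_version = plistlib.loads(
            sparkle_info.read_bytes()).get("CFBundleShortVersionString")
    return assess_app(info, sparkle_version, min_safe_version)


if __name__ == "__main__":
    # Demonstration on the constructed plists; "1.9.0" and "2.0.0" are made-up
    # framework versions, not a statement of which Sparkle release is fixed.
    for label, plist in (("insecure", INSECURE_PLIST), ("fixed", FIXED_PLIST)):
        for finding in assess_app(plist, "1.9.0", "2.0.0") or ["no findings"]:
            print("%s: %s" % (label, finding))
```

To check a real installation, call `scan_app_bundle("/Applications/SomeApp.app", "<fixed Sparkle version>")` for each app on the list, passing the Sparkle release you consider fixed; the script only reads plists, so it is safe to run over every bundle in `/Applications`. A clean result means the feed is HTTPS and the framework meets your threshold, which is exactly what the developer steps above are meant to produce.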