A pair of newly discovered security vulnerabilities in a framework used by a wide variety of Mac apps leaves those apps open to Man-in-the-Middle (MitM) attacks.

The framework in question is Sparkle, which a large number of third-party OS X apps, including Camtasia, uTorrent, Duet Display and Sketch, use to check for and install updates in the background.

Sparkle is open source software, published on GitHub under the permissive MIT license by the Sparkle Project and its many contributors. The framework supports Mac OS X versions 10.7 through 10.11 and Xcode 5.0 through 7.0.

The Sparkle vulnerabilities, discovered in late January by a security researcher known as Radek and first reported by Ars Technica, affect Mac apps that:
  1. Bundle an outdated, vulnerable version of the Sparkle updater framework.
  2. Fetch update information from their update server over an unencrypted HTTP channel.

What's the Issue?

The first weakness stems from how app developers have integrated the Sparkle Updater framework into their apps.

Many of them point Sparkle at a plain HTTP URL to check for new updates, rather than an HTTPS (SSL/TLS) one, so the update information arrives with neither encryption nor server authentication.

As a result, an attacker on the same network can intercept that traffic and inject malicious content into the communication between the app and the update server; in the worst case this hands the attacker full control of the victim's computer.

Video Proof-of-Concept Attack

A proof-of-concept (PoC) video shows a working attack conducted against a vulnerable version of the Sequel Pro app.

A second proof-of-concept attack was shared by fellow researcher Simone Margaritelli, who targeted an older version of VLC Media Player; VLC has since been updated to close the hole.

Margaritelli demonstrated the attack on a fully patched Mac running what was then the latest version of VLC media player, using a technique that streamlines the attack by integrating it with the Metasploit exploit framework.

A second, less severe bug in Sparkle, also found by Radek, could be exploited against poorly configured update servers, potentially allowing an attacker to swap an update file for a malicious one.

The Sparkle vulnerabilities affected both OS X Yosemite and the then-current release, OS X El Capitan.

Who's Affected?

The Sparkle vulnerabilities affect third-party apps distributed outside the Mac App Store, that is, apps users download manually from the Internet, when those apps bundle an outdated version of Sparkle.

Although the actual number of affected apps is not known, Radek estimated that it could be "huge."

Among the affected apps are uTorrent (version 1.8.7), Camtasia 2 (version 2.10.4), Sketch (version 3.5.1), and DuetDisplay (version

Check if You're Affected

Check this list of apps that use the Sparkle Updater framework. If any of them is installed on your Mac, you could be at risk.

Note: Not all of the listed apps communicate over unencrypted HTTP channels or use an outdated version of the framework.
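The following script is an added example, not code from the Sparkle project or from the researchers named above. It performs the two checks the article describes on an installed app bundle: whether the app's Sparkle feed URL (read from the standard SUFeedURL key in Info.plist) is plain HTTP, and whether the bundled Sparkle.framework is older than a chosen version. It also audits an appcast feed for HTTP enclosure and release-notes links, using a constructed sample feed so it runs offline. The bundle layout, the SUFeedURL key, the sparkle XML namespace and the appcast element names are Sparkle's standard ones; the MIN_SAFE_SPARKLE threshold, the example.invalid host names and the sample feed contents are assumptions made for this example.

```python
# Added example (not Sparkle project code). Assumes the app stores its appcast URL
# in the standard Sparkle Info.plist key SUFeedURL and bundles Sparkle.framework under
# Contents/Frameworks; MIN_SAFE_SPARKLE is a placeholder, not a figure from the article.
import plistlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
MIN_SAFE_SPARKLE = "1.13.1"  # assumed threshold; confirm against the project's release notes


def version_tuple(version: str) -> tuple:
    """'1.13.1' -> (1, 13, 1), so versions compare numerically rather than as strings."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in version.split("."))


def is_https(url: Optional[str]) -> bool:
    return bool(url) and urlsplit(url).scheme.lower() == "https"


def sparkle_version(app: Path) -> Optional[str]:
    """Version of the bundled Sparkle.framework, or None when the app does not ship it."""
    framework = app / "Contents" / "Frameworks" / "Sparkle.framework"
    for rel in ("Resources/Info.plist", "Versions/A/Resources/Info.plist"):
        if (framework / rel).is_file():
            with (framework / rel).open("rb") as fh:
                return plistlib.load(fh).get("CFBundleShortVersionString")
    return None


def audit_app(app: Path, min_safe: str = MIN_SAFE_SPARKLE) -> dict:
    """Check the two conditions the article names: plain-HTTP appcast URL, outdated Sparkle."""
    with (app / "Contents" / "Info.plist").open("rb") as fh:
        feed = plistlib.load(fh).get("SUFeedURL")
    version, findings = sparkle_version(app), []
    if version is not None:
        if feed and not is_https(feed):
            findings.append(f"appcast requested over {urlsplit(feed).scheme}: {feed}")
        if version_tuple(version) < version_tuple(min_safe):
            findings.append(f"bundled Sparkle {version} is older than {min_safe}")
    return {"app": app.name, "sparkle": version, "feed": feed, "findings": findings}


def audit_appcast(xml_bytes: bytes) -> list:
    """Flag feed items whose update archive or release notes travel over plain HTTP."""
    findings = []
    for item in ET.fromstring(xml_bytes).iter("item"):
        enclosure = item.find("enclosure")
        links = {"enclosure": enclosure.get("url") if enclosure is not None else None,
                 "release notes": item.findtext(f"{{{SPARKLE_NS}}}releaseNotesLink")}
        for label, url in links.items():
            if url and not is_https(url):
                findings.append(f"{item.findtext('title', '(untitled)')}: {label} over {urlsplit(url).scheme}: {url}")
    return findings


# Constructed sample feed for offline use; not any vendor's real appcast.
SAMPLE_APPCAST = f"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}"><channel>
  <item><title>Version 2.1</title>
    <sparkle:releaseNotesLink>http://updates.example.invalid/notes-2.1.html</sparkle:releaseNotesLink>
    <enclosure url="http://updates.example.invalid/ExampleApp-2.1.zip" sparkle:version="2.1"/></item>
  <item><title>Version 2.2</title>
    <sparkle:releaseNotesLink>https://updates.example.invalid/notes-2.2.html</sparkle:releaseNotesLink>
    <enclosure url="https://updates.example.invalid/ExampleApp-2.2.zip" sparkle:version="2.2"/></item>
</channel></rss>""".encode()


def make_sample_app(root: Path, name: str, feed_url: str, sparkle: str) -> Path:
    """Write a minimal constructed .app skeleton: Info.plist plus the Sparkle.framework plist."""
    app = root / f"{name}.app"
    resources = app / "Contents" / "Frameworks" / "Sparkle.framework" / "Resources"
    resources.mkdir(parents=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": f"invalid.example.{name}", "SUFeedURL": feed_url}, fh)
    with (resources / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": sparkle}, fh)
    return app


def demo() -> dict:
    """Audit two constructed bundles and the sample appcast; returns the findings for each."""
    root = Path(tempfile.mkdtemp(prefix="sparkle-audit-"))
    weak = make_sample_app(root, "WeakApp", "http://updates.example.invalid/appcast.xml", "1.5")
    fixed = make_sample_app(root, "FixedApp", "https://updates.example.invalid/appcast.xml", MIN_SAFE_SPARKLE)
    return {"weak": audit_app(weak)["findings"], "fixed": audit_app(fixed)["findings"],
            "appcast": audit_appcast(SAMPLE_APPCAST)}


if __name__ == "__main__":
    # On a real Mac: list every Sparkle-using app in /Applications with its findings.
    for bundle in sorted(Path("/Applications").glob("*.app")):
        try:
            report = audit_app(bundle)
        except (OSError, plistlib.InvalidFileException):
            continue
        if report["sparkle"] is not None:
            print(f"{report['app']}: Sparkle {report['sparkle']}, feed {report['feed']}", *report["findings"], sep="\n    ")
```

Run as a script on a Mac it walks /Applications and prints each Sparkle-using app with its feed URL and findings; `demo()` exercises the same logic on two constructed bundles (one HTTP feed with an old framework, one HTTPS feed at the threshold version) and on the sample appcast. A clean result from this script only means the two conditions the article lists are absent; it does not prove an app's update path is safe in other respects.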

How to Protect Yourself against the Issues?

Although the Sparkle Project has fixed both vulnerabilities in the newest version of the Sparkle Updater, getting that fix onto users' machines is not straightforward.

Radek warns in an email that the major problem is that the developers of each affected app must themselves update the Sparkle framework bundled inside their app, which is not trivial.

The update process requires a developer to:
  • Download the latest version of the Sparkle Updater
  • Check that the latest version of Sparkle is compatible with their app
  • Build test cases and verify that updating still works
  • Address the security issue and publish a new version of the app
Only once that is done can users check for the app update and download the fixed version of the particular app to their computers.

Until this is done, users who are not sure whether an app on their computer is safe should avoid unsecured Wi-Fi networks or, alternatively, use a Virtual Private Network (VPN).

In the meantime, if you are prompted to update an app, do not update through the update window itself; instead, visit the app's official website and download the latest version from there, so you can be sure you are installing what you actually intend to.
