'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability

A pair of vulnerabilities in the framework that Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.

Apps that use a vulnerable version of Sparkle and an unencrypted HTTP channel for server updates are at risk of being hijacked to transmit malicious code to end users. The Sparkle framework is used by apps outside of the Mac App Store to facilitate automatic software updates.

Some of the affected apps are widely downloaded titles such as Camtasia, Duet Display, uTorrent, and Sketch. A proof-of-concept attack was shared by Simone Margaritelli using an older version of VLC, which has since been updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.

A "huge" number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not which of them use the vulnerable version or which transfer data over non-secured HTTP channels.

Apps downloaded through the Mac App Store are not affected, as OS X's built-in software update mechanism does not use Sparkle.

Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take time for Mac apps to implement the patched framework. Ars Technica recommends that concerned users who have potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or connect via a VPN.

Article Link: 'Huge' Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability

This will give a list of the ones on your system.
Code:
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
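As an added example (not from the article or the post above), a POSIX shell script that goes one step further than the one-liner: it lists each app bundling Sparkle.framework and reports whether the update feed declared in its Info.plist (Sparkle's SUFeedURL key) uses http or https, which is the condition the article describes for an update being hijacked. It assumes XML-format Info.plist files and the usual Contents/Frameworks/Sparkle.framework layout inside the bundle.

```shell
#!/bin/sh
# Added example: triage which Sparkle-using apps declare a plain-http update
# feed.  Assumes XML (not binary) Info.plist files; on OS X, convert a binary
# plist first with `plutil -convert xml1 <file>`.

# Print "scheme<TAB>app-name<TAB>feed-url" for one .app bundle.
sparkle_feed_info() {
    app="$1"
    plist="$app/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    # Take the <string> that follows the SUFeedURL key (XML plist only).
    feed=$(awk '
        /<key>SUFeedURL<\/key>/ { want = 1 }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }' "$plist")
    name=$(basename "$app" .app)
    case "$feed" in
        https://*) scheme=https ;;   # encrypted feed
        http://*)  scheme=http ;;    # exposed to the update hijack described above
        "")        scheme=none ;;    # no static feed declared in the plist
        *)         scheme=other ;;
    esac
    printf '%s\t%s\t%s\n' "$scheme" "$name" "$feed"
}

# Walk a directory (default /Applications), locate bundled Sparkle
# frameworks, and print one line per app, sorted for stable output.
audit_sparkle_apps() {
    root="${1:-/Applications}"
    find "$root" -type d -name Sparkle.framework 2>/dev/null |
    while IFS= read -r fw; do
        # .../Foo.app/Contents/Frameworks/Sparkle.framework -> .../Foo.app
        app="${fw%/Contents/Frameworks/Sparkle.framework}"
        [ "$app" != "$fw" ] || continue      # framework not in the usual place
        sparkle_feed_info "$app" || true     # skip bundles without a readable plist
    done | sort -u
}

audit_sparkle_apps "$@"
```

An app can also set its feed URL at runtime through Sparkle's delegate, and the HTTP channel is only one of the two issues reported, so an https or none result is a triage hint rather than proof that the app is safe.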