Flaw in Sparkle Updater for Mac opens users of popular apps to system compromise

A security engineer has recently discovered a serious vulnerability in Sparkle, the widely used open source software update framework for Mac applications, that could be exploited by attackers to mount a man-in-the-middle attack and ultimately take control of the computer if they are located on the same network.

Sparkle Updater for Mac

Since it inception in 2006, Sparkle slowly became the de-facto standard for OS X application updates. It is used by many, many popular applications including Evernote, Coda, VLC Media Player, Slack, and TeamViewer (to name a few), but not all these apps are vulnerable to this attack.

That’s because the flaw can be exploited only if the app using the vulnerable version of Sparkle also uses HTTP to receive updates.

“The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response),” explained the researcher, who goes by the name of Radek.

He created a demo of the attack against a vulnerable version of the popular Sequel Pro SQL database management app (for more technical details about the attack chek out his blog post):

He says that the vulnerability can be exploited both on OS X 10.10 (Yosemite) and 10.11 (El Capitan).

The existence of the vulnerability and the effectiveness of the attack has been confirmed by other researchers.

In the meantime, developers of vulnerable apps have started pushing out updates that include a new, fixed version of the framework, which has been pushed out by the Sparkle Project almost immediately after they have been contacted by Radek.

According to him, Facebook has already fixed the problem in its UI designing tool Origami, free tool for designing modern. Sequel Pro has also been updated, and so has VLC.

The whole process isn’t that simple or easy (some apps are too complex, some developers simply don’t have the time) but it should to be done.

In the meantime, users of vulnerable apps would do well to disable the automatical check for updates option in the app (if there is one), and wait for the developers to push out a fixed version. Then, they should download and install the new version manually, ideally over a secure network (not public Wi-Fi).