Sparkle software updater leaves 'huge' number of Mac apps open to attack

Posted in macOS, edited February 2016
A "huge" number of third-party Mac apps are under threat of man-in-the-middle attacks due to a recently discovered vulnerability in Sparkle, an open source framework used to facilitate software updates.


Proof-of-concept video showing remote code execution in Sequel Pro update. | Source: Vulnerable Security


As reported by Ars Technica, the flaw lies in how affected Sparkle builds display release notes: they are rendered in a WebKit WebView with JavaScript enabled, so an attacker who can tamper with the update feed can inject JavaScript that executes when an affected app checks for software updates.

Along with a flawed Sparkle version, a vulnerable app must also fetch its update feed over unencrypted HTTP from the developer's server. An attacker positioned to intercept and modify that traffic, for example on an open Wi-Fi network, can rewrite the update response and run code on the target computer. The publication cited work from a software engineer called Radek, who confirmed the exploit works against apps running on the latest versions of OS X 10.11 El Capitan and OS X 10.10 Yosemite.



While an exhaustive list of impacted Mac apps is unavailable, researchers successfully applied the exploit to Camtasia, uTorrent and a recent version of VLC Media Player. Developers are aware of the Sparkle vulnerability: VLC patched the hole in an update last week. A running list of apps that use Sparkle as an update framework has been posted to GitHub.

Sparkle Updater has pushed out a fix in its latest release, but each third-party app remains exposed until its developer ships a build that bundles the patched framework.

Comments

  • Reply 1 of 21
    melgross Posts: 30,345 member
    I love it! I get this crap about how secure open source is because there are so many "eyes" on it. That's total nonsense. Open source is as vulnerable as any proprietary software is, often more so.
  • Reply 2 of 21
    melgross said:
    I love it! I get this crap about how secure open source is because there are so many "eyes" on it. That's total nonsense. Open source is as vulnerable as any proprietary software is, often more so.
    Well, except that:

    1) the flaw wasn't really in Sparkle itself; it comes from the fact that they used Apple's WebView, which allows JavaScript by default, and the fact that the Finder can apparently download executables from FTP servers without setting the quarantine flag,

    2) this was patched pretty much immediately as soon as it was revealed (unlike the Finder bug, which hasn't been fixed yet), and:

    3) it only affects apps that are using HTTP rather than HTTPS to load resources, which has been discouraged for quite some time now (in El Cap, in fact, HTTP is disabled by default by App Transport Security, and you have to jump through some hoops before it'll allow you to use it at all in the first place).

    edit: it appears that this is relying on a bug in the Finder's FTP support. Apparently, if the Finder is set as the default FTP handler, it can download executable files from FTP servers without setting the quarantine flag, so that Gatekeeper is bypassed. I hope Apple patches this soon, because it's kind of huge, and it doesn't seem specific to Sparkle. To me, it looks like someone could use this trick basically to intercept any Web traffic, including normal browsing via Safari or Chrome.

    edit 2: Here's a post containing some tips on how to defend against this attack.
    edited February 2016
  • Reply 3 of 21
    lkrupp Posts: 5,885 member
    Nice terminal command found on GitHub that searches your Applications folder and returns a list of those apps using the Sparkle framework. From that list you can check to see if any of your apps have updates available to patch the vulnerability. I tried it and it works like a charm.


    find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
  • Reply 4 of 21
    Nope. Abject FAIL if there's an app using Sparkle framework in /Applications/Utilities:

    find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
    Utilities
    Utilities
    VLC

    Try this one-liner instead:

    find /Applications -name Sparkle.framework | sed 's,/Applications/\(.*\)\.app/.*,\1,'
    Utilities/Carbon Copy Cloner
    Utilities/Mactracker
    VLC
  • Reply 5 of 21
    tenly Posts: 707 member

    If Apple detects this vulnerability, they should shut down the computer and force the user to buy a new one!  Anything short of that is a security risk!!!  They could display something on the screen which clearly communicates the issue and the options a user has available to them - something clear and concise - like "Error 54" maybe...

    /s
    edited February 2016
  • Reply 6 of 21
    mcdave Posts: 806 member
    Any free software that's not on the Mac App Store is inherently suspect anyway.
  • Reply 7 of 21
    EstherD said:
    Nope. Abject FAIL if there's an app using Sparkle framework in /Applications/Utilities:

    find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
    Utilities
    Utilities
    VLC

    Try this one-liner instead:

    find /Applications -name Sparkle.framework | sed 's,/Applications/\(.*\)\.app/.*,\1,'
    Utilities/Carbon Copy Cloner
    Utilities/Mactracker
    VLC
    or:

    find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'

  • Reply 8 of 21
    lkrupp said:
    Nice terminal command found on GitHub that searches your Applications folder and returns a list of those apps using the Sparkle framework. From that list you can check to see if any of your apps have updates available to patch the vulnerability. I tried it and it works like a charm.


    find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
    
    Note: that terminal command only works for apps directly within the /Applications directory and not nested in a subfolder.
  • Reply 9 of 21
    melgross said:
    I love it! I get this crap about how secure open source is because there are so many "eyes" on it. That's total nonsense. Open source is as vulnerable as any proprietary software is, often more so.
    Actually - if developers would use their eyes and follow the Sparkle documentation that "strongly recommends" the use of https://, then this problem would not exist:

    https://sparkle-project.org/documentation/#publish-your-appcast
    We strongly encourage you to use HTTPS URLs for the appcast.

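The following script is an added example, not code from the article or from any commenter in this thread. It generalizes the find/awk/sed one-liners posted above (it copes with apps in subfolders such as Utilities, bundle names containing spaces, and helper apps nested inside another app) and, for each bundle that embeds Sparkle, reports the two conditions the article describes: the Sparkle version that is bundled, and whether the appcast named by the SUFeedURL key in Info.plist is fetched over plain HTTP rather than the HTTPS the Sparkle documentation recommends. The function names and status labels are this script's own; it assumes Info.plist is XML, or binary on a Mac where plutil can convert it, and that the feed URL is set statically in Info.plist (an app can also supply it at run time through its SUUpdater delegate, which a static check cannot see). The page does not name the fixed Sparkle release, so compare the printed version against the Sparkle project's own advisory.

```shell
#!/bin/sh
# Added example, not code from the article or from any commenter in this thread.
# Lists every bundle under a folder that embeds Sparkle.framework and reports the
# two conditions the article describes: the Sparkle version bundled, and whether
# the app's appcast (the SUFeedURL key in Info.plist) is fetched over plain HTTP.
# Assumptions: Info.plist is XML, or binary on macOS where plutil can convert it;
# the feed URL is set statically in Info.plist (apps can also supply it at
# runtime through the SUUpdater delegate, which this script cannot see).

# plist_string FILE KEY: print the <string> value stored under KEY, or nothing.
plist_string() {
    file=$1
    key=$2
    [ -f "$file" ] || return 0
    {
        if command -v plutil >/dev/null 2>&1; then
            plutil -convert xml1 -o - "$file"   # binary plist -> XML on stdout
        else
            cat "$file"                          # assume XML where plutil is absent
        fi
    } | tr -d '\n\r' \
      | sed -n "s/.*<key>$key<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p"
}

# feed_status URL: classify the feed scheme. The labels are this script's own.
feed_status() {
    case $1 in
        http://*)  echo HTTP_INSECURE ;;   # the precondition for the MITM attack
        https://*) echo HTTPS ;;
        "")        echo NO_FEED_URL ;;     # feed set at runtime, or key absent
        *)         echo OTHER_SCHEME ;;
    esac
}

# audit_sparkle_apps DIR: one tab-separated line per bundle that embeds Sparkle:
#   bundle path relative to DIR, Sparkle version, feed status, feed URL
# The innermost .app is derived from the framework path, so apps in subfolders,
# names with spaces and helper apps nested inside another app are all handled.
audit_sparkle_apps() {
    dir=${1%/}
    find "$dir" -type d -name Sparkle.framework | sort | while IFS= read -r fw; do
        bundle=${fw%.app/*}.app
        [ "$bundle" != "$fw.app" ] || bundle=$fw   # framework not inside an .app
        rel=${bundle#"$dir"/}
        ver=$(plist_string "$fw/Resources/Info.plist" CFBundleShortVersionString)
        [ -n "$ver" ] || ver=$(plist_string "$fw/Versions/A/Resources/Info.plist" CFBundleShortVersionString)
        [ -n "$ver" ] || ver=unknown
        feed=$(plist_string "$bundle/Contents/Info.plist" SUFeedURL)
        printf '%s\t%s\t%s\t%s\n' "$rel" "$ver" "$(feed_status "$feed")" "$feed"
    done
}

# Audit /Applications by default; also point it at ~/Applications or any other
# folder you install apps into (sh sparkle_audit.sh "$HOME/Applications").
target=${1:-/Applications}
if [ -d "$target" ]; then
    audit_sparkle_apps "$target"
fi
```

Any line marked HTTP_INSECURE is an app that meets the article's network precondition regardless of the Sparkle version it carries; NO_FEED_URL lines deserve a manual look, since the feed may be configured in code rather than in Info.plist.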

  • Reply 10 of 21
    kpluck Posts: 500 member
    tenly said:

    If Apple detects this vulnerability, they should shut down the computer and force the user to buy a new one!  Anything short of that is a security risk!!!  They could display something on the screen which clearly communicates the issue and the options a user has available to them - something clear and concise - like "Error 54" maybe...

    /s
    Gold. :smiley: 

    -kpluck
  • Reply 11 of 21
    auxio Posts: 1,823 member
    tenly said:

    If Apple detects this vulnerability, they should shut down the computer and force the user to buy a new one!  Anything short of that is a security risk!!!  They could display something on the screen which clearly communicates the issue and the options a user has available to them - something clear and concise - like "Error 54" maybe...

    /s
    Or maybe they could roll out a hasty patch?
    edited February 2016
  • Reply 12 of 21
    cnocbui Posts: 3,613 member
    auxio said:
    tenly said:

    If Apple detects this vulnerability, they should shut down the computer and force the user to buy a new one!  Anything short of that is a security risk!!!  They could display something on the screen which clearly communicates the issue and the options a user has available to them - something clear and concise - like "Error 54" maybe...

    /s
    Or maybe they could roll out a hasty patch?
    Or they could do what Apple usually does - give no public response to a reported bug, whatsoever, and slip the fix into an OS update in a couple years time.
  • Reply 13 of 21
    Just one of many reasons I don't let any of my apps auto-update, not to mention that a new version isn't always wanted.
  • Reply 14 of 21
    How to find if apps on your system are possibly affected: http://www.mackungfu.org/how-to-find-if-your-apps-are-affected-by-the-sparkle-hijack
  • Reply 15 of 21
    Oh great:

    Coda 2
    Fitbit Connect
    Fitbit Connect.app/Contents/MacOS/Fitbit Connect Menubar Helper
    Labels & Addresses
    TeamViewer
    Utilities/XQuartz

    I liked Coda when it was available on the Mac App Store. I don't know why they went back to distributing their way again. It's kind of a backwards step. I can see no valid reason for them ditching Mac App Store at all.
    edited February 2016
  • Reply 16 of 21
    I assume that when it was in the App Store, that was before the App Store required sandboxing. Coda is a developer tool; these sorts of apps often need to do things that the App Sandbox won't allow.
  • Reply 17 of 21
    foggyhill Posts: 4,622 member
    tenly said:

    If Apple detects this vulnerability, they should shut down the computer and force the user to buy a new one!  Anything short of that is a security risk!!!  They could display something on the screen which clearly communicates the issue and the options a user has available to them - something clear and concise - like "Error 54" maybe...

    /s
    This is not sarcasm because I've read your other posts on this; you can't claim sarcasm after that. Sorry, try again!
    So, the only other interpretation is that this was a straight up lame attempt at being witty.
    edited February 2016
  • Reply 18 of 21
    I assume that when it was in the App Store, that was before the App Store required sandboxing. Coda is a developer tool; these sorts of apps often need to do things that the App Sandbox won't allow.
    It's used to develop websites. Even FTPing or accessing databases can be done sandboxed. In fact I cannot see a single thing that Coda does that requires it to be non-sandboxed.
  • Reply 19 of 21
    tenly Posts: 707 member
    foggyhill said:
    tenly said:

    If Apple detects this vulnerability, they should shut down the computer and force the user to buy a new one!  Anything short of that is a security risk!!!  They could display something on the screen which clearly communicates the issue and the options a user has available to them - something clear and concise - like "Error 54" maybe...

    /s
    This is not sarcasm because I've read your other posts on this; you can't claim sarcasm after that. Sorry, try again!
    So, the only other interpretation is that this was a straight up lame attempt at being witty.
    You may have read them but your post proves that you didn't understand...

    Is there a tag for wit?

    /w /s /gfy
  • Reply 20 of 21
    lkrupp Posts: 5,885 member
    Just got the Sparkle.framework update fix for Quicken 2016, now at version 3.0.5