Sparkle software updater leaves 'huge' number of Mac apps open to attack
A "huge" number of third-party Mac apps are under threat of man-in-the-middle attacks due to a recently discovered vulnerability in Sparkle, an open source framework used to facilitate software updates.
Proof-of-concept video showing remote code execution in Sequel Pro update. | Source: Vulnerable Security
As reported by Ars Technica, a flawed WebKit rendering engine implementation found in certain Sparkle builds is to blame for the newly discovered attack that allows malicious users to insert and execute JavaScript code when affected app check for software updates.
Along with a flawed Sparkle version, vulnerable apps must also be running an unencrypted HTTP channel to receive software updates from offsite servers. Nefarious users capable of capturing network traffic, perhaps over an unsecured Wi-Fi connection, can leverage the Sparkle exploit to run malicious code remotely on a target computer. The publication cited work from a software engineer called Radek, who confirmed the exploit affects apps running on the latest versions of OS X 10.11 El Capitan and OS X 10.10 Yosemite.
While an exhaustive list of impacted Mac apps is unavailable, researchers successfully applied the exploit to Camtasia, uTorrent and a recent version VLC Media Player. It should be noted that developers are aware of the Sparkle vulnerability, as VLC patched the hole in an update last week. A running list of apps that use Sparkle as an update framework has been posted to GitHub
Sparkle Updater has pushed out a fix in its latest version release, but it remains up to third-party app developers to integrate the patched framework.
Proof-of-concept video showing remote code execution in Sequel Pro update. | Source: Vulnerable Security
As reported by Ars Technica, a flawed WebKit rendering engine implementation found in certain Sparkle builds is to blame for the newly discovered attack that allows malicious users to insert and execute JavaScript code when affected app check for software updates.
Along with a flawed Sparkle version, vulnerable apps must also be running an unencrypted HTTP channel to receive software updates from offsite servers. Nefarious users capable of capturing network traffic, perhaps over an unsecured Wi-Fi connection, can leverage the Sparkle exploit to run malicious code remotely on a target computer. The publication cited work from a software engineer called Radek, who confirmed the exploit affects apps running on the latest versions of OS X 10.11 El Capitan and OS X 10.10 Yosemite.
While an exhaustive list of impacted Mac apps is unavailable, researchers successfully applied the exploit to Camtasia, uTorrent and a recent version VLC Media Player. It should be noted that developers are aware of the Sparkle vulnerability, as VLC patched the hole in an update last week. A running list of apps that use Sparkle as an update framework has been posted to GitHub
Sparkle Updater has pushed out a fix in its latest version release, but it remains up to third-party app developers to integrate the patched framework.
Comments
1) the flaw wasn't really in Sparkle itself; it comes from the fact that they used Apple's WebView, which allows JavaScript by default, and the fact that the Finder can apparently download executables from FTP servers without setting the quarantine flag,
2) this was patched pretty much immediately as soon as it was revealed (unlike the Finder bug, which hasn't been fixed yet), and:
3) it only affects apps that are using HTTP rather than HTTPS to load resources, which has been discouraged for quite some time now (in El Cap, in fact, HTTP is disabled by default by App Transport Security, and you have to jump through some hoops before it'll allow you to use it at all in the first place).
edit: it appears that this is relying on a bug in the Finder's FTP support. Apparently, if the Finder is set as the default FTP handler, it can download executable files from FTP servers without setting the quarantine flag, so that Gatekeeper is bypassed. I hope Apple patches this soon, because it's kind of huge, and it doesn't seem specific to Sparkle. To me, it looks like someone could use this trick basically to intercept any Web traffic, including normal browsing via Safari or Chrome.
edit 2: Here's a post containing some tips on how to defend against this attack.
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
Utilities
Utilities
VLC
Try this one-liner instead:
find /Applications -name Sparkle.framework | sed 's,/Applications/\(.*\)\.app/.*,\1,'
Utilities/Carbon Copy Cloner
Utilities/Mactracker
VLC
/s
find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'
https://sparkle-project.org/documentation/#publish-your-appcast
We strongly encourage you to use HTTPS URLs for the appcast.
-kpluck
Coda 2
Fitbit Connect
Fitbit Connect.app/Contents/MacOS/Fitbit Connect Menubar Helper
Labels & Addresses
TeamViewer
Utilities/XQuartz
I liked Coda when it was available on the Mac App Store. I don't know why they went back to distributing their way again. It's kind of a backwards step. I can see no valid reason for them ditching Mac App Store at all.
So, the only other interpretation is that this was was a straight up lame attempt at being witty.
Is there a tag for wit?
/w /s /gfy