Posted by Robert Vamosi on February 10, 2016
A number of Mac apps, including popular ones such as Camtasia and uTorrent, are susceptible to man-in-the-middle attacks, according to new research. A vulnerability found in Sparkle, a third-party software framework used by Mac apps to receive updates, could allow a remote attacker to install malicious code.
A researcher posting on Vulsec found there are two specific vulnerabilities: First one is connected with the default configuration (http) which is unsafe and leads to RCE over MITM attack inside untrusted environment; the second one is the risk of parsing file://, ftp:// and other protocols inside the WebView component.
The researcher who posted under the name Radek found that he was able to exploit the flaws in systems running OS X 10.10 (Yosemite) and 10.11 (El Capitan) with the latest version of the software
In addition to the apps mentioned earlier, a more complete list of vulnerable apps can be found on GitHub.
Fortunately, Sparkle has updated and patched the vulnerabilities. Developers using the Sparkle Updater framework will need to update to the most current version, 1.13.1.