Software Integrity Blog


Mac apps vulnerable to third-party update flaw

A number of Mac apps, including popular ones such as Camtasia and uTorrent, are susceptible to man-in-the-middle attacks, according to new research. A vulnerability found in Sparkle, a third-party software framework used by Mac apps to receive updates, could allow a remote attacker to install malicious code.

According to Ars Technica, the vulnerability involves the way Sparkle interacts with functions built into the WebKit rendering engine to allow JavaScript execution. Basically, the connection between the end-user client and the server is mistakenly marked as HTTP and not HTTPS.

A researcher posting on Vulsec found there are two specific vulnerabilities. The first is connected with the default configuration (HTTP), which is unsafe and leads to RCE via a MITM attack in an untrusted environment; the second is the risk of parsing file://, ftp:// and other protocols inside the WebView component.

The researcher, who posted under the name Radek, found that he was able to exploit the flaws in systems running OS X 10.10 (Yosemite) and 10.11 (El Capitan) with the latest version of the software.
In addition to the apps mentioned earlier, a more complete list of vulnerable apps can be found on GitHub.

Fortunately, Sparkle has updated and patched the vulnerabilities. Developers using the Sparkle Updater framework will need to update to the most current version, 1.13.1.
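To find affected installs, the following added example (not code from the article or the Sparkle project) audits app bundles for an embedded Sparkle older than 1.13.1 or an update feed served over plain HTTP. It assumes the feed URL is stored under the `SUFeedURL` key of the app's Info.plist and that the framework sits at `Contents/Frameworks/Sparkle.framework`; the sample bundles and the `updates.example.com` host are constructed.

```python
import plistlib
import re
from pathlib import Path
from urllib.parse import urlparse

FIXED = (1, 13, 1)  # patched Sparkle release named in the article

def read_plist(path):
    """Parse a plist; return {} when it is missing, malformed or not a dict."""
    try:
        data = plistlib.loads(Path(path).read_bytes())
    except Exception:  # OSError, InvalidFileException, ExpatError, ...
        return {}
    return data if isinstance(data, dict) else {}

def version_tuple(text):
    """'1.13.1' -> (1, 13, 1); compares the first three numeric fields."""
    return tuple(int(n) for n in re.findall(r"\d+", str(text))[:3])

def audit_app(app):
    """Findings for one .app bundle; an empty list means nothing was flagged."""
    framework = Path(app, "Contents/Frameworks/Sparkle.framework")
    if not framework.is_dir():
        return []  # bundle does not embed Sparkle
    findings = []
    feed = str(read_plist(Path(app, "Contents/Info.plist")).get("SUFeedURL", ""))
    if feed and urlparse(feed).scheme.lower() != "https":
        findings.append(f"update feed is not HTTPS: {feed}")
    version = read_plist(framework / "Resources/Info.plist").get("CFBundleShortVersionString")
    if version is None or version_tuple(version) < FIXED:
        findings.append(f"Sparkle {version or 'version unknown'} is older than 1.13.1")
    return findings

def scan(root="/Applications"):
    """Map bundle name -> findings for each flagged app directly under root."""
    results = {a.name: audit_app(a) for a in sorted(Path(root).glob("*.app"))}
    return {name: found for name, found in results.items() if found}

def build_sample(root):
    """Constructed bundles (not real apps): one outdated over HTTP, one patched."""
    for name, scheme, ver in [("Old.app", "http", "1.10.0"), ("Patched.app", "https", "1.13.1")]:
        res = Path(root, name, "Contents/Frameworks/Sparkle.framework/Resources")
        res.mkdir(parents=True)
        (res / "Info.plist").write_bytes(plistlib.dumps({"CFBundleShortVersionString": ver}))
        feed = {"SUFeedURL": f"{scheme}://updates.example.com/appcast.xml"}
        Path(root, name, "Contents/Info.plist").write_bytes(plistlib.dumps(feed))

if __name__ == "__main__":
    print(scan())  # real run on macOS; build_sample() gives offline input
```

An app that sets its feed URL in code rather than in Info.plist will not show a feed finding, so the framework version check is the more reliable signal.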

