App developer

Sparkle Framework Vulnerability

Dan Goodin:

Camtasia, uTorrent, and a large number of other Mac apps are susceptible to man-in-the-middle attacks that install malicious code, thanks to a vulnerability in Sparkle, the third-party software framework the apps use to receive updates.

The vulnerability is the result of apps that use a vulnerable version of Sparkle along with an unencrypted HTTP channel to receive data from update servers. It involves the way Sparkle interacts with functions built into the WebKit rendering engine to allow JavaScript execution. As a result, attackers with the ability to manipulate the traffic passing between the end user and the server—say, an adversary on the same Wi-Fi network—can inject malicious code into the communication.

If you want to find if there are affected apps on your Mac, run this command in Terminal:

find /Applications -name Sparkle.framework

On my Mac, Coda 2, Fabric, GPG Keychain, and Sketch show up as using the Sparkle Framework. However, it’s important to note that the vulnerability only works when updates are served over a non-HTTPS connection. With that in mind:

  • Coda 2 is not affected
  • Fabric is not affected
  • GPG Keychain is not affected
  • Sketch is fixed as of v3.5.2

Say what you want about the state of the Mac App Store, but this stuff hasn’t happened there.