This article originally appeared in TidBITS on 2016-02-15 at 9:50 a.m.
The permanent URL for this article is: http://tidbits.com/article/16261

Sparkle Vulnerability Real, but Exploits Highly Unlikely

by Josh Centers

While numerous readers love our regular TidBITS Watchlist feature, in which we track notable updates for key Mac software, many apps no longer require you to go hunting for the latest versions as they’re released. Instead, these apps use an open source framework called Sparkle [1] to check for, download, and install updates automatically.

Unfortunately, some developers haven’t been careful enough with their implementations of Sparkle, and that could put your Mac at risk of attack. Researcher Radosław Karpowicz found that many developers use unencrypted HTTP connections to their servers [2], which makes man-in-the-middle attacks possible. So, a bad guy could sniff out your network connection, insert malicious code, and hijack your Mac via the compromised app without triggering Apple’s Gatekeeper security feature.

Sparkle itself isn’t really doing much wrong, since using unencrypted HTTP connections violates this recommendation in its documentation: “We strongly encourage you to use HTTPS URLs for the AppCast.” Regardless, the Sparkle team has already updated Sparkle to address the vulnerability. The only problem is that getting an updated app with the new Sparkle code requires, well, getting an update, which could expose you to the vulnerability.

But don’t panic! To exploit this vulnerability, an attacker would need to be on the same network as your Mac. So if you’re safely in the confines of your home or office with an Ethernet or secure Wi-Fi connection, you have nothing to fear. Just keep letting your apps update when they want, and as long as you’re on a private network, you’ll be fine.

However, if you often use public Wi-Fi networks without also employing a VPN to secure all your network traffic, you could be at risk if there were a sufficiently capable hacker at the next table. That risk applies to any affected app that is running and has automatic update checking enabled. Using a VPN will keep you safe, and it should be standard operating procedure when using networks outside your home or office. If a VPN isn’t an option, you can also disable automatic update checking in any apps that use Sparkle, and when an update arrives, download and install it manually. Since taking advantage of this vulnerability would require a targeted attack, it’s highly unlikely that it would be used indiscriminately against people who aren’t high-profile government or corporate officials.

If you are still worried, how do you figure out which apps are vulnerable? People have offered all sorts of Terminal commands to suss out vulnerable apps, but the best one I’ve found comes from RussW, a commenter on Mac Kung Fu [3]. His solution checks to see if the app uses both Sparkle and an insecure HTTP connection, and then it prints out a list of those apps in a fairly readable format.

Unfortunately, there are smart quotes in RussW’s text that partially break the command (thanks to reader Joe for pointing that out), so I’ve created a Pastebin link with the properly formatted command [4]. Follow that link, copy the command under RAW Paste Data, paste the command in the Terminal window, and press Return. Terminal will list the vulnerable apps in your Applications folder.

[image link] [5]

[image link] [6]
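The same check, written here as an added example rather than RussW’s command: it uses only the Python standard library (plistlib reads binary as well as XML Info.plist files) to list every app that bundles Sparkle.framework and flag those whose SUFeedURL points at a plain HTTP appcast. The sample bundles it builds are constructed for a dry run; the app names and URLs in them are made up.

```python
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse


def sparkle_feed_url(app_path):
    """Return the SUFeedURL of a bundle that ships Sparkle.framework, or None if it doesn't."""
    contents = Path(app_path) / "Contents"
    if not (contents / "Frameworks" / "Sparkle.framework").is_dir():
        return None  # the app does not bundle Sparkle at all
    try:
        with open(contents / "Info.plist", "rb") as fh:
            info = plistlib.load(fh)  # reads XML and binary plists alike
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None
    # Some apps set the feed in code instead of Info.plist; return "" so the
    # caller still sees that Sparkle is present and the app needs a manual look.
    return info.get("SUFeedURL", "")


def feed_status(url):
    """Classify an appcast URL as 'insecure' (http), 'secure' (https) or 'unknown'."""
    scheme = urlparse(url).scheme.lower()
    return {"http": "insecure", "https": "secure"}.get(scheme, "unknown")


def scan_applications(root="/Applications"):
    """Return (bundle name, feed URL, status) for every Sparkle-using app under root."""
    root = Path(root)
    apps = sorted(list(root.glob("*.app")) + list(root.glob("*/*.app")))  # e.g. Utilities/
    found = []
    for app in apps:
        url = sparkle_feed_url(app)
        if url is not None:
            found.append((app.name, url, feed_status(url)))
    return found


def make_sample_applications():
    """Build a constructed, throwaway Applications folder with fake bundles for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="sparkle-scan-"))
    samples = {"HttpUpdater.app": "http://updates.example.com/appcast.xml",  # made-up names/URLs
               "HttpsUpdater.app": "https://updates.example.com/appcast.xml",
               "NoFeedKey.app": None}
    for name, feed in samples.items():
        contents = root / name / "Contents"
        (contents / "Frameworks" / "Sparkle.framework").mkdir(parents=True)
        with open(contents / "Info.plist", "wb") as fh:
            plistlib.dump({"SUFeedURL": feed} if feed else {}, fh)
    (root / "PlainApp.app" / "Contents").mkdir(parents=True)  # no Sparkle: must be skipped
    return root
```

On a Mac, calling `scan_applications()` with no argument walks the real /Applications folder; the rows whose status is not "secure" are the apps to consider switching to manual updates on untrusted networks.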

The list may be long, but those who use public Wi-Fi networks can use it to figure out for which apps automatic updates should be disabled until a new version is available. At that point, either update manually or re-enable automatic updating only when on a trusted network. Again, this is necessary only if you’re paranoid or are concerned about using untrusted networks. And as Security Editor Rich Mogull likes to remind us, if you’re in China or are being pursued by the NSA, your data is probably already compromised.

[1]: https://sparkle-project.org/
[2]: https://vulnsec.com/2016/osx-apps-vulnerabilities/
[3]: http://www.mackungfu.org/how-to-find-if-your-apps-are-affected-by-the-sparkle-hijack
[4]: http://pastebin.com/4LfdZBMm
[5]: http://tidbits.com/resources/2016-02/Pastebin-Sparkle-command.png
[6]: http://tidbits.com/resources/2016-02/Terminal-Sparkle-vulnerabilities.png