‘Huge’ number of Mac apps vulnerable to hijacking, and a fix is elusive

“Camtasia, uTorrent, and a large number of other Mac apps are susceptible to man-in-the-middle attacks that install malicious code, thanks to a vulnerability in Sparkle, the third-party software framework the apps use to receive updates,” Dan Goodin reports for Ars Technica. “The vulnerability is the result of apps that use a vulnerable version of Sparkle along with an unencrypted HTTP channel to receive data from update servers. It involves the way Sparkle interacts with functions built into the WebKit rendering engine to allow JavaScript execution.”

“As a result, attackers with the ability to manipulate the traffic passing between the end user and the server—say, an adversary on the same Wi-Fi network—can inject malicious code into the communication,” Goodin reports. “A security engineer who goes by the name Radek said that the attack is viable on both the current El Capitan Mac platform and its predecessor Yosemite.”

“The challenge many app developers have in plugging the security hole, combined with the difficulty end users have in knowing which apps are vulnerable, makes this a vexing problem to solve. People who aren’t sure if an app on their Mac is safe should consider avoiding unsecured Wi-Fi networks or using a virtual private network when doing so,” Goodin reports. “Even then, it will still be possible to exploit vulnerable apps, but the attackers would have to be government spies or rogue telecom employees with access to a phone network or Internet backbone.”

Read more in the full article here.

MacDailyNews Take: Yes, use a VPN when using public Wi-Fi networks (see related articles below). Or tether to your iPhone if at all possible.

Why you should avoid free VPNs – January 29, 2016
How to easily turn that old Mac into an inexpensive personal VPN – November 19, 2015
How and why you should use a VPN to protect your data’s final mile – January 16, 2015


    1. That’s not the only affected app. Run this in Terminal to find all of the affected apps on your Mac: find /Applications -name Sparkle.framework | awk -F’/’ ‘{print $3}’ | awk -F’.’ ‘{print $1}’

      1. FAIL!
        Not ALL apps are affected. Only apps that use HTTP to update, rather than HTTPS. You are listing all apps.
        Of the apps returned you need to examine the info.plist of each application, look for the ‘SUFeedURL’ property and see if it uses http or https.

    2. FYI: Java has almost nothing to do with Javascript, other than the opportunistic naming of Javascript was done when Java was popular. The vulnerability has to do with Javascript within a specific framework (not your web browser), and turning off Java has nothing to do with it.

  1. Mac users of third party software that autoupdates are at risk, first examples are applications used to source media form dubious places.
    how is this news, we all know that entering places of bad reputation, and using software that can be downloaded from difficult to trust sources (the may be trusted in intentions, but not on security practices) is a call for trouble.

    1-Avoid FLASH (use chrome when needed) & Java
    2-Use apps form App Store, or trusted sources, use download hashes when provided (ensure no phishing).
    3-Turn of Auto update. always review updates, sometimes the are just too fresh.
    **Use MS and Google apps at your own discretion

    1. It’s not just an issue of using apps from untrusted sources. Even trusted apps like Handbrake, GPG, and VLC are affected. Here’s the list of apps which are affected on my Mac:
      •GPG Keychain
      •Malwarebytes Anti-Malware
      •MediaInfo Mac
      •Quicken 2015
      •Toast 10 Titanium
      •Trim Enabler

  2. …along with an unencrypted HTTP channel to receive data from update servers

    HTTPS everywhere!
    That would solve it.
    But, for various reasons, this transformation has been slow going. Bleh.

    Meanwhile, there are now lots of relatively inexpensive VPN offers around.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.