Mac tool vulnerability exposes lots of apps to man-in-the-middle attacks
A security specialist has discovered a flaw in Sparkle, a third-party framework that Mac apps use to receive updates, which makes a man-in-the-middle attack possible when the update connection uses unencrypted HTTP.
If the attacker can intercept the unencrypted data stream, for example on a public Wi-Fi hotspot, they could inject malicious code.
The number of apps affected is unknown, but researchers believe it to be significant. Some of the known vulnerable apps are: Camtasia 2 v2.10.4, DuetDisplay v188.8.131.52, uTorrent v1.8.7 and Sketch v3.5.1, as well as the Hopper reverse engineering tool and DxO Optics Pro, amongst many others.
However, not all apps that use Sparkle are susceptible: only those that fetch updates over HTTP instead of HTTPS and bundle a vulnerable version of Sparkle are at risk. Sparkle has issued an update; however, the security specialist Radek, who originally discovered the flaws, warns in an email that applying it is not a trivial process.
This process requires [a developer] to:
- Download the newest version of Sparkle Updater
- Check if the new version of Sparkle is compatible with the app
- Create some test cases, verify the update and so on
- Address this vulnerability and publish a new version of the app
Now, this is the moment when people can check for an update and replace this particular app version on their Macs with the newest one.
It all depends on the complexity of an application, its size and maintainers. That’s the reason why some developers don’t want to update or can’t update Sparkle in their applications (quickly enough).
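Since the risk condition described above is an app that points Sparkle at an http:// feed, an administrator can audit installed bundles for that setting. The script below is an added example written for this article, not code from ITProPortal, Radek or the Sparkle project. It reads each app's Contents/Info.plist, classifies the scheme of Sparkle's SUFeedURL key, and reports the version string of any bundled Sparkle.framework so it can be compared against the vendor's fix notes (no version is hard-coded as safe). The two embedded plists are constructed samples showing the weak and the corrected configuration, and the framework plist path under Contents/Frameworks/Sparkle.framework/Resources/ is an assumption about the usual bundle layout.

```python
"""Audit macOS app bundles for Sparkle update feeds served over plain HTTP.

Added example, not from the article or the Sparkle project. Runs offline on
the constructed sample plists below; scan_applications() walks a real
/Applications directory when executed on a Mac.
"""
import plistlib
from pathlib import Path
from urllib.parse import urlsplit


def classify_feed_url(feed_url):
    """Return 'https', 'http', 'other' or 'none' for a Sparkle feed URL."""
    if not feed_url:
        return "none"
    scheme = urlsplit(feed_url).scheme.lower()
    if scheme == "https":
        return "https"
    if scheme == "http":
        return "http"
    return "other"


def audit_info_plist(plist_bytes):
    """Parse an Info.plist and describe its Sparkle feed configuration.

    SUFeedURL and SUPublicDSAKeyFile are Sparkle's own Info.plist keys.
    """
    info = plistlib.loads(plist_bytes)
    feed_url = info.get("SUFeedURL")
    return {
        "feed_url": feed_url,
        "scheme": classify_feed_url(feed_url),
        "uses_sparkle": "SUFeedURL" in info or "SUPublicDSAKeyFile" in info,
    }


def sparkle_framework_version(app_dir):
    """Version string of a bundled Sparkle.framework, or None if absent.

    Assumed path: Contents/Frameworks/Sparkle.framework/Resources/Info.plist
    (the Resources symlink of a versioned framework bundle).
    """
    fw_plist = Path(app_dir) / "Contents/Frameworks/Sparkle.framework/Resources/Info.plist"
    if not fw_plist.is_file():
        return None
    with fw_plist.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def audit_app(app_dir):
    """Audit one .app bundle; returns None if it has no Info.plist."""
    info_plist = Path(app_dir) / "Contents/Info.plist"
    if not info_plist.is_file():
        return None
    result = audit_info_plist(info_plist.read_bytes())
    result["app"] = Path(app_dir).name
    result["sparkle_version"] = sparkle_framework_version(app_dir)
    return result


def scan_applications(root="/Applications"):
    """Return audit results for every Sparkle-using app under root."""
    findings = []
    for app_dir in sorted(Path(root).glob("*.app")):
        result = audit_app(app_dir)
        if result and result["uses_sparkle"]:
            findings.append(result)
    return findings


# Constructed sample plists (not real apps): weak setting and corrected one.
WEAK_PLIST = plistlib.dumps({
    "CFBundleName": "ExampleApp",
    "SUFeedURL": "http://updates.example.invalid/appcast.xml",
    "SUPublicDSAKeyFile": "dsa_pub.pem",
})
CORRECTED_PLIST = plistlib.dumps({
    "CFBundleName": "ExampleApp",
    "SUFeedURL": "https://updates.example.invalid/appcast.xml",
    "SUPublicDSAKeyFile": "dsa_pub.pem",
})

if __name__ == "__main__":
    for label, blob in (("weak", WEAK_PLIST), ("corrected", CORRECTED_PLIST)):
        print(label, audit_info_plist(blob))
    for finding in scan_applications():
        if finding["scheme"] == "http":
            print("HTTP feed:", finding["app"], finding["feed_url"],
                  "Sparkle", finding["sparkle_version"])
```

Run on a Mac, the final loop lists every bundle whose feed is plain HTTP together with the Sparkle version it ships; an HTTPS feed alone does not prove the bundled framework is current, which is why the version is reported separately.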
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.